Use-cases
When provisioning Databricks account-level resources (like metastores) via HCP Terraform (Terraform Cloud), attempting to authenticate using Azure OIDC (Federated Identity Credentials) fails.
Currently, OIDC authentication is supported for GitHub Actions using auth_type = "github-oidc-azure". However, executing this within HCP Terraform runners throws the following error:
Error: cannot read metastore: failed during request visitor: github-oidc-azure auth: not configured.
Standard workarounds—such as using the azurerm provider to mint an AAD token via an external data source running az account get-access-token—are not viable because HCP Terraform runners do not have the Azure CLI installed natively.
This limitation currently forces us to fall back to using static azure_client_secret credentials.
Proposal
The databricks provider should natively support Azure OIDC authentication for HCP Terraform environments without relying on the Azure CLI or the github-oidc-azure auth type.
Ideally, the provider should automatically detect the ARM_OIDC_TOKEN, ARM_CLIENT_ID, and ARM_TENANT_ID environment variables that are natively injected by HCP Terraform's Dynamic Provider Credentials, functioning similarly to the azurerm provider's OIDC implementation.
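As an added illustration of the exchange the proposal asks for (this is example code written for this issue, not code from the databricks or azurerm providers), the Go program below reads ARM_OIDC_TOKEN, ARM_CLIENT_ID and ARM_TENANT_ID, presents the HCP Terraform token as an RFC 7523 client assertion in a client_credentials grant to the tenant's Entra ID v2.0 token endpoint, and asks for the well-known Azure Databricks resource scope (application ID 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d). The function names (FromEnv, AssertionForm, Exchange, FakeTokenServer) and the sample token, client ID and tenant values are assumptions made for the example; when the three variables are not set, it runs against a constructed in-process token server instead of login.microsoftonline.com so it works offline.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"os"
	"strings"
	"time"
)

// Well-known Entra ID application ID of the Azure Databricks resource; "<app id>/.default" is the scope Databricks accepts.
const AzureDatabricksScope = "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/.default"
const jwtBearerAssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" // RFC 7523 client assertion

// OIDCConfig holds the three values HCP Terraform injects for Azure dynamic provider credentials.
type OIDCConfig struct {
	Token    string // ARM_OIDC_TOKEN: workload-identity JWT issued by HCP Terraform for this run
	ClientID string // ARM_CLIENT_ID: app registration carrying the federated credential
	TenantID string // ARM_TENANT_ID
}

// FromEnv reads the variables through getenv (injectable for tests); all three are required (example helper).
func FromEnv(getenv func(string) string) (OIDCConfig, error) {
	c := OIDCConfig{Token: getenv("ARM_OIDC_TOKEN"), ClientID: getenv("ARM_CLIENT_ID"), TenantID: getenv("ARM_TENANT_ID")}
	if c.Token == "" || c.ClientID == "" || c.TenantID == "" {
		return OIDCConfig{}, fmt.Errorf("azure oidc: ARM_OIDC_TOKEN, ARM_CLIENT_ID and ARM_TENANT_ID must all be set")
	}
	return c, nil
}

func (c OIDCConfig) TokenEndpoint() string {
	return "https://login.microsoftonline.com/" + url.PathEscape(c.TenantID) + "/oauth2/v2.0/token"
}

// AssertionForm builds the client_credentials grant in which the federated JWT replaces the client secret.
func (c OIDCConfig) AssertionForm(scope string) url.Values {
	return url.Values{
		"grant_type":            {"client_credentials"},
		"client_id":             {c.ClientID},
		"client_assertion_type": {jwtBearerAssertionType},
		"client_assertion":      {c.Token},
		"scope":                 {scope},
	}
}

// Exchange posts the form to endpoint (a parameter so tests can use FakeTokenServer) and returns token and TTL.
func Exchange(ctx context.Context, client *http.Client, endpoint string, form url.Values) (string, time.Duration, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return "", 0, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := client.Do(req)
	if err != nil {
		return "", 0, err
	}
	defer resp.Body.Close()
	var tr struct {
		AccessToken string `json:"access_token"`
		ExpiresIn   int    `json:"expires_in"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil || resp.StatusCode != http.StatusOK || tr.AccessToken == "" {
		return "", 0, fmt.Errorf("azure oidc: token exchange failed (HTTP %d)", resp.StatusCode)
	}
	return tr.AccessToken, time.Duration(tr.ExpiresIn) * time.Second, nil
}

// FakeTokenServer is a constructed stand-in for login.microsoftonline.com so the example runs offline.
func FakeTokenServer(expectedAssertion string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.FormValue("client_assertion_type") != jwtBearerAssertionType || r.FormValue("client_assertion") != expectedAssertion {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, `{"token_type":"Bearer","expires_in":3599,"access_token":"constructed-access-token"}`)
	}))
}

func main() {
	cfg, err := FromEnv(os.Getenv)
	endpoint := cfg.TokenEndpoint()
	if err != nil { // not inside an HCP Terraform run: constructed values against the fake endpoint
		cfg = OIDCConfig{Token: "constructed.federated.jwt", ClientID: "00000000-0000-0000-0000-000000000000", TenantID: "contoso.onmicrosoft.com"}
		srv := FakeTokenServer(cfg.Token)
		defer srv.Close()
		endpoint = srv.URL
	}
	tok, ttl, err := Exchange(context.Background(), &http.Client{Timeout: 30 * time.Second}, endpoint, cfg.AssertionForm(AzureDatabricksScope))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("bearer token acquired (%d bytes, expires in %s)\n", len(tok), ttl)
}
```

The resulting access token is what a provider would then send as the Bearer token on Databricks account and workspace API calls, which is the point of the exchange: no client secret is ever stored in the workspace, and the real endpoint only honours the assertion when the app registration has a federated credential whose issuer and subject match the HCP Terraform token (the fake server mirrors that by rejecting any other assertion). Note that the offline fallback in main exists only so the example runs outside a pipeline; a provider implementation would use the tenant endpoint unconditionally and treat missing variables as a reason to try its next auth method.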