Skip to content

Make GCP SA token refresh non-blocking with warning on failure#1544

Merged
hectorcast-db merged 2 commits intomainfrom
hectorcast-db/stack/port/gcp-sa-token-non-blocking
Mar 17, 2026
Merged

Make GCP SA token refresh non-blocking with warning on failure#1544
hectorcast-db merged 2 commits intomainfrom
hectorcast-db/stack/port/gcp-sa-token-non-blocking

Conversation

@hectorcast-db
Copy link
Contributor

@hectorcast-db hectorcast-db commented Mar 16, 2026
edited
Loading

🥞 Stacked PR

Use this link to review incremental changes.

Summary

  • Port of Python SDK PR Make GCP SA token refresh non-blocking with warning on failure databricks-sdk-py#1330
  • Add serviceToServiceVisitorWithFallback() that logs a warning and skips the secondary header when the SA token source fails, instead of returning an error
  • GoogleDefaultCredentials now always attempts to create an SA token source regardless of config type, falling back gracefully on failure
  • GoogleCredentials also uses the fallback visitor

Test plan

  • TestServiceToServiceVisitorWithFallback_BothSucceed
  • TestServiceToServiceVisitorWithFallback_SecondaryFails_SkipsHeader
  • TestServiceToServiceVisitorWithFallback_PrimaryFails_ReturnsError

NO_CHANGELOG=true

This pull request was AI-assisted by Isaac.

This was referenced Mar 16, 2026
Closed
Merged
Merged
Merged
Merged
Merged
@hectorcast-db hectorcast-db force-pushed the hectorcast-db/stack/port/gcp-sa-token-non-blocking branch from 70e6e94 to cd4922a Compare March 16, 2026 12:07
@hectorcast-db hectorcast-db force-pushed the hectorcast-db/stack/port/gcp-sa-token-non-blocking branch from cd4922a to 41ef7b4 Compare March 16, 2026 13:08
@hectorcast-db hectorcast-db marked this pull request as ready for review March 16, 2026 13:35
github-merge-queue bot pushed a commit that referenced this pull request Mar 16, 2026
@hectorcast-db
Call resolveHostMetadata on Config init (#1542)
42f84f1 
## 🥞 Stacked PR
Use this
[link](https://github.com/databricks/databricks-sdk-go/pull/1542/files)
to review incremental changes.
-
[**stack/port/resolve-host-metadata-on-init**](#1542)
[[Files
changed](https://github.com/databricks/databricks-sdk-go/pull/1542/files)]
-
[stack/port/resolve-token-audience-from-metadata](#1543)
[[Files
changed](https://github.com/databricks/databricks-sdk-go/pull/1543/files/20b6cd4abc1a3284d586c88f802c4b7df2678062..9893d9cbbfe8baab7f7aeacb8ce7faf49026c86a)]
-
[stack/port/gcp-sa-token-non-blocking](#1544)
[[Files
changed](https://github.com/databricks/databricks-sdk-go/pull/1544/files/9893d9cbbfe8baab7f7aeacb8ce7faf49026c86a..07e28b7aef05ada2f357f87faa749c6990be8173)]
-
[stack/port/test-environment-type](#1545)
[[Files
changed](https://github.com/databricks/databricks-sdk-go/pull/1545/files/07e28b7aef05ada2f357f87faa749c6990be8173..0da1b0d546ab8842dffbd50aa55fb136bbeffddf)]
-
[stack/port/host-metadata-integration-test](#1546)
[[Files
changed](https://github.com/databricks/databricks-sdk-go/pull/1546/files/0da1b0d546ab8842dffbd50aa55fb136bbeffddf..e9854aad19dc522ffe8def175bef3a3eabface2b)]
-
[stack/port/remove-unified-flag](#1547)
[[Files
changed](https://github.com/databricks/databricks-sdk-go/pull/1547/files/e9854aad19dc522ffe8def175bef3a3eabface2b..fae626deb92c4671a0c8aa0f1e3e6bad1f8c5cc6)]
-
[stack/port/gcp-sa-from-metadata](#1548)
[[Files
changed](https://github.com/databricks/databricks-sdk-go/pull/1548/files/fae626deb92c4671a0c8aa0f1e3e6bad1f8c5cc6..ecb1dbeed4ed1990a74895c6ced958c05f16ffef)]

---------
## Summary
- Port of Python SDK PR
databricks/databricks-sdk-py#1318 and discovery
URL fix from PR
databricks/databricks-sdk-py#1332
- Extract `applyHostMetadata()` from `resolveHostMetadata()` for reuse
during config init
- Call host metadata resolution during `EnsureResolved()` for unified
hosts (gated behind `Experimental_IsUnifiedHost`), with non-fatal error
handling (warns on failure)
- OIDC endpoint from metadata is now treated as the OIDC root, with
`/.well-known/oauth-authorization-server` appended to form the full
discovery URL

## Test plan
- `TestEnsureResolved_ResolvesHostMetadata_WhenUnifiedHost` — verifies
fields populated from metadata
- `TestEnsureResolved_HostMetadataFailure_NonFatal` — 500 response,
config still resolves
- `TestEnsureResolved_HostMetadata_NoOidcEndpoint_NonFatal` — missing
oidc_endpoint, no error
-
`TestEnsureResolved_HostMetadata_MissingAccountIdWithPlaceholder_Warns`
— template needs account_id but missing
- Existing `resolveHostMetadata` tests updated for new discovery URL
format

NO_CHANGELOG=true

This pull request was AI-assisted by Isaac.
tejaskochar-db
tejaskochar-db approved these changes Mar 16, 2026
View reviewed changes
Copy link
Contributor

@tejaskochar-db tejaskochar-db left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM mod comment

@hectorcast-db hectorcast-db force-pushed the hectorcast-db/stack/port/gcp-sa-token-non-blocking branch from 07e28b7 to ab7e3d8 Compare March 17, 2026 08:06
github-merge-queue bot pushed a commit that referenced this pull request Mar 17, 2026
@hectorcast-db
Resolve TokenAudience from host metadata for account hosts (#1543)
2a95760 
## 🥞 Stacked PR
Use this
[link](https://github.com/databricks/databricks-sdk-go/pull/1543/files)
to review incremental changes.
-
[**stack/port/resolve-token-audience-from-metadata**](#1543)
[[Files
changed](https://github.com/databricks/databricks-sdk-go/pull/1543/files)]
-
[stack/port/gcp-sa-token-non-blocking](#1544)
[[Files
changed](https://github.com/databricks/databricks-sdk-go/pull/1544/files/01d8ab7988cf049ece2bf295acc9218f6dd82e07..ab7e3d841888a136a21a2c95549392f137d6b523)]
-
[stack/port/test-environment-type](#1545)
[[Files
changed](https://github.com/databricks/databricks-sdk-go/pull/1545/files/ab7e3d841888a136a21a2c95549392f137d6b523..0e20fea87196f5b177313bfb6c3ef5c8ec678bf0)]
-
[stack/port/host-metadata-integration-test](#1546)
[[Files
changed](https://github.com/databricks/databricks-sdk-go/pull/1546/files/0e20fea87196f5b177313bfb6c3ef5c8ec678bf0..f9d041dbd73e531215a30dab6b0441d192f4bfb5)]
-
[stack/port/remove-unified-flag](#1547)
[[Files
changed](https://github.com/databricks/databricks-sdk-go/pull/1547/files/f9d041dbd73e531215a30dab6b0441d192f4bfb5..086adf0511ffbff5cc9edb9dc5159b5dad9b7299)]
-
[stack/port/gcp-sa-from-metadata](#1548)
[[Files
changed](https://github.com/databricks/databricks-sdk-go/pull/1548/files/086adf0511ffbff5cc9edb9dc5159b5dad9b7299..c8a54deafc36e70c86f869231f8b5d09b044f28f)]

---------
## Summary
- Port of Python SDK PR
databricks/databricks-sdk-py#1321
- When host metadata indicates an account host (no workspace_id) and
account_id is present, automatically set `TokenAudience` to the
account_id if not already configured

## Test plan
- `TestApplyHostMetadata_SetsTokenAudienceForAccountHost` — no
workspace_id, has account_id → set
- `TestApplyHostMetadata_NoTokenAudienceForWorkspaceHost` — has
workspace_id → not set
- `TestApplyHostMetadata_DoesNotOverrideExistingTokenAudience` — pre-set
value preserved

NO_CHANGELOG=true

This pull request was AI-assisted by Isaac.
@hectorcast-db
Make GCP SA token refresh non-blocking with warning on failure
6f5dd16 
Port of Python SDK PR #1330. Add serviceToServiceVisitorWithFallback()
which logs a warning and skips the secondary header when the SA token
source fails, instead of returning an error. GoogleDefaultCredentials
now always attempts to create an SA token source regardless of config
type, falling back gracefully on failure. GoogleCredentials also uses
the fallback visitor.

Co-authored-by: Isaac
@hectorcast-db
Consolidate serviceToServiceVisitor and serviceToServiceVisitorWithFa…
bd03847 
…llback into one function
@hectorcast-db hectorcast-db force-pushed the hectorcast-db/stack/port/gcp-sa-token-non-blocking branch from ab7e3d8 to bd03847 Compare March 17, 2026 08:41
@github-actions
Copy link

github-actions bot commented Mar 17, 2026

If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:

Trigger:
go/deco-tests-run/sdk-go

Inputs:

  • PR number: 1544
  • Commit SHA: bd038478c97820339e8964bfd74457dabfa945ad

Checks will be approved automatically on success.

@hectorcast-db hectorcast-db added this pull request to the merge queue Mar 17, 2026
Merged via the queue into main with commit 146612b Mar 17, 2026
15 checks passed
@hectorcast-db hectorcast-db deleted the hectorcast-db/stack/port/gcp-sa-token-non-blocking branch March 17, 2026 09:03
@hectorcast-db hectorcast-db mentioned this pull request Mar 19, 2026
Draft
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tejaskochar-db tejaskochar-db tejaskochar-db approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hectorcast-db @tejaskochar-db