
Make an explicitly selected profile take precedence over auth environment variables #5702

Open: radakam wants to merge 5 commits into main from cli-5096-fix-profile-not-respected

Conversation

@radakam (Contributor) commented Jun 24, 2026

Why

With an explicit profile (--profile or a bundle's workspace.profile), auth env vars (DATABRICKS_HOST, DATABRICKS_TOKEN, ...) silently shadowed it: the SDK reads env before the config file and never overwrites an already-set field.

Changes

Fixes #5096

When a profile is selected explicitly, use a shared loader chain (databrickscfg.ProfileAuthLoaders) so the profile wins for host/auth/routing, while env still gap-fills only the auth fields the profile leaves empty (e.g. host-only profile + DATABRICKS_TOKEN). Non-auth env vars (e.g. cluster_id) stay env-first via a small ResolveNonAuthFromEnv loader. Wired into MustWorkspaceClient, MustAccountClient, Workspace.Client, and databricks api.

Explicit design choices:

  • Scope: only an explicit profile changes behavior. DATABRICKS_CONFIG_PROFILE keeps the SDK's env-first precedence.
  • Conflicting auth method: a complete auth method in env (e.g. profile PAT + env OAuth client id/secret) still errors with "more than one authorization method configured".
  • SPOG query params: for an explicit profile we skip NormalizeDatabricksConfigFromEnv, so a SPOG-style DATABRICKS_HOST (?o=/?a=) no longer overrides the profile; the profile's host is authoritative.

Tests

  • Unit + acceptance: --profile/workspace.profile wins over auth env; DATABRICKS_CONFIG_PROFILE stays env-first; host-only profile fills its token from env; conflicting-method error.
  • Guard test that fails if an SDK bump adds a new internal (auth:"-") env-backed attribute that hasn't been classified as auth-steering vs. env-first.

@radakam radakam temporarily deployed to test-trigger-is June 24, 2026 12:00 — with GitHub Actions Inactive
@eng-dev-ecosystem-bot (Collaborator) commented Jun 24, 2026

Integration test report

Commit: e16df4f

Run: 28363727902

Env 🟨​KNOWN 🔄​flaky 💚​RECOVERED 🙈​SKIP ✅​pass 🙈​skip Time
🟨​ aws linux 7 1 13 235 1037 5:42
🟨​ aws windows 7 1 13 237 1035 7:14
💚​ aws-ucws linux 8 13 319 955 4:43
💚​ aws-ucws windows 8 13 321 953 5:18
💚​ azure linux 2 15 235 1036 4:22
💚​ azure windows 2 15 237 1034 3:37
💚​ azure-ucws linux 2 15 321 952 5:17
🔄​ azure-ucws windows 2 2 15 321 950 5:53
💚​ gcp linux 2 15 234 1038 3:49
💚​ gcp windows 2 15 236 1036 3:18
23 interesting tests: 13 SKIP, 7 KNOWN, 2 flaky, 1 RECOVERED
Test Name aws linux aws windows aws-ucws linux aws-ucws windows azure linux azure windows azure-ucws linux azure-ucws windows gcp linux gcp windows
🟨​ TestAccept 🟨​K 🟨​K 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R
🙈​ TestAccept/bundle/invariant/no_drift 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/permissions 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions 🟨​K 🟨​K 💚​R 💚​R 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=direct 🟨​K 🟨​K 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=terraform 🟨​K 🟨​K 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions 🟨​K 🟨​K 💚​R 💚​R 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=direct 🟨​K 🟨​K 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=terraform 🟨​K 🟨​K 💚​R 💚​R
🙈​ TestAccept/bundle/resources/postgres_branches/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/recreate 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/replace_existing 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/update_protected 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/without_branch_id 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_endpoints/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_projects/update_display_name 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/synced_database_tables/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/vector_search_endpoints/drift/recreated_same_name 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/vector_search_indexes/recreate/embedding_dimension 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/ssh/connection 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🔄​ TestFsCpDir ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p 🔄​f ✅​p ✅​p
🔄​ TestFsCpDir/dbfs_to_dbfs ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p 🔄​f ✅​p ✅​p
💚​ TestFetchRepositoryInfoAPI_FromRepo 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R
Top 4 slowest tests (at least 2 minutes):
duration env testname
3:51 aws-ucws windows TestAccept
3:40 azure-ucws windows TestAccept
2:31 azure windows TestAccept
2:28 gcp windows TestAccept

@radakam radakam temporarily deployed to test-trigger-is June 24, 2026 12:26 — with GitHub Actions Inactive
@radakam radakam temporarily deployed to test-trigger-is June 24, 2026 13:05 — with GitHub Actions Inactive
@radakam radakam force-pushed the cli-5096-fix-profile-not-respected branch from fe17837 to ae05b0e Compare June 26, 2026 08:50
@radakam radakam changed the title Make --profile take precedence over auth environment variables Make an explicitly selected profile take precedence over auth environment variables Jun 29, 2026
@radakam radakam force-pushed the cli-5096-fix-profile-not-respected branch from 72b1acb to b2c4d95 Compare June 29, 2026 08:23
@radakam radakam temporarily deployed to test-trigger-is June 29, 2026 08:23 — with GitHub Actions Inactive
@radakam radakam marked this pull request as ready for review June 29, 2026 08:24
@github-actions (bot, Contributor) commented Jun 29, 2026

Approval status: pending

/bundle/ - needs approval

Files: bundle/config/workspace.go, bundle/config/workspace_test.go
Suggested: @denik
Also eligible: @janniklasrose, @pietern, @anton-107, @andrewnester, @shreyas-goenka, @lennartkats-db

/cmd/api/ - needs approval

Files: cmd/api/api.go
Suggested: @simonfaltum
Also eligible: @Divyansh-db, @tanmay-db, @mihaimitrea-db, @renaudhartert-db, @hectorcast-db, @parthban-db, @tejaskochar-db, @chrisst, @rauchy

/cmd/root/ - needs approval

Files: cmd/root/auth.go, cmd/root/auth_test.go
Suggested: @simonfaltum
Also eligible: @Divyansh-db, @tanmay-db, @mihaimitrea-db, @renaudhartert-db, @hectorcast-db, @parthban-db, @tejaskochar-db, @chrisst, @rauchy

/libs/databrickscfg/ - needs approval

Files: libs/databrickscfg/loader.go, libs/databrickscfg/loader_test.go
Suggested: @simonfaltum
Also eligible: @Divyansh-db, @tanmay-db, @mihaimitrea-db, @renaudhartert-db, @hectorcast-db, @parthban-db, @tejaskochar-db, @chrisst, @rauchy

General files (require maintainer)

10 files changed
Based on git history:

  • @simonfaltum -- recent work in cmd/root/, ./, bundle/config/

Any maintainer (@andrewnester, @anton-107, @denik, @pietern, @shreyas-goenka, @simonfaltum, @renaudhartert-db) can approve all areas.
See OWNERS for ownership rules.

@radakam radakam force-pushed the cli-5096-fix-profile-not-respected branch from b2c4d95 to aeb17ab Compare June 29, 2026 08:56
@radakam radakam temporarily deployed to test-trigger-is June 29, 2026 08:57 — with GitHub Actions Inactive
@radakam radakam force-pushed the cli-5096-fix-profile-not-respected branch from aeb17ab to 7ce0ce7 Compare June 29, 2026 09:42
@radakam radakam temporarily deployed to test-trigger-is June 29, 2026 09:42 — with GitHub Actions Inactive
radakam added 5 commits June 29, 2026 09:43

When --profile is set explicitly, host and auth credentials from the
profile now win over DATABRICKS_HOST/DATABRICKS_TOKEN and other auth env
vars. Previously the SDK's env-first loader order silently shadowed the
selected profile (#5096).

Extend the --profile precedence fix (#5096):

- ResolveNonAuthFromEnv now also skips auth_type and discovery_url, which
  are tagged auth:"-" in the SDK and so are invisible to HasAuthAttribute,
  letting DATABRICKS_AUTH_TYPE/DATABRICKS_DISCOVERY_URL shadow the profile.
  It also records the env source so `auth describe` and debug output match
  the SDK loader.
- Workspace.Client uses ResolveNonAuthFromEnv when a profile is set (from
  --profile or workspace.profile) so env auth vars no longer shadow the
  profile for bundle commands.
- Use the reserved .test TLD for new test fixture hosts so the SDK's
  well-known host metadata resolver fast-fails instead of stalling on a
  live network lookup.

A host-only profile combined with DATABRICKS_TOKEN previously failed because
the profile loader chain stopped at the config file. Append
config.ConfigAttributes after the profile so the environment can fill auth
fields the profile does not provide, while the profile still wins for any
field it sets (#5096).

- Centralize the explicit-profile loader chain in databrickscfg.ProfileAuthLoaders
  and extract applyProfileAuthPrecedence so all call sites share one rule.
- Skip host, routing IDs (workspace_id/account_id) and SDK-internal auth-steering
  env attrs; guard the classification with a test that fails on SDK drift.
- Apply profile precedence to `databricks api --profile`.
- Let env gap-fill auth fields a host-only profile leaves empty.
- Add bundle host+profile coverage and acceptance tests; clarify rationale comments.
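
The precedence rule stated in the PR description and the commit messages above, reduced to a small model: an added example, not code from this pull request or from the Databricks SDK. `Config`, `fill`, `Resolve` and the `authAttrs` classification are hypothetical names, and the hosts and tokens are constructed; `explicit=false` stands for the unchanged env-first path (including `DATABRICKS_CONFIG_PROFILE`).

```go
package main

import (
	"errors"
	"fmt"
)

// Config is a simplified stand-in for SDK config: attribute name -> value.
type Config map[string]string

// Hypothetical classification of attributes that steer host, auth or routing.
var authAttrs = map[string]bool{"host": true, "token": true, "client_id": true,
	"client_secret": true, "auth_type": true, "account_id": true, "workspace_id": true}

func all(string) bool       { return true }
func nonAuth(k string) bool { return !authAttrs[k] }

// fill copies src into cfg but never overwrites an already-set field.
func fill(cfg, src Config, keep func(string) bool) {
	for k, v := range src {
		if _, set := cfg[k]; !set && v != "" && keep(k) {
			cfg[k] = v
		}
	}
}

// Resolve is env-first by default; with an explicitly selected profile the
// profile wins for auth attributes and env only fills what it leaves empty.
func Resolve(env, profile Config, explicit bool) (Config, error) {
	cfg := Config{}
	if explicit {
		fill(cfg, env, nonAuth) // e.g. cluster_id stays env-first
		fill(cfg, profile, all) // profile is authoritative for host/auth
	}
	fill(cfg, env, all)     // default: env first; explicit: gap-fill only
	fill(cfg, profile, all) // no-op in the explicit case
	if cfg["token"] != "" && cfg["client_id"] != "" && cfg["client_secret"] != "" {
		return nil, errors.New("more than one authorization method configured")
	}
	return cfg, nil
}

func main() {
	env := Config{"host": "https://env.test", "token": "env-token", "cluster_id": "env-cluster"} // constructed
	profile := Config{"host": "https://profile.test", "token": "profile-token"}                  // constructed
	for _, explicit := range []bool{false, true} {
		cfg, err := Resolve(env, profile, explicit)
		fmt.Println(explicit, cfg["host"], cfg["token"], cfg["cluster_id"], err)
	}
}
```
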
@radakam radakam force-pushed the cli-5096-fix-profile-not-respected branch from 7ce0ce7 to e16df4f Compare June 29, 2026 09:53
@radakam radakam temporarily deployed to test-trigger-is June 29, 2026 09:53 — with GitHub Actions Inactive

Development

Successfully merging this pull request may close these issues.

CLI profile not respected

2 participants