Make GCP SA token refresh non-blocking with warning on failure #718
Draft
hectorcast-db wants to merge 1 commit into hectorcast-db/stack/port-5-token-audience-from-metadata from
This was referenced Mar 19, 2026
github-merge-queue bot pushed a commit that referenced this pull request Mar 19, 2026
## 🥞 Stacked PR

- [**#710 Add cloud field to HostMetadata**](#710) [[Files](https://github.com/databricks/databricks-sdk-java/pull/710/files)]
- [#711 Fix GetWorkspaceClient for unified account hosts](#711) [[Files](https://github.com/databricks/databricks-sdk-java/pull/711/files)]
- [#712 Add test for GetWorkspaceClient with SPOG host](#712) [[Files](https://github.com/databricks/databricks-sdk-java/pull/712/files)]
- [#713 Call resolveHostMetadata on Config init](#713) [[Files](https://github.com/databricks/databricks-sdk-java/pull/713/files)]
- [#714 Resolve TokenAudience from host metadata for account hosts](#714) [[Files](https://github.com/databricks/databricks-sdk-java/pull/714/files)]
- [#718 Make GCP SA token refresh non-blocking](#718) [[Files](https://github.com/databricks/databricks-sdk-java/pull/718/files)]
- [#719 Add integration test for host metadata resolution](#719) [[Files](https://github.com/databricks/databricks-sdk-java/pull/719/files)]
- [#720 Remove unified flag usage, rely on host metadata](#720) [[Files](https://github.com/databricks/databricks-sdk-java/pull/720/files)]

---------

## Summary

Port of Go SDK [#1512](databricks/databricks-sdk-go#1512). Adds a `cloud` field to `HostMetadata` that is populated from the `/.well-known/databricks-config` discovery endpoint.

**Why:** Today, `isAws()`, `isAzure()`, and `isGcp()` infer cloud type by suffix-matching the workspace hostname against a hardcoded list of known DNS zones. This works for standard deployments but fails for non-standard hostnames (custom vanity domains, unified hosts, etc.). The discovery endpoint is the authoritative source and already returns a `cloud` field, but the SDK was discarding it.

**Changes:**

- `HostMetadata`: new `cloud` field (`@JsonProperty("cloud")`), getter, and 4-arg constructor
- `HostMetadataTest`: deserialization with/without cloud, constructor tests

`NO_CHANGELOG=true`

## Test plan

- [x] `HostMetadataTest`: 4 tests for cloud field deserialization and constructors
Port of Go SDK #1544. The GCP SA access token (`X-Databricks-GCP-SA-Access-Token`) refresh is now non-blocking in both `GoogleIdCredentialsProvider` and `GoogleCredentialsCredentialsProvider`. On failure, a warning is logged and the header is skipped instead of throwing an exception. The token is also now always attempted regardless of client type (not just for ACCOUNT clients).

Co-authored-by: Isaac
github-merge-queue bot pushed a commit that referenced this pull request Mar 19, 2026
## 🥞 Stacked PR

- [#710 Add cloud field to HostMetadata](#710) [[Files](https://github.com/databricks/databricks-sdk-java/pull/710/files)]
- [**#711 Fix GetWorkspaceClient for unified account hosts**](#711) [[Files](https://github.com/databricks/databricks-sdk-java/pull/711/files)]
- [#712 Add test for GetWorkspaceClient with SPOG host](#712) [[Files](https://github.com/databricks/databricks-sdk-java/pull/712/files)]
- [#713 Call resolveHostMetadata on Config init](#713) [[Files](https://github.com/databricks/databricks-sdk-java/pull/713/files)]
- [#714 Resolve TokenAudience from host metadata for account hosts](#714) [[Files](https://github.com/databricks/databricks-sdk-java/pull/714/files)]
- [#718 Make GCP SA token refresh non-blocking](#718) [[Files](https://github.com/databricks/databricks-sdk-java/pull/718/files)]
- [#719 Add integration test for host metadata resolution](#719) [[Files](https://github.com/databricks/databricks-sdk-java/pull/719/files)]
- [#720 Remove unified flag usage, rely on host metadata](#720) [[Files](https://github.com/databricks/databricks-sdk-java/pull/720/files)]

---------

## Summary

Port of Go SDK [#1517](databricks/databricks-sdk-go#1517). Fixes `getWorkspaceClient()` for unified account hosts that don't follow the standard environment DNS zone pattern (e.g. SPOG/unified hosts).

Previously, the workspace host was always constructed via `getDeploymentUrl(ws.getDeploymentName())`, which blindly appends the environment's DNS zone. For unified hosts where the account and workspace share the same host, this produces an incorrect URL.

**Changes:**

- `AccountClient.getWorkspaceClient()`: clones config instead of mutating `this.config` for unified hosts

**Note:** `AccountClient.java` is a generated file. The template needs to be updated.

`NO_CHANGELOG=true`

## Test plan

- [x] `AccountClientTest`: existing tests pass
## 🥞 Stacked PR

## Summary

Port of Go SDK #1544.

Makes the GCP SA access token (`X-Databricks-GCP-SA-Access-Token`) refresh non-blocking in both `GoogleIdCredentialsProvider` and `GoogleCredentialsCredentialsProvider`. On failure, a warning is logged and the header is skipped instead of throwing an exception. The token is now always attempted regardless of client type (previously only for ACCOUNT clients).

**Why:** On unified hosts, the config type may not perfectly distinguish account vs workspace operations. Making the SA token optional ensures GCP auth doesn't fail when the SA token isn't needed.

**Changes:**

- `GoogleIdCredentialsProvider`: removed `ClientType.ACCOUNT` guard, catch `IOException` and log warning
- `GoogleCredentialsCredentialsProvider`: same pattern

`NO_CHANGELOG=true`

## Test plan
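
Added example, not code from this pull request or from the SDK: the header-building behaviour the description contrasts, with the earlier guarded, throwing form beside the non-blocking form. The class name, the `TokenSource` interface, the `Authorization: Bearer` primary header and the `IllegalStateException` in the earlier form are assumptions made for illustration; only the header name, the `IOException` catch and the removed account-client guard come from the description.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;

public class OptionalSaTokenHeaders {
  private static final Logger LOG = Logger.getLogger(OptionalSaTokenHeaders.class.getName());
  static final String SA_ACCESS_TOKEN_HEADER = "X-Databricks-GCP-SA-Access-Token";

  /** Hypothetical stand-in for a credentials refresh call that can fail with IOException. */
  interface TokenSource {
    String fetch() throws IOException;
  }

  /** Earlier behaviour: SA token only for account clients; a refresh failure aborts the call. */
  static Map<String, String> headersBlocking(String idToken, TokenSource sa, boolean accountClient) {
    Map<String, String> headers = new HashMap<>();
    headers.put("Authorization", "Bearer " + idToken); // assumed primary credential header
    if (accountClient) {
      try {
        headers.put(SA_ACCESS_TOKEN_HEADER, sa.fetch());
      } catch (IOException e) {
        throw new IllegalStateException("SA access token refresh failed", e); // assumed type
      }
    }
    return headers;
  }

  /** Described behaviour: always attempt; on failure log a warning and omit the header. */
  static Map<String, String> headersNonBlocking(String idToken, TokenSource sa) {
    Map<String, String> headers = new HashMap<>();
    headers.put("Authorization", "Bearer " + idToken);
    try {
      headers.put(SA_ACCESS_TOKEN_HEADER, sa.fetch());
    } catch (IOException e) {
      // Log only the exception; token values and credential material stay out of the log.
      LOG.warning("Skipping " + SA_ACCESS_TOKEN_HEADER + ": " + e);
    }
    return headers;
  }

  public static void main(String[] args) {
    TokenSource ok = () -> "constructed-sa-token"; // constructed sample values
    TokenSource broken = () -> { throw new IOException("constructed refresh failure"); };
    System.out.println(headersNonBlocking("constructed-id-token", ok).keySet());
    System.out.println(headersNonBlocking("constructed-id-token", broken).keySet());
  }
}
```

With the failing source, the second call returns only the `Authorization` header, and the warning log line is the only local signal that the SA token was left out.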