moomindani commented on code in PR #69509:
URL: https://github.com/apache/airflow/pull/69509#discussion_r3567557364


##########
providers/databricks/src/airflow/providers/databricks/hooks/databricks_base.py:
##########
@@ -917,13 +926,17 @@ def _get_federation_subject_token(self) -> tuple[str, str 
| None]:
         """
         Resolve the OIDC JWT to exchange for a Databricks token (RFC 8693 
``subject_token``).
 
-        Two subject-token sources are supported:
+        Three subject-token sources are supported:
 
         * ``federated_token_provider`` -- a dotted path to a ``Callable[[], 
str]`` that returns
           the JWT. The token is obtained in-process and never written to disk, 
so a control
           plane can vend a short-lived, per-workload identity token for the 
exchange. ``client_id``
           is optional here: supply it in the extra for a service principal 
federation policy, or
           omit it for an account-wide federation policy.
+        * AWS IAM (``federated_aws``) -- mint an AWS-signed OIDC JWT via AWS 
STS

Review Comment:
   Non-blocking: the sibling `_get_federated_databricks_token` docstring 
(below, outside this diff) still describes only two subject-token sources — 
"supplied either by a `federated_token_provider` callable or by the pod's 
Kubernetes service account". Worth updating it to mention the AWS path in the 
same way you updated this one.
   
   ---
   Drafted-by: Claude Code (Fable 5); reviewed by @moomindani before posting



##########
providers/databricks/src/airflow/providers/databricks/hooks/databricks_base.py:
##########
@@ -936,6 +949,8 @@ def _get_federation_subject_token(self) -> tuple[str, str | 
None]:
             return self._resolve_supplied_subject_token(provider), 
self.databricks_conn.extra_dejson.get(
                 "client_id"
             )
+        if self._is_aws_federation():

Review Comment:
   Non-blocking: if a connection sets both `login=federated_k8s` and 
`federated_aws: true` in extra, `_get_token` takes the Kubernetes branch and 
logs "Using Kubernetes OIDC token federation", but this method resolves the AWS 
token first — so the log and the actual subject-token source disagree. A 
one-line precedence note in the docstring (or an explicit guard rejecting the 
combination) would avoid confusion in misconfigured setups.
   
   ---
   Drafted-by: Claude Code (Fable 5); reviewed by @moomindani before posting



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to