Make GCP SA token refresh non-blocking with warning on failure by hectorcast-db · Pull Request #718 · databricks/databricks-sdk-java

hectorcast-db · 2026-03-19T10:13:50Z

🥞 Stacked PR

Use this link to review incremental changes.

hectorcast-db/stack/port-5-token-audience-from-metadata [Files changed]
- hectorcast-db/stack/port-6-gcp-sa-nonblocking [Files changed]
  - hectorcast-db/stack/port-7-integration-test-metadata [Files changed]
    - hectorcast-db/stack/port-8-remove-unified-flag [Files changed]

Summary

Port of Go SDK #1544.

Makes the GCP SA access token (X-Databricks-GCP-SA-Access-Token) refresh non-blocking in both GoogleIdCredentialsProvider and GoogleCredentialsCredentialsProvider. On failure, a warning is logged and the header is skipped instead of throwing an exception. The token is now always attempted regardless of client type (previously only for ACCOUNT clients).

Why: On unified hosts, the config type may not perfectly distinguish account vs workspace operations. Making the SA token optional ensures GCP auth doesn't fail when the SA token isn't needed.

Changes:

GoogleIdCredentialsProvider: removed ClientType.ACCOUNT guard, catch IOException and log warning
GoogleCredentialsCredentialsProvider: same pattern

NO_CHANGELOG=true

Test plan

Verify GCP auth works for account and workspace clients
Verify warning is logged when SA token refresh fails

## 🥞 Stacked PR - [**#710 Add cloud field to HostMetadata**](#710) [[Files](https://github.com/databricks/databricks-sdk-java/pull/710/files)] - [#711 Fix GetWorkspaceClient for unified account hosts](#711) [[Files](https://github.com/databricks/databricks-sdk-java/pull/711/files)] - [#712 Add test for GetWorkspaceClient with SPOG host](#712) [[Files](https://github.com/databricks/databricks-sdk-java/pull/712/files)] - [#713 Call resolveHostMetadata on Config init](#713) [[Files](https://github.com/databricks/databricks-sdk-java/pull/713/files)] - [#714 Resolve TokenAudience from host metadata for account hosts](#714) [[Files](https://github.com/databricks/databricks-sdk-java/pull/714/files)] - [#718 Make GCP SA token refresh non-blocking](#718) [[Files](https://github.com/databricks/databricks-sdk-java/pull/718/files)] - [#719 Add integration test for host metadata resolution](#719) [[Files](https://github.com/databricks/databricks-sdk-java/pull/719/files)] - [#720 Remove unified flag usage, rely on host metadata](#720) [[Files](https://github.com/databricks/databricks-sdk-java/pull/720/files)] --------- ## Summary Port of Go SDK [#1512](databricks/databricks-sdk-go#1512). Adds a `cloud` field to `HostMetadata` that is populated from the `/.well-known/databricks-config` discovery endpoint. **Why:** Today, `isAws()`, `isAzure()`, and `isGcp()` infer cloud type by suffix-matching the workspace hostname against a hardcoded list of known DNS zones. This works for standard deployments but fails for non-standard hostnames (custom vanity domains, unified hosts, etc.). The discovery endpoint is the authoritative source and already returns a `cloud` field, but the SDK was discarding it. **Changes:** - `HostMetadata`: new `cloud` field (`@JsonProperty("cloud")`), getter, and 4-arg constructor - `HostMetadataTest`: deserialization with/without cloud, constructor tests `NO_CHANGELOG=true` ## Test plan - [x] `HostMetadataTest`: 4 tests for cloud field deserialization and constructors

## 🥞 Stacked PR - [#710 Add cloud field to HostMetadata](#710) [[Files](https://github.com/databricks/databricks-sdk-java/pull/710/files)] - [**#711 Fix GetWorkspaceClient for unified account hosts**](#711) [[Files](https://github.com/databricks/databricks-sdk-java/pull/711/files)] - [#712 Add test for GetWorkspaceClient with SPOG host](#712) [[Files](https://github.com/databricks/databricks-sdk-java/pull/712/files)] - [#713 Call resolveHostMetadata on Config init](#713) [[Files](https://github.com/databricks/databricks-sdk-java/pull/713/files)] - [#714 Resolve TokenAudience from host metadata for account hosts](#714) [[Files](https://github.com/databricks/databricks-sdk-java/pull/714/files)] - [#718 Make GCP SA token refresh non-blocking](#718) [[Files](https://github.com/databricks/databricks-sdk-java/pull/718/files)] - [#719 Add integration test for host metadata resolution](#719) [[Files](https://github.com/databricks/databricks-sdk-java/pull/719/files)] - [#720 Remove unified flag usage, rely on host metadata](#720) [[Files](https://github.com/databricks/databricks-sdk-java/pull/720/files)] --------- ## Summary Port of Go SDK [#1517](databricks/databricks-sdk-go#1517). Fixes `getWorkspaceClient()` for unified account hosts that don't follow the standard environment DNS zone pattern (e.g. SPOG/unified hosts). Previously, the workspace host was always constructed via `getDeploymentUrl(ws.getDeploymentName())`, which blindly appends the environment's DNS zone. For unified hosts where the account and workspace share the same host, this produces an incorrect URL. **Changes:** - `AccountClient.getWorkspaceClient()`: clones config instead of mutating `this.config` for unified hosts **Note:** `AccountClient.java` is a generated file. The template needs to be updated. `NO_CHANGELOG=true` ## Test plan - [x] `AccountClientTest`: existing tests pass

## 🥞 Stacked PR Use this [link](https://github.com/databricks/databricks-sdk-java/pull/712/files) to review incremental changes. - [**hectorcast-db/stack/port-3-test-get-workspace-client-spog**](#712) [[Files changed](https://github.com/databricks/databricks-sdk-java/pull/712/files)] - [hectorcast-db/stack/port-4-resolve-metadata-on-init](#713) [[Files changed](https://github.com/databricks/databricks-sdk-java/pull/713/files/12f05320deaf1e2d96229e7bb280ecf7c59b25ce..f5a4892cb3877c74bd8cff5979a3a2d177d304ff)] - [hectorcast-db/stack/port-5-token-audience-from-metadata](#714) [[Files changed](https://github.com/databricks/databricks-sdk-java/pull/714/files/f5a4892cb3877c74bd8cff5979a3a2d177d304ff..513d3f937652fe2a92564fddbb50a46b0527cf97)] - [hectorcast-db/stack/port-6-gcp-sa-nonblocking](#718) [[Files changed](https://github.com/databricks/databricks-sdk-java/pull/718/files/513d3f937652fe2a92564fddbb50a46b0527cf97..560f2173f1ac8880634d9ad874a72824903a91e9)] - [hectorcast-db/stack/port-7-integration-test-metadata](#719) [[Files changed](https://github.com/databricks/databricks-sdk-java/pull/719/files/560f2173f1ac8880634d9ad874a72824903a91e9..f79a3e876905d11de94c5f8c589b2af702397cd3)] - [hectorcast-db/stack/port-8-remove-unified-flag](#720) [[Files changed](https://github.com/databricks/databricks-sdk-java/pull/720/files/f79a3e876905d11de94c5f8c589b2af702397cd3..3c63fc8995cba2381947a52f485bef2cb17693a3)] --------- ## Summary Port of Go SDK [#1518](databricks/databricks-sdk-go#1518). Adds test for `getWorkspaceClient()` with SPOG host to verify that the config is cloned (not mutated) and multiple calls produce independent WorkspaceClients. **Test:** `testGetWorkspaceClientForSpogHostDoesNotMutateAccountConfig` — creates two workspace clients from the same AccountClient, verifies each has its own workspaceId and the account config is unchanged. `NO_CHANGELOG=true` ## Test plan - [x] `AccountClientTest`: 4 tests pass

## 🥞 Stacked PR Use this [link](https://github.com/databricks/databricks-sdk-java/pull/713/files/12f05320deaf1e2d96229e7bb280ecf7c59b25ce..f5a4892cb3877c74bd8cff5979a3a2d177d304ff) to review incremental changes. - [hectorcast-db/stack/port-3-test-get-workspace-client-spog](#712) [[Files changed](https://github.com/databricks/databricks-sdk-java/pull/712/files)] - [**hectorcast-db/stack/port-4-resolve-metadata-on-init**](#713) [[Files changed](https://github.com/databricks/databricks-sdk-java/pull/713/files/12f05320deaf1e2d96229e7bb280ecf7c59b25ce..f5a4892cb3877c74bd8cff5979a3a2d177d304ff)] - [hectorcast-db/stack/port-5-token-audience-from-metadata](#714) [[Files changed](https://github.com/databricks/databricks-sdk-java/pull/714/files/f5a4892cb3877c74bd8cff5979a3a2d177d304ff..513d3f937652fe2a92564fddbb50a46b0527cf97)] - [hectorcast-db/stack/port-6-gcp-sa-nonblocking](#718) [[Files changed](https://github.com/databricks/databricks-sdk-java/pull/718/files/513d3f937652fe2a92564fddbb50a46b0527cf97..560f2173f1ac8880634d9ad874a72824903a91e9)] - [hectorcast-db/stack/port-7-integration-test-metadata](#719) [[Files changed](https://github.com/databricks/databricks-sdk-java/pull/719/files/560f2173f1ac8880634d9ad874a72824903a91e9..f79a3e876905d11de94c5f8c589b2af702397cd3)] - [hectorcast-db/stack/port-8-remove-unified-flag](#720) [[Files changed](https://github.com/databricks/databricks-sdk-java/pull/720/files/f79a3e876905d11de94c5f8c589b2af702397cd3..3c63fc8995cba2381947a52f485bef2cb17693a3)] --------- ## Summary Port of Go SDK [#1542](databricks/databricks-sdk-go#1542). Calls `resolveHostMetadata()` during config `resolve()` to populate `accountId`, `workspaceId`, and `discoveryUrl` from the host's `/.well-known/databricks-config` endpoint. Failures are logged at debug level and do not block initialization. **Why:** Previously, host metadata was only resolved on explicit call. Now it's resolved automatically during config init, so OIDC endpoints, account IDs, and workspace IDs are populated from the authoritative discovery endpoint. **Changes:** - `DatabricksConfig.innerResolve()`: calls `tryResolveHostMetadata()` after HTTP client init - `tryResolveHostMetadata()`: catches `Throwable` (not just Exception) to handle mock assertion errors in tests - `clone()`: skips static fields (needed for new Logger) - Tests: FixtureServer-based tests updated to add `/.well-known/databricks-config` fixture `NO_CHANGELOG=true` ## Test plan - [x] `DatabricksConfigTest`: 45+ tests pass - [x] All 1086 tests pass

Port of Go SDK #1544. The GCP SA access token (X-Databricks-GCP-SA-Access-Token) refresh is now non-blocking in both GoogleIdCredentialsProvider and GoogleCredentialsCredentialsProvider. On failure, a warning is logged and the header is skipped instead of throwing an exception. The token is also now always attempted regardless of client type (not just for ACCOUNT clients). Co-authored-by: Isaac

tejaskochar-db

changes lgtm, but there aren't any tests

hectorcast-db temporarily deployed to test-trigger-is March 19, 2026 10:13 — with GitHub Actions Inactive

hectorcast-db temporarily deployed to test-trigger-is March 19, 2026 10:14 — with GitHub Actions Inactive

hectorcast-db force-pushed the hectorcast-db/stack/port-5-token-audience-from-metadata branch from f8a984d to f1240ce Compare March 19, 2026 11:53

hectorcast-db force-pushed the hectorcast-db/stack/port-6-gcp-sa-nonblocking branch from 7a65c41 to 2bddb2c Compare March 19, 2026 11:53

hectorcast-db temporarily deployed to test-trigger-is March 19, 2026 11:53 — with GitHub Actions Inactive

hectorcast-db temporarily deployed to test-trigger-is March 19, 2026 11:55 — with GitHub Actions Inactive

hectorcast-db force-pushed the hectorcast-db/stack/port-6-gcp-sa-nonblocking branch from 2bddb2c to fae703a Compare March 23, 2026 09:28

hectorcast-db temporarily deployed to test-trigger-is March 23, 2026 09:28 — with GitHub Actions Inactive

hectorcast-db temporarily deployed to test-trigger-is March 23, 2026 09:29 — with GitHub Actions Inactive

hectorcast-db force-pushed the hectorcast-db/stack/port-6-gcp-sa-nonblocking branch from fae703a to fcdaae6 Compare March 23, 2026 10:29

hectorcast-db force-pushed the hectorcast-db/stack/port-5-token-audience-from-metadata branch from 4113588 to 8942762 Compare March 23, 2026 10:29

hectorcast-db temporarily deployed to test-trigger-is March 23, 2026 10:29 — with GitHub Actions Inactive

hectorcast-db temporarily deployed to test-trigger-is March 23, 2026 10:30 — with GitHub Actions Inactive

hectorcast-db force-pushed the hectorcast-db/stack/port-6-gcp-sa-nonblocking branch from fcdaae6 to 560f217 Compare March 23, 2026 13:04

hectorcast-db force-pushed the hectorcast-db/stack/port-5-token-audience-from-metadata branch from 8942762 to 513d3f9 Compare March 23, 2026 13:04

hectorcast-db temporarily deployed to test-trigger-is March 23, 2026 13:04 — with GitHub Actions Inactive

hectorcast-db temporarily deployed to test-trigger-is March 23, 2026 13:06 — with GitHub Actions Inactive

hectorcast-db force-pushed the hectorcast-db/stack/port-6-gcp-sa-nonblocking branch from 560f217 to ed4ef1b Compare March 24, 2026 11:45

hectorcast-db force-pushed the hectorcast-db/stack/port-5-token-audience-from-metadata branch from 513d3f9 to 2dd4a6d Compare March 24, 2026 11:45

hectorcast-db temporarily deployed to test-trigger-is March 24, 2026 11:45 — with GitHub Actions Inactive

hectorcast-db requested a review from tejaskochar-db March 24, 2026 11:46

hectorcast-db temporarily deployed to test-trigger-is March 24, 2026 11:46 — with GitHub Actions Inactive

hectorcast-db temporarily deployed to test-trigger-is March 24, 2026 11:47 — with GitHub Actions Inactive

hectorcast-db marked this pull request as ready for review March 24, 2026 11:47

tejaskochar-db approved these changes Mar 24, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Make GCP SA token refresh non-blocking with warning on failure#718

Make GCP SA token refresh non-blocking with warning on failure#718
hectorcast-db wants to merge 1 commit intohectorcast-db/stack/port-5-token-audience-from-metadatafrom
hectorcast-db/stack/port-6-gcp-sa-nonblocking

hectorcast-db commented Mar 19, 2026 •

edited

Loading

Uh oh!

tejaskochar-db left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

hectorcast-db commented Mar 19, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🥞 Stacked PR

Summary

Test plan

Uh oh!

tejaskochar-db left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

hectorcast-db commented Mar 19, 2026 •

edited

Loading