mwojtyczka commented on code in PR #61458:
URL: https://github.com/apache/airflow/pull/61458#discussion_r2770632680
##########
providers/databricks/docs/connections/databricks.rst:
##########
@@ -91,6 +100,244 @@ Extra (optional)
* ``azure_resource_id``: optional Resource ID of the Azure Databricks
workspace (required if managed identity isn't
a user inside workspace)
+ The following parameters are necessary if using authentication with
Kubernetes OIDC token federation:
+
+ * ``federated_k8s``: set ``login`` to ``"federated_k8s"`` or add this as
extra parameter. When enabled, the hook will fetch a JWT token from Kubernetes
and exchange it for a Databricks OAuth token using the `OIDC token exchange API
<https://docs.databricks.com/aws/en/dev-tools/auth/oauth-federation-exchange.html>`_.
This authentication method only works when Airflow is running inside a
Kubernetes cluster (e.g., AWS EKS, Azure AKS, Google GKE).
+
+ **Two methods are supported for obtaining the Kubernetes JWT token:**
+
+ **Method 1: Projected Volume**
+
+ * ``k8s_projected_volume_token_path``: (optional) path to a [Kubernetes
projected volume service account
token](https://kubernetes.io/docs/concepts/configuration/secret/#projected-volume).
When configured, the hook will read the token directly from this file. The
token must be configured in your Pod spec with the appropriate audience and
expiration. This is the recommended method as it's simpler and more efficient
(no API calls). See the example Pod configuration below.
Review Comment:
corrected
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
