databricks · hectorcast-db · Mar 17, 2026 · Mar 16, 2026 · Mar 17, 2026
diff --git a/config/auth_azure_cli.go b/config/auth_azure_cli.go
@@ -52,7 +52,7 @@ func (c AzureCliCredentials) getVisitor(ctx context.Context, cfg *Config, inner
 		return azureVisitor(cfg, refreshableVisitor(inner, opts...)), nil
 	}
 	management := azureReuseTokenSource(t, ts, opts...)
-	return azureVisitor(cfg, serviceToServiceVisitor(inner, management, xDatabricksAzureSpManagementToken, opts...)), nil
+	return azureVisitor(cfg, serviceToServiceVisitor(inner, management, xDatabricksAzureSpManagementToken, false, opts...)), nil
 }
 
 func (c AzureCliCredentials) Configure(ctx context.Context, cfg *Config) (credentials.CredentialsProvider, error) {

diff --git a/config/auth_azure_client_secret.go b/config/auth_azure_client_secret.go
@@ -57,6 +57,6 @@ func (c AzureClientSecretCredentials) Configure(ctx context.Context, cfg *Config
 	opts := cacheOptions(cfg)
 	inner := azureReuseTokenSource(nil, c.tokenSourceFor(ctx, cfg, aadEndpoint, env.AzureApplicationID), opts...)
 	management := azureReuseTokenSource(nil, c.tokenSourceFor(ctx, cfg, aadEndpoint, managementEndpoint), opts...)
-	visitor := azureVisitor(cfg, serviceToServiceVisitor(inner, management, xDatabricksAzureSpManagementToken, opts...))
+	visitor := azureVisitor(cfg, serviceToServiceVisitor(inner, management, xDatabricksAzureSpManagementToken, false, opts...))
 	return credentials.NewOAuthCredentialsProvider(visitor, inner.Token), nil
 }
diff --git a/config/auth_azure_msi.go b/config/auth_azure_msi.go
@@ -46,7 +46,7 @@ func (c AzureMsiCredentials) Configure(ctx context.Context, cfg *Config) (creden
 	opts := cacheOptions(cfg)
 	inner := azureReuseTokenSource(nil, c.tokenSourceFor(ctx, cfg, "", env.AzureApplicationID), opts...)
 	management := azureReuseTokenSource(nil, c.tokenSourceFor(ctx, cfg, "", env.AzureServiceManagementEndpoint()), opts...)
-	visitor := azureVisitor(cfg, serviceToServiceVisitor(inner, management, xDatabricksAzureSpManagementToken, opts...))
+	visitor := azureVisitor(cfg, serviceToServiceVisitor(inner, management, xDatabricksAzureSpManagementToken, false, opts...))
 	return credentials.NewOAuthCredentialsProvider(visitor, inner.Token), nil
 }
 

diff --git a/config/auth_gcp_google_credentials.go b/config/auth_gcp_google_credentials.go
@@ -42,7 +42,7 @@ func (c GoogleCredentials) Configure(ctx context.Context, cfg *Config) (credenti
 		return nil, fmt.Errorf("could not obtain OAuth2 token from JSON: %w", err)
 	}
 	logger.Infof(ctx, "Using Google Credentials")
-	visitor := serviceToServiceVisitor(inner, creds.TokenSource, "X-Databricks-GCP-SA-Access-Token", cacheOptions(cfg)...)
+	visitor := serviceToServiceVisitor(inner, creds.TokenSource, "X-Databricks-GCP-SA-Access-Token", true, cacheOptions(cfg)...)
 	return credentials.NewOAuthCredentialsProvider(visitor, inner.Token), nil
 }
 

diff --git a/config/auth_gcp_google_id.go b/config/auth_gcp_google_id.go
@@ -29,12 +29,8 @@ func (c GoogleDefaultCredentials) Configure(ctx context.Context, cfg *Config) (c
 		return nil, err
 	}
 	opts := cacheOptions(cfg)
-	if cfg.ConfigType() == WorkspaceConfig {
-		logger.Infof(ctx, "Using Google Default Application Credentials for Workspace")
-		visitor := refreshableVisitor(inner, opts...)
-		return credentials.CredentialsProviderFn(visitor), nil
-	}
-	// source for generateAccessToken
+	// Always attempt to create SA token source for the secondary header.
+	// If it fails, fall back to refreshableVisitor with a warning.
 	platform, err := impersonate.CredentialsTokenSource(ctx, impersonate.CredentialsConfig{
 		TargetPrincipal: cfg.GoogleServiceAccount,
 		Scopes: []string{
@@ -43,10 +39,12 @@ func (c GoogleDefaultCredentials) Configure(ctx context.Context, cfg *Config) (c
 		},
 	}, c.opts...)
 	if err != nil {
-		return nil, err
+		logger.Warnf(ctx, "Failed to create GCP SA access token source: %v. Proceeding without SA token.", err)
+		visitor := refreshableVisitor(inner, opts...)
+		return credentials.CredentialsProviderFn(visitor), nil
 	}
-	logger.Infof(ctx, "Using Google Default Application Credentials for Accounts API")
-	visitor := serviceToServiceVisitor(inner, platform, "X-Databricks-GCP-SA-Access-Token", opts...)
+	logger.Infof(ctx, "Using Google Default Application Credentials")
+	visitor := serviceToServiceVisitor(inner, platform, "X-Databricks-GCP-SA-Access-Token", true, opts...)
 	return credentials.NewOAuthCredentialsProvider(visitor, inner.Token), nil
 }
 

diff --git a/config/oauth_visitors.go b/config/oauth_visitors.go
@@ -8,6 +8,7 @@ import (
 
 	"github.com/databricks/databricks-sdk-go/config/experimental/auth"
 	"github.com/databricks/databricks-sdk-go/config/experimental/auth/authconv"
+	"github.com/databricks/databricks-sdk-go/logger"
 	"golang.org/x/oauth2"
 )
 
@@ -19,9 +20,11 @@ func cacheOptions(cfg *Config) []auth.Option {
 }
 
 // serviceToServiceVisitor returns a visitor that sets the Authorization header
-// to the token from the auth token source and the provided secondary header to
-// the token from the secondary token source.
-func serviceToServiceVisitor(primary, secondary oauth2.TokenSource, secondaryHeader string, opts ...auth.Option) func(r *http.Request) error {
+// to the token from the primary token source and the provided secondary header
+// to the token from the secondary token source. If secondaryOptional is true,
+// a failure to get the secondary token logs a warning and skips the header
+// instead of returning an error.
+func serviceToServiceVisitor(primary, secondary oauth2.TokenSource, secondaryHeader string, secondaryOptional bool, opts ...auth.Option) func(r *http.Request) error {
 	refreshableAuth := auth.NewCachedTokenSource(authconv.AuthTokenSource(primary), opts...)
 	refreshableSecondary := auth.NewCachedTokenSource(authconv.AuthTokenSource(secondary), opts...)
 	return func(r *http.Request) error {
@@ -33,6 +36,10 @@ func serviceToServiceVisitor(primary, secondary oauth2.TokenSource, secondaryHea
 
 		cloud, err := refreshableSecondary.Token(context.Background())
 		if err != nil {
+			if secondaryOptional {
+				logger.Warnf(r.Context(), "Failed to get secondary token for %s header: %v. Skipping.", secondaryHeader, err)
+				return nil
+			}
 			return fmt.Errorf("cloud token: %w", err)
 		}
 		r.Header.Set(secondaryHeader, cloud.AccessToken)

diff --git a/config/oauth_visitors_test.go b/config/oauth_visitors_test.go
@@ -1,10 +1,13 @@
 package config
 
 import (
+	"fmt"
+	"net/http"
 	"testing"
 	"time"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"golang.org/x/oauth2"
 )
 
@@ -31,3 +34,62 @@ func TestAzureReuseTokenSource(t *testing.T) {
 	assert.NoError(t, err)
 	assert.False(t, token.Valid())
 }
+
+type staticTokenSource struct {
+	token *oauth2.Token
+	err   error
+}
+
+func (s *staticTokenSource) Token() (*oauth2.Token, error) {
+	return s.token, s.err
+}
+
+func TestServiceToServiceVisitorWithFallback_BothSucceed(t *testing.T) {
+	primary := &staticTokenSource{token: &oauth2.Token{AccessToken: "primary-token"}}
+	secondary := &staticTokenSource{token: &oauth2.Token{AccessToken: "secondary-token"}}
+	visitor := serviceToServiceVisitor(primary, secondary, "X-Secondary", true)
+
+	req, err := http.NewRequest("GET", "https://example.com", nil)
+	require.NoError(t, err)
+	err = visitor(req)
+	require.NoError(t, err)
+	assert.Equal(t, "Bearer primary-token", req.Header.Get("Authorization"))
+	assert.Equal(t, "secondary-token", req.Header.Get("X-Secondary"))
+}
+
+func TestServiceToServiceVisitorWithFallback_SecondaryFails_SkipsHeader(t *testing.T) {
+	primary := &staticTokenSource{token: &oauth2.Token{AccessToken: "primary-token"}}
+	secondary := &staticTokenSource{err: fmt.Errorf("secondary failed")}
+	visitor := serviceToServiceVisitor(primary, secondary, "X-Secondary", true)
+
+	req, err := http.NewRequest("GET", "https://example.com", nil)
+	require.NoError(t, err)
+	err = visitor(req)
+	require.NoError(t, err)
+	assert.Equal(t, "Bearer primary-token", req.Header.Get("Authorization"))
+	assert.Empty(t, req.Header.Get("X-Secondary"))
+}
+
+func TestServiceToServiceVisitor_SecondaryFails_NotOptional_ReturnsError(t *testing.T) {
+	primary := &staticTokenSource{token: &oauth2.Token{AccessToken: "primary-token"}}
+	secondary := &staticTokenSource{err: fmt.Errorf("secondary failed")}
+	visitor := serviceToServiceVisitor(primary, secondary, "X-Secondary", false)
+
+	req, err := http.NewRequest("GET", "https://example.com", nil)
+	require.NoError(t, err)
+	err = visitor(req)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "cloud token")
+}
+
+func TestServiceToServiceVisitorWithFallback_PrimaryFails_ReturnsError(t *testing.T) {
+	primary := &staticTokenSource{err: fmt.Errorf("primary failed")}
+	secondary := &staticTokenSource{token: &oauth2.Token{AccessToken: "secondary-token"}}
+	visitor := serviceToServiceVisitor(primary, secondary, "X-Secondary", true)
+
+	req, err := http.NewRequest("GET", "https://example.com", nil)
+	require.NoError(t, err)
+	err = visitor(req)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "inner token")
+}