Don't fall back to the default profile when a host is set via the environment#5616
Merged
Merged
Conversation
resolveDefaultProfile pinned cfg.Profile to [__settings__].default_profile (or [DEFAULT]) even when DATABRICKS_HOST was already set in the environment. That defeats the SDK config-file loader's skip-guard, which ignores .databrickscfg only while cfg.Profile is empty, so the profile's credentials get merged with the environment config and auth fails with "more than one authorization method configured". Skip default-profile resolution when DATABRICKS_HOST is set, mirroring the SDK behavior so an explicitly configured host and token win. Co-authored-by: Isaac
Co-authored-by: Isaac
simonfaltum
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
simonfaltum
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
The first version skipped default-profile resolution whenever DATABRICKS_HOST was set. That was too broad: it also disabled pinning when the default profile targets the same host as the environment, which is the case `auth describe` relies on (acceptance test cmd/auth/describe/default-profile) and which #5280 intentionally pins to keep the OAuth cache key correct. Skip pinning only when DATABRICKS_HOST is set and differs from the resolved default profile's host. A profile pointing at a different host is for another workspace, so pinning it merges conflicting credentials. When the hosts match there is no conflict and the profile is still pinned. Adds databrickscfg.SameHost and databrickscfg.ProfileHost helpers. Co-authored-by: Isaac
simonfaltum
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
simonfaltum
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
Collaborator
Integration test reportCommit: 57ffbd4
22 interesting tests: 15 SKIP, 7 KNOWN
Top 24 slowest tests (at least 2 minutes):
|
Replaces the host-comparison guard with the simpler rule from the SDK and PR review: when DATABRICKS_HOST is configured in the environment, never pin a default profile. The host-comparison approach still merged conflicting auth when a same-host default profile used a different auth method (e.g. basic or oauth vs the env PAT), which the GPT review flagged. - resolveDefaultProfile: return early when DATABRICKS_HOST is set. - Remove the now-unused SameHost and ProfileHost helpers and their tests. - auth describe: with DATABRICKS_HOST set, the default profile is no longer pinned; regenerate cmd/auth/describe/default-profile output accordingly. Co-authored-by: Isaac
simonfaltum
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
simonfaltum
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
| @@ -1,5 +1,5 @@ | |||
|
|
|||
| === Describe without --profile (should use default) | |||
| === Describe without --profile (DATABRICKS_HOST takes precedence over default_profile) | |||
Contributor
There was a problem hiding this comment.
do we also have one where DATABRICKS_HOST is unset?
Member
Author
There was a problem hiding this comment.
Good call. Added a second scenario to this test (57ffbd4): with DATABRICKS_HOST unset, auth describe resolves and uses the default profile (profile: my-workspace, host/token sourced "from the config file").
Add a second scenario to cmd/auth/describe/default-profile showing that the default profile is resolved and used when DATABRICKS_HOST is not set in the environment, complementing the precedence case where it is set. Co-authored-by: Isaac
simonfaltum
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
simonfaltum
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
janniklasrose
approved these changes
Jun 16, 2026
Collaborator
Integration test reportCommit: bc4ac2f
473 interesting tests: 390 MISS, 43 FAIL, 21 RECOVERED, 8 KNOWN, 5 flaky, 4 PANIC, 2 SKIP
Top 50 slowest tests (at least 2 minutes):
|
deco-sdk-tagging Bot
added a commit
that referenced
this pull request
Jun 17, 2026
## Release v1.4.0 ### CLI * Improved error messages for `ssh connect`: when an SSH connection attempt fails, the client now fetches and prints the server's recent error logs ([#5555](#5555)). * Increase the SSH server startup timeout from 10 to 45 minutes when a GPU accelerator is requested via `databricks ssh connect --accelerator` ([#5569](#5569)). * Fix authentication falling back to the default profile in `.databrickscfg` when a host is already configured via the environment (e.g. `DATABRICKS_HOST` with `DATABRICKS_TOKEN`) ([#5616](#5616)). * ssh: fix opening remote environment in Cursor, which previously hung on default-extension install and never opened the editor ([#5619](#5619)). * Improve the error shown when `databricks labs install` cannot find a project's `labs.yml`: the message now explains that either the requested version does not exist or the project is not installable with the CLI, and links to the repository ([#5559](#5559)). ### Bundles * Remove API enum values and types that are still in development from the `databricks-bundles` Python package; these were never accepted by the backend ([#5484](#5484)). * direct: Fix resolving a resource reference that is used more than once within the same field ([#5558](#5558)). * Bundle variable references now accept Unicode letters in path segments (e.g. `${var.变量}`). ([#5532](#5532)) * Ignore remote changes for vector search direct_access_index_spec.schema_json to prevent drift when the backend normalizes the schema ([#5481](#5481)). * Remove hidden, never-functional `--existing-dashboard-id`, `--existing-dashboard-path`, `--existing-alert-id`, and `--existing-genie-space-id` alias flags from `bundle generate`; use the documented `--existing-id` / `--existing-path` flags instead ([#5591](#5591)). * engine/direct: Fix WAL corruption after two consecutive failed deploys ([#5606](#5606)). * engine/direct: Don't open the deployment state WAL when a deploy's plan fails ([#5607](#5607)). * Ignore unity catalog managed schema property defaults to avoid unnecessary drift ([#5195](#5195)). * Add `postgres_roles` and `postgres_databases` resources to create Postgres roles and databases on a Lakebase branch ([#5467](#5467), [#5627](#5627)). * direct: Stop spurious recreate/rename on redeploy when the backend normalizes a resource's name-based ID (e.g. Unity Catalog lowercasing a schema or volume name) ([#5599](#5599)). * Fix the generated pipeline README to suggest `databricks bundle run <pipeline> --refresh <table>` for running a single transformation; the previously documented `--select` flag is not supported by `bundle run` ([#5252](#5252)).
artchen-db
pushed a commit
to artchen-db/cli
that referenced
this pull request
Jun 18, 2026
## Changes Preserve ConfigFile ## Why Without it, the config file set to /dev/null by `deco env run` isn't respected and falls back to developer's `~/.databrickscfg`. If that one has `[__settings__].default_profile` set, calls fail. databricks#5616 attempted to fix this, but if the host is in .databrickscfg with no auth in cache, the token still isn't respected. Once that is solved, we can revert this PR ## Tests `deco env run`
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
When
DATABRICKS_HOSTandDATABRICKS_TOKENare set in the environment, the CLI was still falling back to the default profile from.databrickscfgand merging its credentials with the environment config, so commands could fail withmore than one authorization method configured.This surfaced on #5612: a cloud proxy run lost
DATABRICKS_CONFIG_FILE, the CLI subprocess read the developer's real~/.databrickscfg, and because that file had[__settings__].default_profileset, auth broke even though host and token were provided.Why it happens
The Go SDK's config-file loader already ignores
.databrickscfgwhen a host is configured and no profile is selected, but only whilecfg.Profileis empty (configFileLoader.Configure). The CLI'sresolveDefaultProfilepinscfg.Profileto the default profile before the SDK runs, which defeats that skip-guard: the SDK then loads the profile and merges its credentials with the environment config, producing the conflict.Changes
Before:
resolveDefaultProfile(used byMustWorkspaceClientandMustAccountClient) pinnedcfg.Profileto the resolved default profile whenever no profile was requested via--profile/DATABRICKS_CONFIG_PROFILE, regardless of the environment.Now: it returns early when
DATABRICKS_HOSTis set. Authentication is then fully determined by the environment, so an explicit host and token win and the default profile is not pinned. This mirrors the SDK's own behavior. Pinning was only ever needed to keepcfg.Profilein sync for the OAuth cache key when the SDK actually reads a profile, which is exactly the case where no host is set in the environment.User-visible effect:
auth describewithDATABRICKS_HOSTset now reportsprofile: defaultinstead of the configureddefault_profile, since the environment, not the profile, determines auth. Thecmd/auth/describe/default-profileacceptance test is updated to reflect this.cmd/api/api.gopins the default profile inline with the same gap; that is left for a separate change to keep this PR focused.cmd/auth/token.gois intentionally excluded since it resolves which profile to mint a token for.Test plan
TestMustWorkspaceClientEnvHostSkipsDefaultProfile: withDATABRICKS_HOST+DATABRICKS_TOKENset and a same-host default profile that uses basic auth, the profile is not pinned and auth succeeds. Verified it fails without the fix (more than one authorization method configured: basic and pat).cmd/auth/...,auth/...,cmd/api/...);cmd/auth/describe/default-profileoutput regenerated../task fmt-q,./task checks,./task lint-qclean.This pull request and its description were written by Isaac.