Refactor auth env to use CLI's resolved auth context

Use root.MustAnyClient and auth.Env instead of custom profile/host
resolution logic. This makes auth env return the environment variables
for the exact identity the CLI is authenticated as, including bundle
context and all standard auth resolution paths.

Breaking changes:
- Removed command-specific --host and --profile flags (use the
  inherited flags from the parent/root commands)
- JSON output is a flat map instead of wrapped in {"env": ...}
- Only the primary env var per attribute is emitted (via auth.Env)

Author: simonfaltum

cmd/auth/env.go

@@ -1,150 +1,48 @@
 package auth
 
 import (
-	"context"
 	"encoding/json"
-	"errors"
 	"fmt"
-	"io/fs"
-	"net/http"
-	"net/url"
+	"maps"
+	"slices"
 	"strings"
 
 	"github.com/databricks/cli/cmd/root"
-	"github.com/databricks/cli/libs/databrickscfg/profile"
+	"github.com/databricks/cli/libs/auth"
+	"github.com/databricks/cli/libs/cmdctx"
 	"github.com/databricks/cli/libs/flags"
-	"github.com/databricks/databricks-sdk-go/config"
 	"github.com/spf13/cobra"
-	"gopkg.in/ini.v1"
 )
 
-func canonicalHost(host string) (string, error) {
-	parsedHost, err := url.Parse(host)
-	if err != nil {
-		return "", err
-	}
-	// If the host is empty, assume the scheme wasn't included.
-	if parsedHost.Host == "" {
-		return "https://" + host, nil
-	}
-	return "https://" + parsedHost.Host, nil
-}
-
-var ErrNoMatchingProfiles = errors.New("no matching profiles found")
-
-const shellQuotedSpecialChars = " \t\n\r\"\\$`!#&|;(){}[]<>?*~'"
-
-func resolveSection(cfg *config.Config, iniFile *config.File) (*ini.Section, error) {
-	var candidates []*ini.Section
-	configuredHost, err := canonicalHost(cfg.Host)
-	if err != nil {
-		return nil, err
-	}
-	for _, section := range iniFile.Sections() {
-		hash := section.KeysHash()
-		host, ok := hash["host"]
-		if !ok {
-			// if host is not set
-			continue
-		}
-		canonical, err := canonicalHost(host)
-		if err != nil {
-			// we're fine with other corrupt profiles
-			continue
-		}
-		if canonical != configuredHost {
-			continue
-		}
-		candidates = append(candidates, section)
-	}
-	if len(candidates) == 0 {
-		return nil, ErrNoMatchingProfiles
-	}
-	// in the real situations, we don't expect this to happen often
-	// (if not at all), hence we don't trim the list
-	if len(candidates) > 1 {
-		var profiles []string
-		for _, v := range candidates {
-			profiles = append(profiles, v.Name())
-		}
-		return nil, fmt.Errorf("%s match %s in %s",
-			strings.Join(profiles, " and "), cfg.Host, cfg.ConfigFile)
-	}
-	return candidates[0], nil
-}
-
-func loadFromDatabricksCfg(ctx context.Context, cfg *config.Config) error {
-	iniFile, err := profile.DefaultProfiler.Get(ctx)
-	if errors.Is(err, fs.ErrNotExist) {
-		// it's fine not to have ~/.databrickscfg
-		return nil
-	}
-	if err != nil {
-		return err
-	}
-	profile, err := resolveSection(cfg, iniFile)
-	if err == ErrNoMatchingProfiles {
-		// it's also fine for Azure CLI or Databricks CLI, which
-		// are resolved by unified auth handling in the Go SDK.
-		return nil
-	}
-	if err != nil {
-		return err
-	}
-	cfg.Profile = profile.Name()
-	return nil
-}
-
 func newEnvCommand() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "env",
-		Short: "Get env",
+		Short: "Get authentication environment variables for the current CLI context",
+		Long: `Output the environment variables needed to authenticate as the same identity
+the CLI is currently authenticated as. This is useful for configuring downstream
+tools that accept Databricks authentication via environment variables.`,
 	}
 
-	var host string
-	var profile string
-	cmd.Flags().StringVar(&host, "host", host, "Hostname to get auth env for")
-	cmd.Flags().StringVar(&profile, "profile", profile, "Profile to get auth env for")
-
 	cmd.RunE = func(cmd *cobra.Command, args []string) error {
-		cfg := &config.Config{
-			Host:    host,
-			Profile: profile,
-		}
-		if profile != "" {
-			cfg.Profile = profile
-		} else if cfg.Host == "" {
-			cfg.Profile = "DEFAULT"
-		} else if err := loadFromDatabricksCfg(cmd.Context(), cfg); err != nil {
-			return err
-		}
-		// Go SDK is lazy loaded because of Terraform semantics,
-		// so we're creating a dummy HTTP request as a placeholder
-		// for headers.
-		r := &http.Request{Header: http.Header{}}
-		err := cfg.Authenticate(r.WithContext(cmd.Context()))
+		_, err := root.MustAnyClient(cmd, args)
 		if err != nil {
 			return err
 		}
+
+		cfg := cmdctx.ConfigUsed(cmd.Context())
+		envVars := auth.Env(cfg)
+
 		// Output KEY=VALUE lines when the user explicitly passes --output text.
 		if cmd.Flag("output").Changed && root.OutputType(cmd) == flags.OutputText {
 			w := cmd.OutOrStdout()
-			for _, a := range config.ConfigAttributes {
-				if a.IsZero(cfg) {
-					continue
-				}
-				v := a.GetString(cfg)
-				for _, envName := range a.EnvVars {
-					fmt.Fprintf(w, "%s=%s\n", envName, quoteEnvValue(v))
-				}
+			keys := slices.Sorted(maps.Keys(envVars))
+			for _, k := range keys {
+				fmt.Fprintf(w, "%s=%s\n", k, quoteEnvValue(envVars[k]))
 			}
 			return nil
 		}
 
-		vars := collectEnvVars(cfg)
-		raw, err := json.MarshalIndent(map[string]any{
-			"env": vars,
-		}, "", "  ")
+		raw, err := json.MarshalIndent(envVars, "", "  ")
 		if err != nil {
 			return err
 		}
@@ -155,25 +53,11 @@ func newEnvCommand() *cobra.Command {
 	return cmd
 }
 
-// collectEnvVars returns the environment variables for the given config
-// as a map from env var name to value.
-func collectEnvVars(cfg *config.Config) map[string]string {
-	vars := map[string]string{}
-	for _, a := range config.ConfigAttributes {
-		if a.IsZero(cfg) {
-			continue
-		}
-		v := a.GetString(cfg)
-		for _, envName := range a.EnvVars {
-			vars[envName] = v
-		}
-	}
-	return vars
-}
+const shellQuotedSpecialChars = " \t\n\r\"\\$`!#&|;(){}[]<>?*~'"
 
 // quoteEnvValue quotes a value for KEY=VALUE output if it contains spaces or
 // shell-special characters. Single quotes prevent shell expansion, and
-// embedded single quotes use the POSIX-compatible '\” sequence.
+// embedded single quotes use the POSIX-compatible '\" sequence.
 func quoteEnvValue(v string) string {
 	if v == "" {
 		return `''`

cmd/auth/env_test.go

@@ -47,35 +47,39 @@ func TestEnvCommand_TextOutput(t *testing.T) {
 	}{
 		{
 			name:     "default output is JSON",
-			args:     []string{"--host", "https://test.cloud.databricks.com"},
+			args:     nil,
 			wantJSON: true,
 		},
 		{
 			name:     "explicit --output text produces KEY=VALUE lines",
-			args:     []string{"--host", "https://test.cloud.databricks.com", "--output", "text"},
+			args:     []string{"--output", "text"},
 			wantJSON: false,
 		},
 		{
 			name:     "explicit --output json produces JSON",
-			args:     []string{"--host", "https://test.cloud.databricks.com", "--output", "json"},
+			args:     []string{"--output", "json"},
 			wantJSON: true,
 		},
 	}
 
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
+			// Isolate from real config/token cache on the machine.
+			t.Setenv("DATABRICKS_CONFIG_FILE", t.TempDir()+"/.databrickscfg")
+			t.Setenv("HOME", t.TempDir())
+			// Set env vars so MustAnyClient resolves auth via PAT.
+			t.Setenv("DATABRICKS_HOST", "https://test.cloud.databricks.com")
+			t.Setenv("DATABRICKS_TOKEN", "test-token-value")
+
 			parent := &cobra.Command{Use: "databricks"}
 			outputFlag := flags.OutputText
 			parent.PersistentFlags().VarP(&outputFlag, "output", "o", "output type: text or json")
+			parent.PersistentFlags().StringP("profile", "p", "", "~/.databrickscfg profile")
 
 			envCmd := newEnvCommand()
 			parent.AddCommand(envCmd)
 			parent.SetContext(cmdio.MockDiscard(t.Context()))
 
-			// Set DATABRICKS_TOKEN so the SDK's config.Authenticate succeeds
-			// without hitting a real endpoint.
-			t.Setenv("DATABRICKS_TOKEN", "test-token-value")
-
 			var buf bytes.Buffer
 			parent.SetOut(&buf)
 			parent.SetArgs(append([]string{"env"}, c.args...))
@@ -91,7 +95,6 @@ func TestEnvCommand_TextOutput(t *testing.T) {
 				assert.NotContains(t, output, "{")
 				assert.Contains(t, output, "DATABRICKS_HOST=")
 				assert.Contains(t, output, "=")
-				// Verify KEY=VALUE format (no JSON structure)
 				assert.NotContains(t, output, `"env"`)
 			}
 		})