From 799d2ccbb743d9f59b683618195e18d35703afe4 Mon Sep 17 00:00:00 2001
From: simon <simon.faltum@databricks.com>
Date: Thu, 7 May 2026 18:52:38 +0200
Subject: [PATCH 1/2] auth describe: show U2M token storage location and source

Adds a "Token storage:" line to `databricks auth describe` output for
profiles authenticated with `auth_type = databricks-cli` (U2M). Shows
which backend the CLI uses for the token cache (plaintext file vs OS
keyring) and where that choice came from (override flag, env var,
config setting, or built-in default).

Modeled on `gh auth status`, which surfaces "(keyring)" or the YAML
hosts file path so users can tell at a glance where their tokens live.

Mirrors the existing config-attribute "(from <source>)" annotation
style. Other auth types (PAT, M2M, OIDC, etc.) do not use the U2M cache
and the line is omitted for them.

Resolver: `ResolveStorageModeWithSource` now returns a typed
`StorageSource` instead of an opaque bool, so callers can render the
source directly without duplicating the precedence-to-label mapping.

Co-authored-by: Isaac
---
 NEXT_CHANGELOG.md                             |   2 +
 .../u2m-plaintext-default/out.test.toml       |   3 +
 .../describe/u2m-plaintext-default/output.txt |  12 ++
 .../describe/u2m-plaintext-default/script     |  14 +++
 .../describe/u2m-plaintext-default/test.toml  |   3 +
 .../describe/u2m-plaintext-env/out.test.toml  |   3 +
 .../describe/u2m-plaintext-env/output.txt     |  12 ++
 .../auth/describe/u2m-plaintext-env/script    |  15 +++
 .../auth/describe/u2m-plaintext-env/test.toml |   3 +
 cmd/auth/describe.go                          | 105 ++++++++++++----
 cmd/auth/describe_test.go                     | 114 ++++++++++++++++++
 libs/auth/storage/cache.go                    |   4 +-
 libs/auth/storage/mode.go                     |  58 +++++++--
 libs/auth/storage/mode_test.go                |  62 ++++++----
 14 files changed, 352 insertions(+), 58 deletions(-)
 create mode 100644 acceptance/cmd/auth/describe/u2m-plaintext-default/out.test.toml
 create mode 100644 acceptance/cmd/auth/describe/u2m-plaintext-default/output.txt
 create mode 100644 acceptance/cmd/auth/describe/u2m-plaintext-default/script
 create mode 100644 acceptance/cmd/auth/describe/u2m-plaintext-default/test.toml
 create mode 100644 acceptance/cmd/auth/describe/u2m-plaintext-env/out.test.toml
 create mode 100644 acceptance/cmd/auth/describe/u2m-plaintext-env/output.txt
 create mode 100644 acceptance/cmd/auth/describe/u2m-plaintext-env/script
 create mode 100644 acceptance/cmd/auth/describe/u2m-plaintext-env/test.toml

diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md
index 409a875ad12..2e0b512efee 100644
--- a/NEXT_CHANGELOG.md
+++ b/NEXT_CHANGELOG.md
@@ -4,6 +4,8 @@
 
 ### CLI
 
+* `databricks auth describe` now reports where U2M (`databricks-cli`) tokens are stored: `plaintext` (`~/.databricks/token-cache.json`) or `secure` (OS keyring), and the source of the choice (env var, config setting, or default).
+
 ### Bundles
 
 * Fixed `--force-pull` on `bundle summary` and `bundle open` so the flag bypasses the local state cache and reads state from the workspace.
diff --git a/acceptance/cmd/auth/describe/u2m-plaintext-default/out.test.toml b/acceptance/cmd/auth/describe/u2m-plaintext-default/out.test.toml
new file mode 100644
index 00000000000..f784a183258
--- /dev/null
+++ b/acceptance/cmd/auth/describe/u2m-plaintext-default/out.test.toml
@@ -0,0 +1,3 @@
+Local = true
+Cloud = false
+EnvMatrix.DATABRICKS_BUNDLE_ENGINE = ["terraform", "direct"]
diff --git a/acceptance/cmd/auth/describe/u2m-plaintext-default/output.txt b/acceptance/cmd/auth/describe/u2m-plaintext-default/output.txt
new file mode 100644
index 00000000000..981244ff8d9
--- /dev/null
+++ b/acceptance/cmd/auth/describe/u2m-plaintext-default/output.txt
@@ -0,0 +1,12 @@
+
+>>> [CLI] auth describe --profile u2m-profile
+Warn: [hostmetadata] failed to fetch host metadata for https://u2m-profile.databricks.test, will skip for 1m0s
+Unable to authenticate: error getting token: cache: token not found
+Token storage: plaintext, ~/.databricks/token-cache.json (from default)
+-----
+Current configuration:
+  ✓ host: https://u2m-profile.databricks.test (from ./home/.databrickscfg config file)
+  ✓ profile: u2m-profile (from --profile flag)
+  ✓ databricks_cli_path: [CLI]
+  ✓ auth_type: databricks-cli (from ./home/.databrickscfg config file)
+  ✓ rate_limit: [NUMID] (from DATABRICKS_RATE_LIMIT environment variable)
diff --git a/acceptance/cmd/auth/describe/u2m-plaintext-default/script b/acceptance/cmd/auth/describe/u2m-plaintext-default/script
new file mode 100644
index 00000000000..d0b1ce40020
--- /dev/null
+++ b/acceptance/cmd/auth/describe/u2m-plaintext-default/script
@@ -0,0 +1,14 @@
+sethome "./home"
+
+unset DATABRICKS_HOST
+unset DATABRICKS_TOKEN
+unset DATABRICKS_CONFIG_PROFILE
+unset DATABRICKS_AUTH_STORAGE
+
+cat > "./home/.databrickscfg" <<ENDCFG
+[u2m-profile]
+host       = https://u2m-profile.databricks.test
+auth_type  = databricks-cli
+ENDCFG
+
+trace $CLI auth describe --profile u2m-profile
diff --git a/acceptance/cmd/auth/describe/u2m-plaintext-default/test.toml b/acceptance/cmd/auth/describe/u2m-plaintext-default/test.toml
new file mode 100644
index 00000000000..36c0e7e237b
--- /dev/null
+++ b/acceptance/cmd/auth/describe/u2m-plaintext-default/test.toml
@@ -0,0 +1,3 @@
+Ignore = [
+    "home"
+]
diff --git a/acceptance/cmd/auth/describe/u2m-plaintext-env/out.test.toml b/acceptance/cmd/auth/describe/u2m-plaintext-env/out.test.toml
new file mode 100644
index 00000000000..f784a183258
--- /dev/null
+++ b/acceptance/cmd/auth/describe/u2m-plaintext-env/out.test.toml
@@ -0,0 +1,3 @@
+Local = true
+Cloud = false
+EnvMatrix.DATABRICKS_BUNDLE_ENGINE = ["terraform", "direct"]
diff --git a/acceptance/cmd/auth/describe/u2m-plaintext-env/output.txt b/acceptance/cmd/auth/describe/u2m-plaintext-env/output.txt
new file mode 100644
index 00000000000..ff36f25245d
--- /dev/null
+++ b/acceptance/cmd/auth/describe/u2m-plaintext-env/output.txt
@@ -0,0 +1,12 @@
+
+>>> [CLI] auth describe --profile u2m-profile
+Warn: [hostmetadata] failed to fetch host metadata for https://u2m-profile.databricks.test, will skip for 1m0s
+Unable to authenticate: error getting token: cache: token not found
+Token storage: plaintext, ~/.databricks/token-cache.json (from DATABRICKS_AUTH_STORAGE environment variable)
+-----
+Current configuration:
+  ✓ host: https://u2m-profile.databricks.test (from ./home/.databrickscfg config file)
+  ✓ profile: u2m-profile (from --profile flag)
+  ✓ databricks_cli_path: [CLI]
+  ✓ auth_type: databricks-cli (from ./home/.databrickscfg config file)
+  ✓ rate_limit: [NUMID] (from DATABRICKS_RATE_LIMIT environment variable)
diff --git a/acceptance/cmd/auth/describe/u2m-plaintext-env/script b/acceptance/cmd/auth/describe/u2m-plaintext-env/script
new file mode 100644
index 00000000000..21bfdf231f1
--- /dev/null
+++ b/acceptance/cmd/auth/describe/u2m-plaintext-env/script
@@ -0,0 +1,15 @@
+sethome "./home"
+
+unset DATABRICKS_HOST
+unset DATABRICKS_TOKEN
+unset DATABRICKS_CONFIG_PROFILE
+
+export DATABRICKS_AUTH_STORAGE=plaintext
+
+cat > "./home/.databrickscfg" <<ENDCFG
+[u2m-profile]
+host       = https://u2m-profile.databricks.test
+auth_type  = databricks-cli
+ENDCFG
+
+trace $CLI auth describe --profile u2m-profile
diff --git a/acceptance/cmd/auth/describe/u2m-plaintext-env/test.toml b/acceptance/cmd/auth/describe/u2m-plaintext-env/test.toml
new file mode 100644
index 00000000000..36c0e7e237b
--- /dev/null
+++ b/acceptance/cmd/auth/describe/u2m-plaintext-env/test.toml
@@ -0,0 +1,3 @@
+Ignore = [
+    "home"
+]
diff --git a/cmd/auth/describe.go b/cmd/auth/describe.go
index 9199aac9e6e..88b6fd3c41b 100644
--- a/cmd/auth/describe.go
+++ b/cmd/auth/describe.go
@@ -6,9 +6,11 @@ import (
 	"fmt"
 
 	"github.com/databricks/cli/cmd/root"
+	"github.com/databricks/cli/libs/auth/storage"
 	"github.com/databricks/cli/libs/cmdctx"
 	"github.com/databricks/cli/libs/cmdio"
 	"github.com/databricks/cli/libs/flags"
+	"github.com/databricks/cli/libs/log"
 	"github.com/databricks/databricks-sdk-go/config"
 	"github.com/spf13/cobra"
 )
@@ -21,10 +23,16 @@ var authTemplate = `{{"Host:" | bold}} {{.Status.Details.Host}}
 {{"User:" | bold}} {{.Status.Username}}
 {{- end}}
 {{"Authenticated with:" | bold}} {{.Status.Details.AuthType}}
+{{- if .Status.TokenStorage}}
+{{"Token storage:" | bold}} {{.Status.TokenStorage.Mode}}, {{.Status.TokenStorage.Location}} {{ printf "(from %s)" .Status.TokenStorage.Source | italic}}
+{{- end}}
 -----
 ` + configurationTemplate
 
 var errorTemplate = `Unable to authenticate: {{.Status.Error}}
+{{- if .Status.TokenStorage}}
+{{"Token storage:" | bold}} {{.Status.TokenStorage.Mode}}, {{.Status.TokenStorage.Location}} {{ printf "(from %s)" .Status.TokenStorage.Source | italic}}
+{{- end}}
 -----
 ` + configurationTemplate
 
@@ -80,10 +88,12 @@ func getAuthStatus(cmd *cobra.Command, args []string, showSensitive bool, fn try
 	cfg, isAccount, err := fn(cmd, args)
 	ctx := cmd.Context()
 	if err != nil {
+		details := getAuthDetails(cmd, cfg, showSensitive)
 		return &authStatus{ //nolint:nilerr // error is returned in the authStatus struct
-			Status:  "error",
-			Error:   err,
-			Details: getAuthDetails(cmd, cfg, showSensitive),
+			Status:       "error",
+			Error:        err,
+			Details:      details,
+			TokenStorage: resolveTokenStorageInfo(ctx, details.AuthType),
 		}, nil
 	}
 
@@ -93,18 +103,22 @@ func getAuthStatus(cmd *cobra.Command, args []string, showSensitive bool, fn try
 		// Doing a simple API call to check if the auth is valid
 		_, err := a.Workspaces.List(ctx)
 		if err != nil {
+			details := getAuthDetails(cmd, cfg, showSensitive)
 			return &authStatus{ //nolint:nilerr // error is returned in the authStatus struct
-				Status:  "error",
-				Error:   err,
-				Details: getAuthDetails(cmd, cfg, showSensitive),
+				Status:       "error",
+				Error:        err,
+				Details:      details,
+				TokenStorage: resolveTokenStorageInfo(ctx, details.AuthType),
 			}, nil
 		}
 
+		details := getAuthDetails(cmd, a.Config, showSensitive)
 		status := authStatus{
-			Status:    "success",
-			Details:   getAuthDetails(cmd, a.Config, showSensitive),
-			AccountID: a.Config.AccountID,
-			Username:  a.Config.Username,
+			Status:       "success",
+			Details:      details,
+			AccountID:    a.Config.AccountID,
+			Username:     a.Config.Username,
+			TokenStorage: resolveTokenStorageInfo(ctx, details.AuthType),
 		}
 
 		return &status, nil
@@ -113,17 +127,21 @@ func getAuthStatus(cmd *cobra.Command, args []string, showSensitive bool, fn try
 	w := cmdctx.WorkspaceClient(ctx)
 	me, err := w.CurrentUser.Me(ctx)
 	if err != nil {
+		details := getAuthDetails(cmd, cfg, showSensitive)
 		return &authStatus{ //nolint:nilerr // error is returned in the authStatus struct
-			Status:  "error",
-			Error:   err,
-			Details: getAuthDetails(cmd, cfg, showSensitive),
+			Status:       "error",
+			Error:        err,
+			Details:      details,
+			TokenStorage: resolveTokenStorageInfo(ctx, details.AuthType),
 		}, nil
 	}
 
+	details := getAuthDetails(cmd, w.Config, showSensitive)
 	status := authStatus{
-		Status:   "success",
-		Details:  getAuthDetails(cmd, w.Config, showSensitive),
-		Username: me.UserName,
+		Status:       "success",
+		Details:      details,
+		Username:     me.UserName,
+		TokenStorage: resolveTokenStorageInfo(ctx, details.AuthType),
 	}
 
 	return &status, nil
@@ -153,11 +171,56 @@ func render(ctx context.Context, cmd *cobra.Command, status *authStatus, templat
 }
 
 type authStatus struct {
-	Status    string             `json:"status"`
-	Error     error              `json:"error,omitempty"`
-	Username  string             `json:"username,omitempty"`
-	AccountID string             `json:"account_id,omitempty"`
-	Details   config.AuthDetails `json:"details"`
+	Status       string             `json:"status"`
+	Error        error              `json:"error,omitempty"`
+	Username     string             `json:"username,omitempty"`
+	AccountID    string             `json:"account_id,omitempty"`
+	Details      config.AuthDetails `json:"details"`
+	TokenStorage *tokenStorageInfo  `json:"token_storage,omitempty"`
+}
+
+// tokenStorageInfo describes where the U2M (databricks-cli) token cache lives
+// and which precedence level produced that choice. Populated only when the
+// active auth type is "databricks-cli"; other auth types do not use the
+// CLI's U2M token cache and the field is omitted.
+type tokenStorageInfo struct {
+	Mode     string `json:"mode"`
+	Location string `json:"location"`
+	Source   string `json:"source"`
+}
+
+const (
+	plaintextLocation = "~/.databricks/token-cache.json"
+	secureLocation    = "OS keyring (service: databricks-cli)"
+)
+
+// resolveTokenStorageInfo returns storage info for the U2M token cache, or
+// nil if the active auth type does not use the cache. Resolver errors are
+// logged at debug level and treated as "no info available" rather than
+// failing describe; the user-visible auth status is more important than
+// secondary metadata about where a token would have been stored.
+func resolveTokenStorageInfo(ctx context.Context, authType string) *tokenStorageInfo {
+	if authType != authTypeDatabricksCLI {
+		return nil
+	}
+	mode, source, err := storage.ResolveStorageModeWithSource(ctx, "")
+	if err != nil {
+		log.Debugf(ctx, "auth describe: resolve storage mode: %v", err)
+		return nil
+	}
+	info := &tokenStorageInfo{
+		Mode:   string(mode),
+		Source: source.String(),
+	}
+	switch mode {
+	case storage.StorageModePlaintext:
+		info.Location = plaintextLocation
+	case storage.StorageModeSecure:
+		info.Location = secureLocation
+	default:
+		return nil
+	}
+	return info
 }
 
 func getAuthDetails(cmd *cobra.Command, cfg *config.Config, showSensitive bool) config.AuthDetails {
diff --git a/cmd/auth/describe_test.go b/cmd/auth/describe_test.go
index ef654aae3d2..e202404b212 100644
--- a/cmd/auth/describe_test.go
+++ b/cmd/auth/describe_test.go
@@ -4,11 +4,13 @@ import (
 	"errors"
 	"testing"
 
+	"github.com/databricks/cli/libs/auth/storage"
 	"github.com/databricks/cli/libs/cmdctx"
 	"github.com/databricks/databricks-sdk-go/config"
 	"github.com/databricks/databricks-sdk-go/experimental/mocks"
 	"github.com/databricks/databricks-sdk-go/service/iam"
 	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/require"
 )
@@ -223,3 +225,115 @@ func TestGetAccountAuthStatus(t *testing.T) {
 	require.Equal(t, "--profile flag", status.Details.Configuration["profile"].Source.String())
 	require.False(t, status.Details.Configuration["profile"].AuthTypeMismatch)
 }
+
+func TestResolveTokenStorageInfo(t *testing.T) {
+	cases := []struct {
+		name     string
+		authType string
+		envValue string
+		want     *tokenStorageInfo
+	}{
+		{
+			name:     "non-databricks-cli auth has no token storage",
+			authType: "pat",
+			want:     nil,
+		},
+		{
+			name:     "databricks-cli with default plaintext",
+			authType: authTypeDatabricksCLI,
+			want: &tokenStorageInfo{
+				Mode:     "plaintext",
+				Location: plaintextLocation,
+				Source:   "default",
+			},
+		},
+		{
+			name:     "databricks-cli with secure from env",
+			authType: authTypeDatabricksCLI,
+			envValue: "secure",
+			want: &tokenStorageInfo{
+				Mode:     "secure",
+				Location: secureLocation,
+				Source:   "DATABRICKS_AUTH_STORAGE environment variable",
+			},
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Setenv(storage.EnvVar, tc.envValue)
+			t.Setenv("DATABRICKS_CONFIG_FILE", t.TempDir()+"/.databrickscfg")
+
+			got := resolveTokenStorageInfo(t.Context(), tc.authType)
+			assert.Equal(t, tc.want, got)
+		})
+	}
+}
+
+func TestGetWorkspaceAuthStatus_U2M_PopulatesTokenStorage(t *testing.T) {
+	ctx := t.Context()
+	m := mocks.NewMockWorkspaceClient(t)
+	ctx = cmdctx.SetWorkspaceClient(ctx, m.WorkspaceClient)
+
+	cmd := &cobra.Command{}
+	cmd.SetContext(ctx)
+
+	currentUserApi := m.GetMockCurrentUserAPI()
+	currentUserApi.EXPECT().Me(mock.Anything).Return(&iam.User{UserName: "u2m-user"}, nil)
+
+	cmd.Flags().String("host", "", "")
+	cmd.Flags().String("profile", "", "")
+	require.NoError(t, cmd.Flag("profile").Value.Set("u2m-profile"))
+	cmd.Flag("profile").Changed = true
+
+	cfg := &config.Config{Profile: "u2m-profile"}
+	m.WorkspaceClient.Config = cfg
+	t.Setenv(storage.EnvVar, "secure")
+	t.Setenv("DATABRICKS_CONFIG_FILE", t.TempDir()+"/.databrickscfg")
+	require.NoError(t, config.ConfigAttributes.Configure(cfg))
+
+	status, err := getAuthStatus(cmd, []string{}, false, func(cmd *cobra.Command, args []string) (*config.Config, bool, error) {
+		require.NoError(t, config.ConfigAttributes.ResolveFromStringMap(cfg, map[string]string{
+			"host":      "https://test.test",
+			"auth_type": authTypeDatabricksCLI,
+		}))
+		return cfg, false, nil
+	})
+	require.NoError(t, err)
+	require.NotNil(t, status)
+	require.NotNil(t, status.TokenStorage)
+	assert.Equal(t, "secure", status.TokenStorage.Mode)
+	assert.Equal(t, secureLocation, status.TokenStorage.Location)
+	assert.Equal(t, "DATABRICKS_AUTH_STORAGE environment variable", status.TokenStorage.Source)
+}
+
+func TestGetWorkspaceAuthStatus_NonU2M_OmitsTokenStorage(t *testing.T) {
+	ctx := t.Context()
+	m := mocks.NewMockWorkspaceClient(t)
+	ctx = cmdctx.SetWorkspaceClient(ctx, m.WorkspaceClient)
+
+	cmd := &cobra.Command{}
+	cmd.SetContext(ctx)
+
+	currentUserApi := m.GetMockCurrentUserAPI()
+	currentUserApi.EXPECT().Me(mock.Anything).Return(&iam.User{UserName: "pat-user"}, nil)
+
+	cmd.Flags().String("host", "", "")
+	cmd.Flags().String("profile", "", "")
+
+	cfg := &config.Config{}
+	m.WorkspaceClient.Config = cfg
+	require.NoError(t, config.ConfigAttributes.Configure(cfg))
+
+	status, err := getAuthStatus(cmd, []string{}, false, func(cmd *cobra.Command, args []string) (*config.Config, bool, error) {
+		require.NoError(t, config.ConfigAttributes.ResolveFromStringMap(cfg, map[string]string{
+			"host":      "https://test.test",
+			"token":     "pat-token",
+			"auth_type": "pat",
+		}))
+		return cfg, false, nil
+	})
+	require.NoError(t, err)
+	require.NotNil(t, status)
+	assert.Nil(t, status.TokenStorage)
+}
diff --git a/libs/auth/storage/cache.go b/libs/auth/storage/cache.go
index 8e8b779afe9..cfd204fa324 100644
--- a/libs/auth/storage/cache.go
+++ b/libs/auth/storage/cache.go
@@ -106,11 +106,11 @@ func resolveCacheWith(ctx context.Context, override StorageMode, f cacheFactorie
 // resolveCacheForLoginWith is the pure form of ResolveCacheForLogin. It takes
 // the factory set as a parameter so tests can inject stubs.
 func resolveCacheForLoginWith(ctx context.Context, override StorageMode, f cacheFactories) (cache.TokenCache, StorageMode, error) {
-	mode, explicit, err := ResolveStorageModeWithSource(ctx, override)
+	mode, source, err := ResolveStorageModeWithSource(ctx, override)
 	if err != nil {
 		return nil, "", err
 	}
-	return applyLoginFallback(ctx, mode, explicit, f)
+	return applyLoginFallback(ctx, mode, source.Explicit(), f)
 }
 
 // applyLoginFallback realizes the login-time fallback rules given an already-
diff --git a/libs/auth/storage/mode.go b/libs/auth/storage/mode.go
index 2caace171f3..5c1acca9604 100644
--- a/libs/auth/storage/mode.go
+++ b/libs/auth/storage/mode.go
@@ -38,6 +38,43 @@ const (
 // EnvVar is the environment variable that selects the storage mode.
 const EnvVar = "DATABRICKS_AUTH_STORAGE"
 
+// StorageSource identifies which precedence level produced the resolved
+// storage mode. Callers use it both to decide whether the user explicitly
+// asked for a mode (everything except StorageSourceDefault) and to surface
+// where the choice came from in user-facing output.
+type StorageSource int
+
+const (
+	// StorageSourceDefault is the zero value: no override, env, or config
+	// was set, so the resolver fell through to the built-in default.
+	StorageSourceDefault StorageSource = iota
+	StorageSourceOverride
+	StorageSourceEnvVar
+	StorageSourceConfig
+)
+
+// Explicit reports whether the source came from a user-supplied input
+// (override flag, env var, or config) rather than the built-in default.
+func (s StorageSource) Explicit() bool {
+	return s != StorageSourceDefault
+}
+
+// String returns a human-readable label for the source, matching the style
+// used by the SDK's config.Source.String() (e.g. "DATABRICKS_HOST environment
+// variable", "--profile flag").
+func (s StorageSource) String() string {
+	switch s {
+	case StorageSourceOverride:
+		return "--auth-storage flag"
+	case StorageSourceEnvVar:
+		return EnvVar + " environment variable"
+	case StorageSourceConfig:
+		return "auth_storage in [__settings__] section of .databrickscfg"
+	default:
+		return "default"
+	}
+}
+
 // ParseMode parses raw as a StorageMode. Whitespace is trimmed and matching
 // is case-insensitive. Empty or unrecognized input returns StorageModeUnknown;
 // callers decide whether that is an error (user-supplied value) or a
@@ -70,32 +107,31 @@ func ResolveStorageMode(ctx context.Context, override StorageMode) (StorageMode,
 }
 
 // ResolveStorageModeWithSource is like ResolveStorageMode but also reports
-// whether the resolved mode came from an explicit user choice (override flag,
-// env var, or config) versus the built-in default. Callers use this to honor
-// "I want secure" strictly: when the user explicitly asked for secure storage
-// but it cannot be provided, the right move is to error out, not to silently
-// downgrade.
-func ResolveStorageModeWithSource(ctx context.Context, override StorageMode) (StorageMode, bool, error) {
+// which precedence level produced the resolved mode. Callers use the source
+// both to honor "I want secure" strictly (when source.Explicit() is true and
+// secure cannot be provided, error out instead of silently downgrading) and
+// to surface where the choice came from in user-facing output.
+func ResolveStorageModeWithSource(ctx context.Context, override StorageMode) (StorageMode, StorageSource, error) {
 	if override != StorageModeUnknown {
-		return override, true, nil
+		return override, StorageSourceOverride, nil
 	}
 
 	if raw := env.Get(ctx, EnvVar); raw != "" {
 		mode, err := parseFromSource(raw, EnvVar)
-		return mode, true, err
+		return mode, StorageSourceEnvVar, err
 	}
 
 	configPath := env.Get(ctx, "DATABRICKS_CONFIG_FILE")
 	raw, err := databrickscfg.GetConfiguredAuthStorage(ctx, configPath)
 	if err != nil {
-		return "", false, fmt.Errorf("read auth_storage setting: %w", err)
+		return "", StorageSourceDefault, fmt.Errorf("read auth_storage setting: %w", err)
 	}
 	if raw != "" {
 		mode, err := parseFromSource(raw, "auth_storage")
-		return mode, true, err
+		return mode, StorageSourceConfig, err
 	}
 
-	return StorageModePlaintext, false, nil
+	return StorageModePlaintext, StorageSourceDefault, nil
 }
 
 func parseFromSource(raw, source string) (StorageMode, error) {
diff --git a/libs/auth/storage/mode_test.go b/libs/auth/storage/mode_test.go
index bec3e571eb7..32ff190faf2 100644
--- a/libs/auth/storage/mode_test.go
+++ b/libs/auth/storage/mode_test.go
@@ -131,36 +131,36 @@ func TestResolveStorageMode_SkipsConfigReadWhenOverrideOrEnvSet(t *testing.T) {
 
 func TestResolveStorageModeWithSource(t *testing.T) {
 	cases := []struct {
-		name         string
-		override     StorageMode
-		envValue     string
-		configBody   string
-		wantMode     StorageMode
-		wantExplicit bool
-		wantErrSub   string
+		name       string
+		override   StorageMode
+		envValue   string
+		configBody string
+		wantMode   StorageMode
+		wantSource StorageSource
+		wantErrSub string
 	}{
 		{
-			name:         "default is not explicit",
-			wantMode:     StorageModePlaintext,
-			wantExplicit: false,
+			name:       "default",
+			wantMode:   StorageModePlaintext,
+			wantSource: StorageSourceDefault,
 		},
 		{
-			name:         "override is explicit",
-			override:     StorageModeSecure,
-			wantMode:     StorageModeSecure,
-			wantExplicit: true,
+			name:       "override",
+			override:   StorageModeSecure,
+			wantMode:   StorageModeSecure,
+			wantSource: StorageSourceOverride,
 		},
 		{
-			name:         "env is explicit",
-			envValue:     "secure",
-			wantMode:     StorageModeSecure,
-			wantExplicit: true,
+			name:       "env",
+			envValue:   "secure",
+			wantMode:   StorageModeSecure,
+			wantSource: StorageSourceEnvVar,
 		},
 		{
-			name:         "config is explicit",
-			configBody:   "[__settings__]\nauth_storage = secure\n",
-			wantMode:     StorageModeSecure,
-			wantExplicit: true,
+			name:       "config",
+			configBody: "[__settings__]\nauth_storage = secure\n",
+			wantMode:   StorageModeSecure,
+			wantSource: StorageSourceConfig,
 		},
 		{
 			name:       "invalid env is rejected",
@@ -183,7 +183,7 @@ func TestResolveStorageModeWithSource(t *testing.T) {
 			t.Setenv("DATABRICKS_CONFIG_FILE", cfgPath)
 			t.Setenv(EnvVar, tc.envValue)
 
-			mode, explicit, err := ResolveStorageModeWithSource(t.Context(), tc.override)
+			mode, source, err := ResolveStorageModeWithSource(t.Context(), tc.override)
 			if tc.wantErrSub != "" {
 				require.Error(t, err)
 				assert.Contains(t, err.Error(), tc.wantErrSub)
@@ -191,7 +191,21 @@ func TestResolveStorageModeWithSource(t *testing.T) {
 			}
 			require.NoError(t, err)
 			assert.Equal(t, tc.wantMode, mode)
-			assert.Equal(t, tc.wantExplicit, explicit)
+			assert.Equal(t, tc.wantSource, source)
 		})
 	}
 }
+
+func TestStorageSource_Explicit(t *testing.T) {
+	assert.False(t, StorageSourceDefault.Explicit())
+	assert.True(t, StorageSourceOverride.Explicit())
+	assert.True(t, StorageSourceEnvVar.Explicit())
+	assert.True(t, StorageSourceConfig.Explicit())
+}
+
+func TestStorageSource_String(t *testing.T) {
+	assert.Equal(t, "default", StorageSourceDefault.String())
+	assert.Equal(t, "--auth-storage flag", StorageSourceOverride.String())
+	assert.Equal(t, "DATABRICKS_AUTH_STORAGE environment variable", StorageSourceEnvVar.String())
+	assert.Equal(t, "auth_storage in [__settings__] section of .databrickscfg", StorageSourceConfig.String())
+}

From 1e2eb0d6ee9335932d2a32b04f890ae2b923228a Mon Sep 17 00:00:00 2001
From: simon <simon.faltum@databricks.com>
Date: Thu, 7 May 2026 19:08:34 +0200
Subject: [PATCH 2/2] auth describe: address review feedback on storage source
 labels

- Drop the "--auth-storage flag" wording from StorageSourceOverride.String():
  no CLI command currently exposes a storage-mode flag, so promising one
  in the label was misleading. Switch to a generic "command-line override".
  When a flag is added later, that PR can replace the label at the call
  site.

- For StorageSourceConfig, surface the resolved config file path
  (DATABRICKS_CONFIG_FILE or <home>/.databrickscfg) instead of hardcoding
  ".databrickscfg". Matches the SDK's existing config.Source style and
  no longer claims the wrong file when DATABRICKS_CONFIG_FILE is in use.
  Resolution stays in the describe command since that's the only caller
  that needs the user-facing path; the storage package keeps its
  resolver focused.

- New acceptance tests cover the config-source path
  (u2m-plaintext-config) and the JSON output shape (u2m-json-output).

Co-authored-by: Isaac
---
 .../describe/u2m-json-output/out.test.toml    |  3 ++
 .../auth/describe/u2m-json-output/output.txt  |  8 +++++
 .../cmd/auth/describe/u2m-json-output/script  | 16 +++++++++
 .../auth/describe/u2m-json-output/test.toml   |  3 ++
 .../u2m-plaintext-config/out.test.toml        |  3 ++
 .../describe/u2m-plaintext-config/output.txt  | 12 +++++++
 .../auth/describe/u2m-plaintext-config/script | 17 ++++++++++
 .../describe/u2m-plaintext-config/test.toml   |  3 ++
 cmd/auth/describe.go                          | 33 ++++++++++++++++++-
 cmd/auth/describe_test.go                     | 27 +++++++++++++++
 libs/auth/storage/mode.go                     | 13 ++++++--
 libs/auth/storage/mode_test.go                |  4 +--
 12 files changed, 136 insertions(+), 6 deletions(-)
 create mode 100644 acceptance/cmd/auth/describe/u2m-json-output/out.test.toml
 create mode 100644 acceptance/cmd/auth/describe/u2m-json-output/output.txt
 create mode 100644 acceptance/cmd/auth/describe/u2m-json-output/script
 create mode 100644 acceptance/cmd/auth/describe/u2m-json-output/test.toml
 create mode 100644 acceptance/cmd/auth/describe/u2m-plaintext-config/out.test.toml
 create mode 100644 acceptance/cmd/auth/describe/u2m-plaintext-config/output.txt
 create mode 100644 acceptance/cmd/auth/describe/u2m-plaintext-config/script
 create mode 100644 acceptance/cmd/auth/describe/u2m-plaintext-config/test.toml

diff --git a/acceptance/cmd/auth/describe/u2m-json-output/out.test.toml b/acceptance/cmd/auth/describe/u2m-json-output/out.test.toml
new file mode 100644
index 00000000000..f784a183258
--- /dev/null
+++ b/acceptance/cmd/auth/describe/u2m-json-output/out.test.toml
@@ -0,0 +1,3 @@
+Local = true
+Cloud = false
+EnvMatrix.DATABRICKS_BUNDLE_ENGINE = ["terraform", "direct"]
diff --git a/acceptance/cmd/auth/describe/u2m-json-output/output.txt b/acceptance/cmd/auth/describe/u2m-json-output/output.txt
new file mode 100644
index 00000000000..7e2ac070cbc
--- /dev/null
+++ b/acceptance/cmd/auth/describe/u2m-json-output/output.txt
@@ -0,0 +1,8 @@
+
+>>> [CLI] auth describe --profile u2m-profile --output json
+Warn: [hostmetadata] failed to fetch host metadata for https://u2m-profile.databricks.test, will skip for 1m0s
+{
+  "mode": "plaintext",
+  "location": "~/.databricks/token-cache.json",
+  "source": "default"
+}
diff --git a/acceptance/cmd/auth/describe/u2m-json-output/script b/acceptance/cmd/auth/describe/u2m-json-output/script
new file mode 100644
index 00000000000..668d2374496
--- /dev/null
+++ b/acceptance/cmd/auth/describe/u2m-json-output/script
@@ -0,0 +1,16 @@
+sethome "./home"
+
+unset DATABRICKS_HOST
+unset DATABRICKS_TOKEN
+unset DATABRICKS_CONFIG_PROFILE
+unset DATABRICKS_AUTH_STORAGE
+
+cat > "./home/.databrickscfg" <<ENDCFG
+[u2m-profile]
+host       = https://u2m-profile.databricks.test
+auth_type  = databricks-cli
+ENDCFG
+
+# Filter to just the new token_storage object so the assertion is focused
+# and doesn't churn when other fields evolve.
+trace $CLI auth describe --profile u2m-profile --output json | jq '.token_storage'
diff --git a/acceptance/cmd/auth/describe/u2m-json-output/test.toml b/acceptance/cmd/auth/describe/u2m-json-output/test.toml
new file mode 100644
index 00000000000..36c0e7e237b
--- /dev/null
+++ b/acceptance/cmd/auth/describe/u2m-json-output/test.toml
@@ -0,0 +1,3 @@
+Ignore = [
+    "home"
+]
diff --git a/acceptance/cmd/auth/describe/u2m-plaintext-config/out.test.toml b/acceptance/cmd/auth/describe/u2m-plaintext-config/out.test.toml
new file mode 100644
index 00000000000..f784a183258
--- /dev/null
+++ b/acceptance/cmd/auth/describe/u2m-plaintext-config/out.test.toml
@@ -0,0 +1,3 @@
+Local = true
+Cloud = false
+EnvMatrix.DATABRICKS_BUNDLE_ENGINE = ["terraform", "direct"]
diff --git a/acceptance/cmd/auth/describe/u2m-plaintext-config/output.txt b/acceptance/cmd/auth/describe/u2m-plaintext-config/output.txt
new file mode 100644
index 00000000000..37a44d830f8
--- /dev/null
+++ b/acceptance/cmd/auth/describe/u2m-plaintext-config/output.txt
@@ -0,0 +1,12 @@
+
+>>> [CLI] auth describe --profile u2m-profile
+Warn: [hostmetadata] failed to fetch host metadata for https://u2m-profile.databricks.test, will skip for 1m0s
+Unable to authenticate: error getting token: cache: token not found
+Token storage: plaintext, ~/.databricks/token-cache.json (from auth_storage in [__settings__] section of home/.databrickscfg)
+-----
+Current configuration:
+  ✓ host: https://u2m-profile.databricks.test (from ./home/.databrickscfg config file)
+  ✓ profile: u2m-profile (from --profile flag)
+  ✓ databricks_cli_path: [CLI]
+  ✓ auth_type: databricks-cli (from ./home/.databrickscfg config file)
+  ✓ rate_limit: [NUMID] (from DATABRICKS_RATE_LIMIT environment variable)
diff --git a/acceptance/cmd/auth/describe/u2m-plaintext-config/script b/acceptance/cmd/auth/describe/u2m-plaintext-config/script
new file mode 100644
index 00000000000..1cf6d3267d5
--- /dev/null
+++ b/acceptance/cmd/auth/describe/u2m-plaintext-config/script
@@ -0,0 +1,17 @@
+sethome "./home"
+
+unset DATABRICKS_HOST
+unset DATABRICKS_TOKEN
+unset DATABRICKS_CONFIG_PROFILE
+unset DATABRICKS_AUTH_STORAGE
+
+cat > "./home/.databrickscfg" <<ENDCFG
+[__settings__]
+auth_storage = plaintext
+
+[u2m-profile]
+host       = https://u2m-profile.databricks.test
+auth_type  = databricks-cli
+ENDCFG
+
+trace $CLI auth describe --profile u2m-profile
diff --git a/acceptance/cmd/auth/describe/u2m-plaintext-config/test.toml b/acceptance/cmd/auth/describe/u2m-plaintext-config/test.toml
new file mode 100644
index 00000000000..36c0e7e237b
--- /dev/null
+++ b/acceptance/cmd/auth/describe/u2m-plaintext-config/test.toml
@@ -0,0 +1,3 @@
+Ignore = [
+    "home"
+]
diff --git a/cmd/auth/describe.go b/cmd/auth/describe.go
index 88b6fd3c41b..56f10630de1 100644
--- a/cmd/auth/describe.go
+++ b/cmd/auth/describe.go
@@ -4,11 +4,13 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"path/filepath"
 
 	"github.com/databricks/cli/cmd/root"
 	"github.com/databricks/cli/libs/auth/storage"
 	"github.com/databricks/cli/libs/cmdctx"
 	"github.com/databricks/cli/libs/cmdio"
+	"github.com/databricks/cli/libs/env"
 	"github.com/databricks/cli/libs/flags"
 	"github.com/databricks/cli/libs/log"
 	"github.com/databricks/databricks-sdk-go/config"
@@ -210,7 +212,7 @@ func resolveTokenStorageInfo(ctx context.Context, authType string) *tokenStorage
 	}
 	info := &tokenStorageInfo{
 		Mode:   string(mode),
-		Source: source.String(),
+		Source: storageSourceLabel(ctx, source),
 	}
 	switch mode {
 	case storage.StorageModePlaintext:
@@ -223,6 +225,35 @@ func resolveTokenStorageInfo(ctx context.Context, authType string) *tokenStorage
 	return info
 }
 
+// storageSourceLabel returns a user-facing label for source. For
+// StorageSourceConfig, it appends the resolved config file path
+// (DATABRICKS_CONFIG_FILE or <home>/.databrickscfg) so the output matches
+// the SDK's config.Source style ("from <path> config file") rather than
+// hardcoding ".databrickscfg" when a custom path is in use.
+func storageSourceLabel(ctx context.Context, source storage.StorageSource) string {
+	if source != storage.StorageSourceConfig {
+		return source.String()
+	}
+	return "auth_storage in [__settings__] section of " + resolvedConfigPath(ctx)
+}
+
+// resolvedConfigPath returns the path the storage-mode resolver loaded from
+// for [__settings__].auth_storage: DATABRICKS_CONFIG_FILE if set, otherwise
+// <home>/.databrickscfg. Falls back to "~/.databrickscfg" only when the home
+// directory cannot be determined (rare; describe should not crash on this
+// secondary metadata path).
+func resolvedConfigPath(ctx context.Context) string {
+	if path := env.Get(ctx, "DATABRICKS_CONFIG_FILE"); path != "" {
+		return path
+	}
+	home, err := env.UserHomeDir(ctx)
+	if err != nil {
+		log.Debugf(ctx, "auth describe: resolve home dir: %v", err)
+		return "~/.databrickscfg"
+	}
+	return filepath.ToSlash(filepath.Join(home, ".databrickscfg"))
+}
+
 func getAuthDetails(cmd *cobra.Command, cfg *config.Config, showSensitive bool) config.AuthDetails {
 	var opts []config.AuthDetailsOptions
 	if showSensitive {
diff --git a/cmd/auth/describe_test.go b/cmd/auth/describe_test.go
index e202404b212..528decf1022 100644
--- a/cmd/auth/describe_test.go
+++ b/cmd/auth/describe_test.go
@@ -2,6 +2,7 @@ package auth
 
 import (
 	"errors"
+	"path/filepath"
 	"testing"
 
 	"github.com/databricks/cli/libs/auth/storage"
@@ -270,6 +271,32 @@ func TestResolveTokenStorageInfo(t *testing.T) {
 	}
 }
 
+func TestStorageSourceLabel_ConfigUsesResolvedPath(t *testing.T) {
+	ctx := t.Context()
+	t.Setenv("DATABRICKS_CONFIG_FILE", "/custom/path/.databrickscfg")
+	got := storageSourceLabel(ctx, storage.StorageSourceConfig)
+	assert.Equal(t, "auth_storage in [__settings__] section of /custom/path/.databrickscfg", got)
+}
+
+func TestStorageSourceLabel_ConfigDefaultsToHome(t *testing.T) {
+	ctx := t.Context()
+	home := t.TempDir()
+	t.Setenv("HOME", home)
+	t.Setenv("USERPROFILE", home)
+	t.Setenv("DATABRICKS_CONFIG_FILE", "")
+	got := storageSourceLabel(ctx, storage.StorageSourceConfig)
+	expected := "auth_storage in [__settings__] section of " + filepath.ToSlash(filepath.Join(home, ".databrickscfg"))
+	assert.Equal(t, expected, got)
+}
+
+func TestStorageSourceLabel_NonConfigDelegatesToSource(t *testing.T) {
+	ctx := t.Context()
+	t.Setenv("DATABRICKS_CONFIG_FILE", "/should/not/appear")
+	assert.Equal(t, "default", storageSourceLabel(ctx, storage.StorageSourceDefault))
+	assert.Equal(t, "DATABRICKS_AUTH_STORAGE environment variable", storageSourceLabel(ctx, storage.StorageSourceEnvVar))
+	assert.Equal(t, "command-line override", storageSourceLabel(ctx, storage.StorageSourceOverride))
+}
+
 func TestGetWorkspaceAuthStatus_U2M_PopulatesTokenStorage(t *testing.T) {
 	ctx := t.Context()
 	m := mocks.NewMockWorkspaceClient(t)
diff --git a/libs/auth/storage/mode.go b/libs/auth/storage/mode.go
index 5c1acca9604..6dd3c6e5dff 100644
--- a/libs/auth/storage/mode.go
+++ b/libs/auth/storage/mode.go
@@ -61,15 +61,22 @@ func (s StorageSource) Explicit() bool {
 
 // String returns a human-readable label for the source, matching the style
 // used by the SDK's config.Source.String() (e.g. "DATABRICKS_HOST environment
-// variable", "--profile flag").
+// variable").
+//
+// The label for StorageSourceConfig intentionally does not name a specific
+// config file: callers that know the resolved path (e.g. auth describe)
+// should append it themselves to match the SDK's "from <path> config file"
+// convention. The label for StorageSourceOverride is generic because no
+// CLI command currently exposes a storage-mode flag; if one is added in
+// the future, that command can replace the label at the call site.
 func (s StorageSource) String() string {
 	switch s {
 	case StorageSourceOverride:
-		return "--auth-storage flag"
+		return "command-line override"
 	case StorageSourceEnvVar:
 		return EnvVar + " environment variable"
 	case StorageSourceConfig:
-		return "auth_storage in [__settings__] section of .databrickscfg"
+		return "auth_storage in [__settings__] section of config file"
 	default:
 		return "default"
 	}
diff --git a/libs/auth/storage/mode_test.go b/libs/auth/storage/mode_test.go
index 32ff190faf2..4c6cf0e1614 100644
--- a/libs/auth/storage/mode_test.go
+++ b/libs/auth/storage/mode_test.go
@@ -205,7 +205,7 @@ func TestStorageSource_Explicit(t *testing.T) {
 
 func TestStorageSource_String(t *testing.T) {
 	assert.Equal(t, "default", StorageSourceDefault.String())
-	assert.Equal(t, "--auth-storage flag", StorageSourceOverride.String())
+	assert.Equal(t, "command-line override", StorageSourceOverride.String())
 	assert.Equal(t, "DATABRICKS_AUTH_STORAGE environment variable", StorageSourceEnvVar.String())
-	assert.Equal(t, "auth_storage in [__settings__] section of .databrickscfg", StorageSourceConfig.String())
+	assert.Equal(t, "auth_storage in [__settings__] section of config file", StorageSourceConfig.String())
 }