{"id":20697408,"url":"https://github.com/epomatti/az-appserv-sql-passwordless","last_synced_at":"2026-04-22T02:32:48.380Z","repository":{"id":198776987,"uuid":"621554749","full_name":"epomatti/az-appserv-sql-passwordless","owner":"epomatti","description":"App Service passwordless connectivity to Azure SQL Database using system-assigned managed identity.","archived":false,"fork":false,"pushed_at":"2024-07-10T18:19:08.000Z","size":67,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-12-25T13:45:49.592Z","etag":null,"topics":["aad","appservice","aspnetcore","azure","azure-ad","dotnet","dotnet-core","entra","passwordless","sqldatabase"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/epomatti.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-03-30T22:45:28.000Z","updated_at":"2024-07-10T18:19:11.000Z","dependencies_parsed_at":"2024-07-10T21:24:25.993Z","dependency_job_id":"c7cf6117-175a-48e3-815c-c70053438855","html_url":"https://github.com/epomatti/az-appserv-sql-passwordless","commit_stats":null,"previous_names":["epomatti/az-appserv-sql-passwordless"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/epomatti/az-appserv-sql-passwordless","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epomatti%2Faz-appserv-sql-passwordless","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epomatti%2Faz-appserv-sql-passwordless/tags","rele
ases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epomatti%2Faz-appserv-sql-passwordless/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epomatti%2Faz-appserv-sql-passwordless/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/epomatti","download_url":"https://codeload.github.com/epomatti/az-appserv-sql-passwordless/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epomatti%2Faz-appserv-sql-passwordless/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32118109,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-22T00:31:26.853Z","status":"online","status_checked_at":"2026-04-22T02:00:05.693Z","response_time":58,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aad","appservice","aspnetcore","azure","azure-ad","dotnet","dotnet-core","entra","passwordless","sqldatabase"],"created_at":"2024-11-17T00:17:54.170Z","updated_at":"2026-04-22T02:32:48.361Z","avatar_url":"https://github.com/epomatti.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# App Services passwordless SQL Database connection\n\nApp Service passwordless authentication to Azure SQL Database with Microsoft Entra authentication.\n\n## Infrastructure\n\nCopy the `.auto.tfvars` template file:\n\n```sh\ncp infra/config/template.tfvars 
infra/.auto.tfvars\n```\n\nCreate the VM SSH keys:\n\n```sh\nmkdir infra/keys\nssh-keygen -f infra/keys/temp_key\nchmod 600 infra/keys/temp_key\n```\n\nCreate the infrastructure:\n\n```sh\nterraform -chdir=\"infra\" init\nterraform -chdir=\"infra\" apply -auto-approve\n```\n\n\u003e [!NOTE]\n\u003e App Service health checks will show as unhealthy until the app is deployed, as the health check path is configured to be at `/healthz`.\n\n## Permissions: App Service\n\nWhen using a **System-Assigned** managed identity, the configuration uses the App Service **name** as the login.\n\n### SQL Server\n\nCreate the login from an external provider:\n\n```sql\nUSE master\nCREATE LOGIN [app-contoso-8hkgb] FROM EXTERNAL PROVIDER\nGO\n```\n\nCheck the server login:\n\n```sql\nSELECT name, type_desc, type, is_disabled\nFROM sys.server_principals\nWHERE type_desc like 'external%'\n```\n\n### SQL Database\n\nCreate the database user associated with the external login:\n\n```sql\nCREATE USER [app-contoso-8hkgb] FROM LOGIN [app-contoso-8hkgb]\nGO\n```\n\nCheck the database user:\n\n```sql\nSELECT name, type_desc, type\nFROM sys.database_principals\nWHERE type_desc like 'external%'\n```\n\nAdd the necessary permissions to the user:\n\n```sql\nALTER ROLE db_datareader ADD MEMBER [app-contoso-8hkgb];\nALTER ROLE db_datawriter ADD MEMBER [app-contoso-8hkgb];\nALTER ROLE db_ddladmin ADD MEMBER [app-contoso-8hkgb];\nGO\n```\n\n## Deploy the application\n\nEnter the application directory, then build and deploy the application:\n\n```sh\nbash build.sh\naz webapp deploy -g rg-contoso-8hkgb -n app-contoso-8hkgb --type zip --src-path ./bin/webapi.zip\n```\n\nOnce deployed, test the database connectivity:\n\n```sh\ncurl \u003cappservice\u003e/api/icecream\n```\n\n## Virtual Machine + Docker\n\n\u003e [!NOTE]\n\u003e Steps for this configuration are detailed in [this][5] article. 
SQL Server authentication with a [service principal][6] is used.\n\nTo create the Virtual Machine, change the control variable and `apply`.\n\n```terraform\nenable_virtual_machine = true\n```\n\n\u003e [!IMPORTANT]\n\u003e Repeat the steps below for the service principal (the same steps as in the App Services section) to authorize the service principal to authenticate to the database.\n\n```sql\n-- master\nCREATE LOGIN [docker-containers] FROM EXTERNAL PROVIDER\n-- database\nCREATE USER [docker-containers] FROM LOGIN [docker-containers]\nALTER ROLE db_datareader ADD MEMBER [docker-containers];\nALTER ROLE db_datawriter ADD MEMBER [docker-containers];\nALTER ROLE db_ddladmin ADD MEMBER [docker-containers];\n```\n\nCheck that Docker and the Azure CLI were installed successfully.\n\nBuild and push the application to the container registry:\n\n```sh\nexport acr=\"crcontosojqanh\"\n```\n\nLog in to ACR using the Virtual Machine [identity][3]:\n\n\u003e [!TIP]\n\u003e Make sure to add `sudo` to the login, or other ACR commands will fail as described [here][4].\n\n```sh\nsudo az login --identity\nsudo az acr login --name crcontosojqanh\n```\n\nRun the container to make sure the Docker engine and the ACR pull are working:\n\n```sh\nsudo docker pull crcontosojqanh.azurecr.io/icecream:latest\nsudo docker run -p 8080:8080 crcontosojqanh.azurecr.io/icecream:latest\n```\n\nCreate a directory for the connectivity configuration:\n\n```sh\nmkdir /tmp/icecream-webapi\n```\n\nCopy the configuration from Key Vault:\n\n```sh\naz keyvault secret show -n docker-container-config --vault-name kv-contoso-jqanh --query \"value\" --output tsv\n```\n\nSave it locally:\n\n```sh\nnano /tmp/icecream-webapi/config.json\n```\n\nRun the container:\n\n```sh\n# Run from the configuration directory\nsudo docker run -p 8080:8080 -v \"$(pwd):/app\" -e CONFIG_FILE=/app/config.json crcontosojqanh.azurecr.io/icecream:latest\n```\n\nIf necessary, here's a command to create/reset secrets:\n\n```sh\n# Identifier uri, application id, or object 
id\naz ad app credential reset --id 00000000-0000-0000-0000-000000000000 --append\n```\n\n## Database-level roles\n\nWhen creating database users, SQL offers native [database-level roles][1]. The commands below are based on [this][2] article.\n\nRun this from the `master` database:\n\n```sql\n-- create SQL login in master database\nCREATE LOGIN [USERNAME]\nWITH PASSWORD = '*****';\n```\n\nNow, from the application database:\n\n```sql\n-- add database user for login [USERNAME]\nCREATE USER [USERNAME]\nFROM LOGIN [USERNAME]\nWITH DEFAULT_SCHEMA=dbo;\n```\n\nAssign roles:\n\n```sql\n-- add user to database role(s)\nALTER ROLE db_ddladmin ADD MEMBER [USERNAME];\nALTER ROLE db_datawriter ADD MEMBER [USERNAME];\nALTER ROLE db_datareader ADD MEMBER [USERNAME];\n```\n\nThe user is ready. The database name must be specified when authenticating.\n\n\n## Clean-up\n\nDelete the Azure resources:\n\n```sh\nterraform destroy -auto-approve\n```\n\n## Reference\n\n- [Create and utilize Microsoft Entra server logins](https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-azure-ad-logins-tutorial?view=azuresql)\n- [Connect to Azure databases from App Service without secrets using a managed identity](https://learn.microsoft.com/en-us/azure/app-service/tutorial-connect-msi-azure-database?tabs=sqldatabase%2Csystemassigned%2Cnetfx%2Cwindowsclient)\n- [Setup a Microsoft Azure SQL Database Service Principal](https://querysurge.zendesk.com/hc/en-us/articles/5068382921869-Setup-a-Microsoft-Azure-SQL-Database-Service-Principal-Versions-9-0)\n\n[1]: https://learn.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles\n[2]: https://www.sqlnethub.com/blog/creating-azure-sql-database-logins-and-users/\n[3]: https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli-managed-identity\n[4]: https://github.com/Azure/acr/issues/367#issuecomment-614232197\n[5]: 
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication-managed-identity?tabs=azure-cli\n[6]: https://learn.microsoft.com/en-us/sql/connect/ado-net/sql/azure-active-directory-authentication?view=sql-server-ver16#using-service-principal-authentication\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fepomatti%2Faz-appserv-sql-passwordless","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fepomatti%2Faz-appserv-sql-passwordless","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fepomatti%2Faz-appserv-sql-passwordless/lists"}