https://github.com/epomatti/az-appserv-sql-passwordless

App Service passwordless connectivity to Azure SQL Database using system-assigned managed identity.
https://github.com/epomatti/az-appserv-sql-passwordless

aad appservice aspnetcore azure azure-ad dotnet dotnet-core entra passwordless sqldatabase

Last synced: about 2 months ago
JSON representation

App Service passwordless connectivity to Azure SQL Database using system-assigned managed identity.

• Host: GitHub
• URL: https://github.com/epomatti/az-appserv-sql-passwordless
• Owner: epomatti
• License: mit
• Created: 2023-03-30T22:45:28.000Z (about 2 years ago)
• Default Branch: main
• Last Pushed: 2024-07-10T18:19:08.000Z (10 months ago)
• Last Synced: 2025-01-17T18:34:38.197Z (3 months ago)
• Topics: aad, appservice, aspnetcore, azure, azure-ad, dotnet, dotnet-core, entra, passwordless, sqldatabase
• Language: HCL
• Homepage:
• Size: 65.4 KB
• Stars: 0
• Watchers: 2
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# App Services passwordless SQL Database connection

App Service passwordless authentication to Azure SQL Database with Microsoft Entra authentication.

## Infrastructure

Copy the `.auto.tfvars` template file:

```sh

cp infra/config/template.tfvars infra/.auto.tfvars

```

Create the VM SSH keys:

```sh

mkdir infra/keys

ssh-keygen -f infra/keys/temp_key

chmod 600 infra/keys/temp_key

```

Create the infrastructure:

```sh

terraform -chdir="infra" init

terraform -chdir="infra" apply -auto-approve

```

> [!NOTE]

> App Service health checks will show as unhealthy until the app is deployed, as the health check path is configured to be at `/healthz`.

## Permissions: App Service

Whe using **System-Assigned** managed identity, the configuration uses the App Service **name** as login.

### SQL Server

Create the login from an external provider:

```sql

USE master

CREATE LOGIN [app-contoso-8hkgb] FROM EXTERNAL PROVIDER

GO

```

Check the server login:

```sql

SELECT name, type_desc, type, is_disabled 

FROM sys.server_principals

WHERE type_desc like 'external%'  

```

### SQL Database

Create the database user associated with the external login:

```sql

CREATE USER [app-contoso-8hkgb] FROM LOGIN [app-contoso-8hkgb]

GO

```

Check the database user:

```sql

SELECT name, type_desc, type 

FROM sys.database_principals 

WHERE type_desc like 'external%'

```

Add the necessary permissions to the user:

```sql

ALTER ROLE db_datareader ADD MEMBER [app-contoso-8hkgb];

ALTER ROLE db_datawriter ADD MEMBER [app-contoso-8hkgb];

ALTER ROLE db_ddladmin ADD MEMBER [app-contoso-8hkgb];

GO

```

## Deploy the application

Enter the application directory, then build and deploy the application:

```sh

bash build.sh

az webapp deploy -g rg-contoso-8hkgb -n app-contoso-8hkgb --type zip --src-path ./bin/webapi.zip

```

Once deployed, test the database connectivity:

```sh

curl /api/icecream

```

## Virtual Machine + Docker

> [!NOTE]

> Steps for this configuration are detailed in [this][5] article. SQL Server authentication with [service principle][6] is used.

To create the Virtual Machine, change the control variable and `apply`.

```terraform

enable_virtual_machine = true

```

> [!IMPORTANT]

> Repeat the steps below for the service principal. Steps also detailed in the App Services section to authorized the service principal authentication to the database.

```sql

-- master

CREATE LOGIN [docker-containers] FROM EXTERNAL PROVIDER

-- database

CREATE USER [docker-containers] FROM LOGIN [docker-containers]

ALTER ROLE db_datareader ADD MEMBER [docker-containers];

ALTER ROLE db_datawriter ADD MEMBER [docker-containers];

ALTER ROLE db_ddladmin ADD MEMBER [docker-containers];

```

Check if Docker and the Azure CLI installation was successful.

Build and push the application to the container registry:

```sh

export acr="crcontosojqanh"

```

Login to ACR using the Virtual Machine [identity][3]:

> [!TIP]

> Make sure to add `sudo` to the login or other ACR commands will fail like in [here][4].

```sh

sudo az login --identity

sudo az acr login --name crcontosojqanh

```

Run the container to make sure the Docker engine and ACR pull are working

```sh

sudo docker pull crcontosojqanh.azurecr.io/icecream:latest

sudo docker run -p 8080:8080 crcontosojqanh.azurecr.io/icecream:latest

```

Get the connectivity configuration:

```sh

mkdir /tmp/icecream-webapi

```

Copy the configuration from Key Vault:

```sh

az keyvault secret show -n docker-container-config --vault-name kv-contoso-jqanh --query "value" --output tsv

```

Save it locally:

```sh

nano /tmp/icecream-webapi/config.json

```

Run the container:

```sh

# Run from the configuration directory

sudo docker run -p 8080:8080 -v "$(pwd):/app" -e CONFIG_FILE=/app/config.json crcontosojqanh.azurecr.io/icecream:latest

```

If necessary, here's a command to create/reset secrets:

```sh

# Identifier uri, application id, or object id

az ad app credential reset --id 00000000-0000-0000-0000-000000000000 --append

```

## Database-level roles

When creating database users, SQL offers native [database-level roles][1]. Commands below are based off of [this][2] article.

Run it from the `master` database:

```sql

-- create SQL login in master database

CREATE LOGIN [USERNAME]

WITH PASSWORD = '*****';

```

Now, from the application database:

```sql

-- add database user for login [USERNAME]

CREATE USER [USERNAME]

FROM LOGIN [USERNAME]

WITH DEFAULT_SCHEMA=dbo;

```

Assign roles:

```sql

-- add user to database role(s)

ALTER ROLE db_ddladmin ADD MEMBER [USERNAME];

ALTER ROLE db_datawriter ADD MEMBER [USERNAME];

ALTER ROLE db_datareader ADD MEMBER [USERNAME];

```

User is ready. It is necessary to inform the database name during authentication.

## Clean-up

Delete the Azure resources:

```sh

terraform destroy -auto-approve

```

## Reference

- [Create and utilize Microsoft Entra server logins](https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-azure-ad-logins-tutorial?view=azuresql)

- [Connect to Azure databases from App Service without secrets using a managed identity](https://learn.microsoft.com/en-us/azure/app-service/tutorial-connect-msi-azure-database?tabs=sqldatabase%2Csystemassigned%2Cnetfx%2Cwindowsclient)

- [Setup a Microsoft Azure SQL Database Service Principal](https://querysurge.zendesk.com/hc/en-us/articles/5068382921869-Setup-a-Microsoft-Azure-SQL-Database-Service-Principal-Versions-9-0)

[1]: https://learn.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles

[2]: https://www.sqlnethub.com/blog/creating-azure-sql-database-logins-and-users/

[3]: https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli-managed-identity

[4]: https://github.com/Azure/acr/issues/367#issuecomment-614232197

[5]: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication-managed-identity?tabs=azure-cli

[6]: https://learn.microsoft.com/en-us/sql/connect/ado-net/sql/azure-active-directory-authentication?view=sql-server-ver16#using-service-principal-authentication