Authorizing Managed Service Identity in Azure SQL Database · Jos van der Til

When trying to deploy a simple web application and Azure SQL database through Azure DevOps pipelines, I wanted to use a system managed application identity to authorize the web application to access the database. This requires running something like the following SQL script on the Azure SQL database.

CREATE USER [<identity-name>] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [<identity-name>];
ALTER ROLE db_datawriter ADD MEMBER [<identity-name>];
ALTER ROLE db_ddladmin ADD MEMBER [<identity-name>];

I was having a lot of trouble getting the Azure SqlCmd task to work, while the error(s) it was showing was not helpful at all. For example:

Failed to reach SQL server <server-address>,1433. One or more errors occurred.
Error Message : System.Management.Automation.ActionPreferenceStopException: The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: One or more errors occurred.
   at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception)
   at System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
Message To Parse: System.Management.Automation.ActionPreferenceStopException: The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: One or more errors occurred.
   at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception)
   at System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)

Apparently ‘One or more errors occurred’ is the best it could show me most of the time. So, I created a small tool (available on GitHub) that would authorize the identity for me.

Running from Azure DevOps

Since the database is protected by a firewall, I have to add the Azure DevOps agent IP address to the firewall rules temporarily. The easiest way I could think of was running a PowerShell script to set a variable.

$clientIp = (curl https://icanhazip.com).Content

Write-Host "##vso[task.setvariable variable=Agent.IpAddress;]$clientIp"
Write-Host Agent IP: $clientIp

Followed by an Azure CLI command step that will create the firewall rule.

az sql server firewall-rule create --start-ip-address $(Agent.IpAddress) `
                                   --end-ip-address $(Agent.IpAddress) `
                                   --server $(SqlServerName) `
                                   --resource-group $(ResourceGroupName) `
                                   --name $(SqlServerFirewallRuleName)

Then I can run my authorization tool to get the database set up.

.\AzureSqlAppIdentityAuthTool.exe --connection-string "$(SqlServerInstallConnectionString)" `
                                  --identity $(AppServerAppName) `
                                  --no-ddladmin

I do not want to allow the agent IP address forever, so I added an Azure CLI step to clean it up after I am done.

az sql server firewall-rule delete --name $(SqlServerFirewallRuleName) `
                                   --resource-group $(ResourceGroupName) `
                                   --server $(SqlServerName)

This is set to run ‘Even if a previous task has failed, even if the deployment was canceled’ so that it should always run.

To check the permissions for the identity you can use the following query:

SELECT [member].[name] AS username, 
       [role].[name] AS rolename
  FROM [sys].[database_role_members]
       JOIN [sys].[database_principals] [role] 
       ON [role_principal_id] = [role].principal_id

       JOIN [sys].[database_principals] [member] 
       ON [member_principal_id] = [member].principal_id

 WHERE [member].[name] = '<identity name>'

I hope this saves someone from going through the SqlCmd pain I went through before giving up and writing something myself.

Comments

1 responses

Nico
11 November 2020
Hi,
I stumbled upon your article while searching how the hell we should create a user in an Azure SQL database via DevOps. As none of the options seem to work. ‘Authenticate’ property unsupported in powershell 5 and up. Integrated security uses agent identity instead of service connection and a sql user just isn’t allowed to run the ‘from external provider’ I see you use an EXE for this. Is this EXE part of your build and you run it from the azure agent if I read it correctly?

Jos van der Til
11 November 2020
Hi Nico,
You understand correctly, I am running the EXE from the Azure DevOps agent. Unfortunately, I don’t think it is possible to use the service connection as an authentication mechanism towards Azure SQL. I believe I researched that a little bit, but it breaks down when trying to access the AzureSQL itself. Have you checked out the GitHub repository I linked in the post: https://github.com/jvandertil/AzureSqlAppIdentityAuthTool ? There is a README in the repository that might shed some light on how it actually works, plus it includes the source code for the EXE I mention in the post.
I hope this helps you out, if not feel free to reach out again.

Nico
12 November 2020
Well, we are running into an issue on adding the firewall rule which seems to fail. The code above is always giving (missing parameter –end-ip-address), so we refactored it to the new way to do so, using Invoke-WebRequest to get the IP, but this one is giving the ‘run az login’ error we are still looking into However for the next step, I would assume that instead of using the EXE, we could just as well do it in powershell v4, using the System.Data.SqlClient in powershell

Jos van der Til
12 November 2020
It sounds like you are running the retrieving of the IP address and adding the firewall rule in 1 step. As it is presented here you will have to use 2 steps, or adjust the code to use a PowerShell variable instead of a Azure DevOps variable (slightly different syntax).
Since you are getting errors indicating that ‘az’ is not logged in, it sounds like you are running the az command in something else than a Azure CLI step (see the Microsoft Docs for more). Make sure that you use the Azure CLI step, then Azure DevOps will use the service connection to log you in to Azure, and then the ‘az’ command will work.
I’ll see if I can find some time to add an example Azure DevOps pipeline, either here or in the repository.

Nico
13 November 2020
Hi Jos,
You were correct. We now added the firewall rule and this works, but when executing the query and opening the connection string, we can’t get connected because of System.Management.Automation.MethodInvocationException: Exception calling “Open” with “0” argument(s): “One or more errors occurred.” —> System.AggregateException: One or more errors occurred. —> System.AggregateException: One or more errors occurred. —> AdalException: Could not discover a user realm.
We tried adding a new user via on-premise AD that syncs to AAD, an account created in AAD, and with the sql admin account that is being created when setting up the sql server through ARM templates. Seems everyone struggles with this stuff