Azure / azure-sdk-for-java

This repository is for active development of the Azure SDK for Java. For consumers of the SDK we recommend visiting our public developer docs at https://docs.microsoft.com/java/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-java.
MIT License

[FEATURE REQ] Support Workload Identity Auth for Azure Postgresql #39540

Open mschmidt291 opened 8 months ago

mschmidt291 commented 8 months ago

Is your feature request related to a problem? Please describe. The azure-identity-extension library currently does not support the usage of Workload Identity and only supports Managed Identity.

Describe the solution you'd like Azure Workload Identity should be implemented into azure-identity-extensions. It is already implemented for the normal azure-identity which is a dependency of azure-identity-extensions.

Describe alternatives you've considered The only alternative feasible for us would be the usage of certificates, but we would like the workload identity to work.

Information Checklist: Kindly make sure that you have added all the following information above and checked off the required fields; otherwise we will treat the issue as an incomplete report.

github-actions[bot] commented 8 months ago

@billwert @g2vinay

github-actions[bot] commented 8 months ago

Thank you for your feedback. Tagging and routing to the team member best able to assist.

billwert commented 7 months ago

Hello @mschmidt291

Thanks for the report! We'll take a look at this and get back to you soon.

mschmidt291 commented 7 months ago

> Hello @mschmidt291
>
> Thanks for the report! We'll take a look at this and get back to you soon.

Thanks for the speedy response. Let me know if you need additional Input from me or more specific details.

joshfree commented 7 months ago

Tagging as 'Discuss in Office Hours' /cc @scottaddie @christothes

mschmidt291 commented 7 months ago

@joshfree @scottaddie @christothes Any updates here ?

billwert commented 6 months ago

Hello @mschmidt291! Apologies for the delay.

We need to do some further investigation of this feature request. We're going to do so over the next few months. This is not something we're going to get to and ship quickly. We appreciate the suggestion and will see what we can do!

pdefreitas commented 2 months ago

azure-identity-extension version 1.1.19 is still impacted by this.

Use case: using azure-identity-extension in an AKS environment with Microsoft Entra Workload ID to connect Java applications to oss-rdbms such as PSQL and MySQL.

Edit:

The funny part is that spring-cloud-azure-starter-jdbc-postgresql works just fine with a Workload identity. However that is problematic for non-Spring workloads.

billwert commented 1 month ago

Hi folks,

Can you try authenticating in your environment with DefaultAzureCredential as outlined here?

DAC contains WorkloadIdentityCredential, so I would expect it to work. I'd love to know if you've tried this, and how it failed if it does.

If this does work for you I will make sure we update the documentation for this to be clearer about what DAC is doing for you in this case.

github-actions[bot] commented 1 month ago

Hi @mschmidt291. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

mschmidt291 commented 1 month ago

Hi folks,

> Can you try authenticating in your environment with DefaultAzureCredential as outlined here?
>
> DAC contains WorkloadIdentityCredential, so I would expect it to work. I'd love to know if you've tried this, and how it failed if it does.
>
> If this does work for you I will make sure we update the documentation for this to be clearer about what DAC is doing for you in this case.

Thanks for the hint Bill. I forwarded the request to our development team and will provide feedback here once I got an update.

MedAnd commented 1 week ago

Hi @billwert,

Any update on this issue? Our engineers are also experiencing problems attempting to connect Java microservices to PostgreSQL Flexible Server with your JDBC plugin, running under an AKS Service Account, Federated with a Managed Identity.

Wanted to confirm our scenario is or isn't supported for Azure PostgreSQL Flexible Server?

PS. The documentation does not mention this anywhere as a limitation.

pdefreitas commented 1 week ago

@MedAnd we have the same setup and that scenario works fine with DefaultCredentials, but note that #39393 may impact your setup. Example above: https://github.com/Azure/azure-sdk-for-java/issues/39540#issuecomment-2398097608

MedAnd commented 1 week ago

Hi @pdefreitas - just to confirm I understand, when using MS Entra Workload ID with an AKS Service Account, which is Federated to a User Assigned Identity, we need to configure our Java / JDBC properties as per Authenticating with DefaultAzureCredential?

billwert commented 1 week ago

Thanks for confirming the scenario works with DefaultAzureCredential, @pdefreitas. @mschmidt291 were you able to confirm if it fixes it for you?

@MedAnd Yes, I believe that should work. Using DefaultAzureCredential will land on WorkloadIdentityCredential in a properly configured environment.

github-actions[bot] commented 1 week ago

Hi @mschmidt291. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.

MedAnd commented 1 week ago

Hi @billwert - we are still having an issue and are following Authenticating with DefaultAzureCredential.

Are you able to confirm a Java properties file is supported with DefaultAzureCredential?

Can you provide an example of the following in Java properties file equivalent, specifically what should be used as the value of YOUR_POSTGRESQL_USERNAME?

billwert commented 1 week ago

@MedAnd

Is it possible to collect some logs? Please enable logging as described here.

This will show us what credential type is being attempted and what might have gone wrong with it.
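The following is an added example, not code from the azure-sdk-for-java repository or from any participant in this thread. It puts billwert's suggestion (let DefaultAzureCredential select WorkloadIdentityCredential) and MedAnd's question (driving the plugin from a Java properties file) into one runnable pre-flight check: it first verifies that the environment variables the Azure Workload Identity webhook injects into the pod are present, then acquires a database token through DefaultAzureCredential directly, and only then opens the JDBC connection through the azure-identity-extensions plugin with the same properties the README's DefaultAzureCredential section uses. Assumptions: azure-identity, azure-identity-extensions and the PostgreSQL JDBC driver are on the classpath; the server, database and `jdbcUrl` property key are placeholders; and `user` is the name under which the federated identity was registered as a database principal, which this thread leaves unanswered.

```java
// Added example (not from the azure-sdk-for-java repository or this thread).
// Pre-flight check for: AKS pod -> service account federated to a user-assigned
// managed identity -> Azure Database for PostgreSQL Flexible Server, via the
// azure-identity-extensions JDBC plugin with DefaultAzureCredential.
// Assumed classpath: com.azure:azure-identity, com.azure:azure-identity-extensions,
// org.postgresql:postgresql.
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.List;
import java.util.Properties;

public class WorkloadIdentityPostgresCheck {

    // Token audience used for Microsoft Entra authentication to Azure Database for PostgreSQL/MySQL.
    static final String OSS_RDBMS_SCOPE = "https://ossrdbms-aad.database.windows.net/.default";

    // Variables the Azure Workload Identity webhook injects into a labelled pod.
    // WorkloadIdentityCredential (and therefore DefaultAzureCredential) reads these;
    // if any is missing, DefaultAzureCredential cannot land on WorkloadIdentityCredential.
    static final List<String> WORKLOAD_IDENTITY_VARS = List.of(
        "AZURE_CLIENT_ID", "AZURE_TENANT_ID", "AZURE_FEDERATED_TOKEN_FILE", "AZURE_AUTHORITY_HOST");

    /** Names of the workload identity variables absent or blank in this process's environment. */
    static List<String> missingWorkloadIdentityVars() {
        return WORKLOAD_IDENTITY_VARS.stream()
            .filter(name -> System.getenv(name) == null || System.getenv(name).isBlank())
            .toList();
    }

    /** Step 1: prove the credential chain works before JDBC is involved at all. */
    static AccessToken acquireDatabaseToken() {
        DefaultAzureCredential credential = new DefaultAzureCredentialBuilder().build();
        TokenRequestContext ctx = new TokenRequestContext().addScopes(OSS_RDBMS_SCOPE);
        return credential.getToken(ctx).block(); // one-off diagnostic, blocking is acceptable here
    }

    /** Step 2: connect with properties loaded from a .properties file (placeholder content below):
     *    jdbcUrl=jdbc:postgresql://YOUR_SERVER.postgres.database.azure.com:5432/YOUR_DATABASE
     *    user=YOUR_POSTGRESQL_USERNAME
     *  "jdbcUrl" is this example's own key, not a driver property, so it is removed before connecting. */
    static Connection connect(Path propertiesFile) throws IOException, SQLException {
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(propertiesFile)) {
            props.load(in);
        }
        // No azure.managedIdentityEnabled, client secret or certificate properties are set, so the
        // plugin's default credential provider uses DefaultAzureCredential (README, "Authenticating
        // with DefaultAzureCredential"), which contains WorkloadIdentityCredential.
        props.putIfAbsent("authenticationPluginClassName",
            "com.azure.identity.extensions.jdbc.postgresql.AzurePostgresqlAuthenticationPlugin");
        props.putIfAbsent("sslmode", "require");
        String url = props.getProperty("jdbcUrl");
        props.remove("jdbcUrl");
        return DriverManager.getConnection(url, props);
    }

    public static void main(String[] args) throws Exception {
        List<String> missing = missingWorkloadIdentityVars();
        if (!missing.isEmpty()) {
            System.err.println("Workload identity not injected into this pod; missing: " + missing
                + ". Check the pod label azure.workload.identity/use and the service account's "
                + "azure.workload.identity/client-id annotation before blaming the JDBC plugin.");
            System.exit(2);
        }
        AccessToken token = acquireDatabaseToken();
        System.out.println("Token acquired for " + OSS_RDBMS_SCOPE + ", expires " + token.getExpiresAt());

        Path propsFile = Path.of(args.length > 0 ? args[0] : "postgres.properties");
        try (Connection conn = connect(propsFile);
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SELECT current_user")) {
            rs.next();
            System.out.println("Connected to PostgreSQL as " + rs.getString(1));
        }
    }
}
```

Running the check inside the affected pod separates the two failure modes that this thread mixes together: if the environment variables are missing or the direct token request fails, the problem is the workload identity setup rather than the plugin; if the token is acquired but the JDBC step fails, the remaining suspects are the `user` value and the server-side principal registration, which is exactly where the azure-identity logging billwert asks for tells you which credential in the chain was actually used.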

github-actions[bot] commented 1 day ago

Hi @mschmidt291, since you haven’t asked that we /unresolve the issue, we’ll close this out. If you believe further discussion is needed, please add a comment /unresolve to reopen the issue.

mschmidt291 commented 1 day ago

/unresolve

mschmidt291 commented 1 day ago

> Thanks for confirming the scenario works with DefaultAzureCredential, @pdefreitas. @mschmidt291 were you able to confirm if it fixes it for you?
>
> @MedAnd Yes, I believe that should work. Using DefaultAzureCredential will land on WorkloadIdentityCredential in a properly configured environment.

I was not able to confirm this yet unfortunately. But due to #39393 it seems like it is still not usable for production.