Azure / data-api-builder

Data API builder provides modern REST and GraphQL endpoints to your Azure Databases and on-prem stores.
https://aka.ms/dab/docs
MIT License
787 stars, 142 forks

PostgreSQL database connection with Workload Identity in an AKS deployment #2271

Open svanmieghem opened 1 week ago

svanmieghem commented 1 week ago

What happened?

I am able to deploy the DAB container in an AKS cluster and mount the config file, which is loaded. Our preferred policy is to use a workload identity to authenticate with the PostgreSQL Flexible Server database.

The connection string is supplied via an environment variable referenced in dab-config.json. The client id gets replaced at deploy time via Helm:

"Host=psqlf-demo....postgres.database.azure.com;Port=5432;Database=demo;SSL Mode=Require;User Id={{.Value.serviceAccount.clientId}}"

Part of the config file:

```json
"$schema": "https://github.com/Azure/data-api-builder/releases/download/v1.1.7/dab.draft.schema.json",
"data-source": {
  "database-type": "postgresql",
  "connection-string": "@env('DATABASE_CONNECTION')"
},
"runtime": {
  "host": {
    "mode": "development"
  }
```

According to the source code, an Azure identity is assumed when the connection string does not contain a password. Startup fails with a 28P01: password authentication failed for

I might be missing the option to explicitly inform DAB to use Azure authentication instead of regular username/password authentication.

Version

1.1.7

What database are you using?

PostgreSQL

What hosting model are you using?

Custom Docker host

Which API approach are you accessing DAB through?

REST, GraphQL

Relevant log output

info: Azure.DataApiBuilder.Core.Services.ISqlMetadataProvider[0]
      [monsters] REST path: /api/monsters
fail: Azure.DataApiBuilder.Service.Startup[0]
      Unable to complete runtime initialization. Refer to exception for error details.
      Azure.DataApiBuilder.Service.Exceptions.DataApiBuilderException: Cannot obtain Schema for entity monsters with underlying database object source: monsters.monsters due to: 28P01: password authentication failed for user "b8c2bf96-..."
         at Azure.DataApiBuilder.Core.Services.SqlMetadataProvider`3.HandleOrRecordException(Exception e) in /_/src/Core/Services/MetadataProviders/SqlMetadataProvider.cs:line 100
         at Azure.DataApiBuilder.Core.Services.SqlMetadataProvider`3.PopulateObjectDefinitionForEntity(String entityName, Entity entity) in /_/src/Core/Services/MetadataProviders/SqlMetadataProvider.cs:line 1116
         at Azure.DataApiBuilder.Core.Services.SqlMetadataProvider`3.PopulateObjectDefinitionForEntities() in /_/src/Core/Services/MetadataProviders/SqlMetadataProvider.cs:line 1054
         at Azure.DataApiBuilder.Core.Services.SqlMetadataProvider`3.InitializeAsync() in /_/src/Core/Services/MetadataProviders/SqlMetadataProvider.cs:line 289
         at Azure.DataApiBuilder.Core.Services.MetadataProviders.MetadataProviderFactory.InitializeAsync() in /_/src/Core/Services/MetadataProviders/MetadataProviderFactory.cs:line 65
         at Azure.DataApiBuilder.Service.Startup.PerformOnConfigChangeAsync(IApplicationBuilder app) in /_/src/Service/Startup.cs:line 613
fail: Azure.DataApiBuilder.Service.Startup[0]
      Could not initialize the engine with the runtime config file: dab-config.json


seantleonard commented 1 week ago

DAB only supports System Assigned managed identities at this time. There is an issue #1944 which tracks user assigned managed identities, which utilize clientID, which also seems to apply to WIF (workload identity). That's on the backlog.
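Added example in Python, written for this page and not code from DAB, the reporter or the maintainer. It carries through the convention both posts rely on: a connection string with no password selects Entra ID authentication, an access token for the PostgreSQL scope is then supplied in the password field, and a workload identity is recognisable inside the pod by the AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE variables the AKS workload identity webhook injects. Everything below runs offline with a stand-in token provider; `azure_token_fetcher` assumes the azure-identity package is installed and is the only part that talks to Azure. The host name, client id and token values in the checks are constructed placeholders, not values from the issue.

```python
"""Passwordless connection strings, workload identity detection and token-as-password
for Azure Database for PostgreSQL (added example; assumes nothing about DAB internals)."""
import os
from typing import Callable, Dict, Mapping, Optional

# Scope for an Entra ID access token accepted by Azure Database for PostgreSQL.
POSTGRES_AAD_SCOPE = "https://ossrdbms-aad.database.windows.net/.default"

# Variables the AKS workload identity webhook injects into a pod whose service
# account carries the azure.workload.identity/client-id annotation.
WORKLOAD_IDENTITY_VARS = ("AZURE_CLIENT_ID", "AZURE_TENANT_ID", "AZURE_FEDERATED_TOKEN_FILE")


def parse_connection_string(conn: str) -> Dict[str, str]:
    """Split an Npgsql-style 'Key=Value;Key=Value' string into a dict.

    Keys are lower-cased because Npgsql matches keywords case-insensitively.
    """
    pairs: Dict[str, str] = {}
    for segment in conn.split(";"):
        segment = segment.strip()
        if not segment:
            continue
        key, sep, value = segment.partition("=")
        if not sep:
            raise ValueError(f"malformed connection-string segment: {segment!r}")
        pairs[key.strip().lower()] = value.strip()
    return pairs


def has_password(conn: str) -> bool:
    """True when the string carries a password (Npgsql accepts 'Password' or 'PWD')."""
    pairs = parse_connection_string(conn)
    return "password" in pairs or "pwd" in pairs


def workload_identity(env: Mapping[str, str]) -> Optional[Dict[str, str]]:
    """Return the injected workload identity settings, or None if any is missing."""
    if all(env.get(name) for name in WORKLOAD_IDENTITY_VARS):
        return {name: env[name] for name in WORKLOAD_IDENTITY_VARS}
    return None


def classify_auth(conn: str, env: Mapping[str, str]) -> str:
    """Which path a 'no password means Entra ID' rule will take for this pod.

    'entra-without-client-id' is the case the maintainer describes: no password and
    no client id to pick up, so only a system-assigned managed identity can work.
    """
    if has_password(conn):
        return "password"
    if workload_identity(env) is not None:
        return "workload-identity"
    return "entra-without-client-id"


def build_authenticated_connection_string(conn: str, fetch_token: Callable[[str], str]) -> str:
    """Return conn unchanged if it has a password; otherwise append an access token.

    Azure Database for PostgreSQL accepts an Entra ID access token in the password
    field, so the token obtained for POSTGRES_AAD_SCOPE is appended as
    'Password=<token>'. 'User Id' is left exactly as configured: it must name the
    Entra principal registered on the server, which this function cannot know.
    """
    if has_password(conn):
        return conn
    token = fetch_token(POSTGRES_AAD_SCOPE)
    if not token:
        raise RuntimeError("token provider returned an empty access token")
    return conn.rstrip(";") + f";Password={token}"


def azure_token_fetcher() -> Callable[[str], str]:
    """Token provider backed by azure-identity (assumed installed; imported lazily).

    DefaultAzureCredential contains WorkloadIdentityCredential, which reads the three
    WORKLOAD_IDENTITY_VARS, and ManagedIdentityCredential for a system-assigned
    identity, so one provider covers both AKS setups.
    """
    from azure.identity import DefaultAzureCredential  # type: ignore

    credential = DefaultAzureCredential()
    return lambda scope: credential.get_token(scope).token


if __name__ == "__main__":
    # Run inside the pod to see which path the environment selects before
    # handing the connection string to the engine.
    conn = os.environ.get("DATABASE_CONNECTION", "Host=localhost;Database=demo")
    print("auth path:", classify_auth(conn, os.environ))
    print("workload identity:", workload_identity(os.environ))
```

Running the module inside the DAB pod (with DATABASE_CONNECTION set) prints whether the environment carries a workload identity at all; if it reports `entra-without-client-id`, the webhook did not inject the variables (missing pod label or service account annotation) and no client-id-based credential can succeed regardless of what the engine does with the passwordless string.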