Azure / sql-action

🚀 Deploy changes to your SQL database easily with SQL projects or SQL scripts and sql-action for GitHub workflows
MIT License

Error: Managed Identity: DefaultAzureCredential authentication failed #248

Open dlaatheijmans opened 1 day ago

dlaatheijmans commented 1 day ago

Hello,

I'm encountering an issue when trying to use a Managed Identity with a Federated Credential in GitHub Actions to run azure/sql-action@v2.3. The Managed Identity has been configured with a Federated Credential for GitHub (environment).

I added my Managed Identity to the database as db_owner, with the following query:

    DROP USER IF EXISTS [ManagedIdentity-Dev];
    CREATE USER [ManagedIdentity-Dev] FROM EXTERNAL PROVIDER WITH DEFAULT_SCHEMA=[dbo];
    ALTER ROLE db_owner ADD MEMBER [ManagedIdentity-Dev];

Here is my GitHub Actions workflow (.yml file):

    create-sql-users:
      runs-on:
        group: github-runner-Dev
      environment: ${{ inputs.environment }}
      steps:
        - uses: actions/checkout@main
        - uses: azure/login@v2
          with:
            client-id: ${{ vars.AZURE_CLIENT_ID }} # The Managed Identity with Federated Credential
            tenant-id: ${{ vars.AZURE_TENANT_ID }}
            subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
        - uses: azure/sql-action@v2.3
          with:
            connection-string: ${{ secrets.AZURE_SQL_CONNECTION_STRING }}
            path: './.github/sql/users.sql'
            skip-firewall-check: true

Issue:

When the workflow runs, I receive the following error message:

    sqlcmd -S mydatabase-dev.database.windows.net,1433 -d mydatabase-dev --authentication-method=ActiveDirectoryDefault -i ./.github/sql/users.sql
    DefaultAzureCredential authentication failed
    GET http://localhost:42356/msi/token
    --------------------------------------------------------------------------------
    RESPONSE 400 Bad Request
    --------------------------------------------------------------------------------
    {
      "statusCode": 400,
      "message": "No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId.",
      "correlationId": "86d82795-065e-4a71-a11c-12a10e7879d0"
    }

Am I missing something?

dlaatheijmans commented 23 hours ago

The error message was on my screen all the time: GET http://localhost:42356/msi/token. Apparently, when deploying from GitHub Actions in an Azure Container Instance, the token endpoint is set wrong.

I added this to my yaml, and it started working:

  env:
    IDENTITY_ENDPOINT: http://169.254.169.254:42356/
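A small diagnostic that a workflow can run before sql-action, to show which token endpoint the runner will contact and to name the failure from the response body (the 400 above means the client-id is not bound to the host the runner is on). This is an added example, not code from the reporter or from the sql-action project; it assumes IDENTITY_ENDPOINT, when set, overrides the fixed IMDS address, and uses the documented IMDS query format with a constructed sample response.

```python
import json
import os
import urllib.parse

# Documented Azure IMDS token endpoint, used when no IDENTITY_ENDPOINT is set.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_token_request(env, client_id, resource="https://database.windows.net/"):
    """Return (url, headers) for the managed-identity token request a runner would make.
    Assumption: IDENTITY_ENDPOINT, when present, takes precedence over IMDS."""
    base = env.get("IDENTITY_ENDPOINT") or IMDS_TOKEN_URL
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        # A user-assigned identity must be named explicitly; otherwise the
        # endpoint looks for a system-assigned identity on this host.
        params["client_id"] = client_id
    url = base + ("&" if "?" in base else "?") + urllib.parse.urlencode(params)
    return url, {"Metadata": "true"}


def diagnose(status_code, body):
    """Classify a token-endpoint response into a short diagnosis string."""
    if status_code == 200:
        return "ok"
    try:
        message = json.loads(body).get("message", "")
    except (ValueError, AttributeError):
        message = body or ""
    if status_code == 400 and "No User Assigned or Delegated Managed Identity" in message:
        return "identity-not-bound"  # the client-id is not attached to this host
    if status_code in (404, 0):
        return "endpoint-unreachable"
    return "error-%d" % status_code


# Constructed sample: the endpoint override from the fix and the 400 body from the issue.
SAMPLE_ENV = {"IDENTITY_ENDPOINT": "http://169.254.169.254:42356/"}
SAMPLE_BODY = json.dumps({"statusCode": 400, "message":
    "No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId."})

if __name__ == "__main__":
    url, headers = build_token_request(dict(os.environ), os.environ.get("AZURE_CLIENT_ID"))
    print("would request:", url)
    print("sample diagnosis:", diagnose(400, SAMPLE_BODY))
```

Running it as a step with the same `env:` block as sql-action shows whether the override actually changes the endpoint the runner will use.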