Closed OlaDecisive closed 8 months ago
@OlaDecisive Thanks for your feedback! We will investigate and update as appropriate.
@OlaDecisive Since this issue isn't directly related to improving our docs, and to gain a better understanding of your issue, I'd recommend working closer with our support team via an [Azure support request](https://docs.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request). Or you can leverage our Q&A forum by posting your issue there so our community and MVPs can further assist you in troubleshooting this issue or finding potential workarounds.
[Teams Q&A forum](https://docs.microsoft.com/en-us/answers/topics/46488/office-teams-windows-itpro.html) for technical questions about the configuration and administration of Microsoft Teams on Windows. [Microsoft Teams Community forum](https://answers.microsoft.com/en-us/msteams/forum?sort=LastReplyDate&dir=Desc&tab=All&status=all&mod=&modAge=&advFil=&postedAfter=&postedBefore=&threadType=All&isFilterExpanded=false&page=1
Turns out I generated the access token in the Azure Portal Cloud Shell, in other words in the context of my user logged into Azure Portal, and not in the context of the System Assigned Managed Identity.
This access token, while valid, cannot be used to authenticate Service Principals in Postgres.
When SSH'ing into the VM, I could generate the access token in the context of the System Assigned Managed Identity, and with this I managed to log into the Postgres server.
In the 'Retrieve the access token from the Azure Instance Metadata service' section you might want to clarify which context should be used, i.e. the VM shell and not the Cloud Shell.
I came across the same thing when using `DefaultAzureCredential()` while testing locally. `DefaultAzureCredential()` grabs my cached User Principal credentials from VS Code, but I used a Managed Identity user name.

Net effect was: `my_credential.get_token(scope).token`

Changing to: `me@me.org`

and the connection was successful.
When trying to authenticate with a system assigned managed identity, I get this error message:

```
connection failed: FATAL: Service Principals cannot generate AAD_AUTH_TOKENTYPE_APP_USER tokens for role[<role name>]
```

The system assigned managed identity is set up on a webapp resource, and in my PostgreSQL flexible server resource I have added the identity to the Microsoft Entra Admins section on the Authentication page.

I run

```sh
export PGPASSWORD=`curl -s 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fossrdbms-aad.database.windows.net&client_id=<SystemAssignedManagedIdentityId>' -H Metadata:true | jq -r .access_token`
```

to get the access token, and then

```sh
psql -h <database name>.postgres.database.azure.com --user <webapp name>
```

to try to log in, but I get the

```
connection failed: FATAL: Service Principals cannot generate AAD_AUTH_TOKENTYPE_APP_USER tokens for role[<role name>]
```

error message. I have tried to add a regular admin user to the Microsoft Entra Admins in the PostgreSQL Authentication page; when using the id of that user, the above method to log in works fine.

When logged in, I have verified with

```sql
select * from pgaadauth_list_principals(true);
```

that the system assigned managed identity is added to the PostgreSQL server.
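The cause OlaDecisive reports at the top of the thread (a token minted in the signed-in user's Cloud Shell context rather than in the managed identity's context) can be spotted before psql rejects it by looking at the token's claims. The following is an added example, not code from the issue or from Microsoft's docs; the `upn`/`appid` heuristic and the two sample tokens are constructed assumptions, and the audience constant is the URL-decoded `resource` from the curl command above.

```python
import base64
import json

# Audience the page's curl request asks IMDS for (URL-decoded form of its `resource` parameter).
OSSRDBMS_AUDIENCE = "https://ossrdbms-aad.database.windows.net"


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return a JWT's payload claims WITHOUT checking its signature. Diagnostic only, for a
    token you minted yourself; never use it to decide whether to trust someone else's token."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def diagnose_pg_token(token: str) -> list:
    """List why a token will not log in as a managed identity (empty list = looks fine).
    Heuristic assumption, not a documented rule: a token minted for a signed-in user carries
    `upn`; a managed identity token carries `appid`/`oid` but no `upn`."""
    claims = jwt_claims(token)
    problems = []
    if claims.get("aud") != OSSRDBMS_AUDIENCE:
        problems.append(f"audience is {claims.get('aud')!r}, expected {OSSRDBMS_AUDIENCE!r}")
    if "upn" in claims:
        problems.append(f"token belongs to user {claims['upn']!r} (e.g. a Cloud Shell session), "
                        "not to the managed identity; request it from IMDS on the VM/web app")
    elif "appid" not in claims:
        problems.append("token has neither `upn` nor `appid`; cannot tell which principal it is for")
    return problems


def make_unsigned_jwt(payload: dict) -> str:
    """Build a CONSTRUCTED, unsigned JWT so the checks above can be exercised offline."""
    seg = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = seg({"alg": "none", "typ": "JWT"})
    return f"{header}.{seg(payload)}."


# Constructed samples: a token from a user's Cloud Shell session and one from IMDS.
USER_TOKEN = make_unsigned_jwt({"aud": OSSRDBMS_AUDIENCE, "upn": "me@contoso.example",
                                "appid": "<cloud-shell-client-id placeholder>"})
MI_TOKEN = make_unsigned_jwt({"aud": OSSRDBMS_AUDIENCE, "appid": "<managed-identity-client-id placeholder>",
                              "oid": "<managed-identity-object-id placeholder>"})

if __name__ == "__main__":
    for name, tok in (("user token", USER_TOKEN), ("managed identity token", MI_TOKEN)):
        print(f"{name}: {diagnose_pg_token(tok) or 'usable for a managed identity login'}")
```

On a real VM or web app, pass the string your curl/IMDS call put in `PGPASSWORD` to `diagnose_pg_token` and only run psql with `--user <webapp name>` when it returns an empty list.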