What's the use case?
For self-hosted Dagster in Azure, typical deployments include an Azure Postgres flexible server. Recently Azure added authentication via Azure Active Directory. This eliminates the need to store a postgres password, using federated token exchange instead in order to connect to postgres.
References:
Ideas of implementation
The ideal solution would leverage workload identities (i.e. k8s serviceaccount linked to an Azure Active Directory service principal) and the python class azure.identity.WorkloadIdentity to get a token, and also a mechanism to refresh the token before the expiry automatically. There are examples here.
Additional information
I am willing to help with this PR if someone can show me the dagster internal postgres architecture and point me to the best place to insert this functionality.
Message from the maintainers
Impacted by this issue? Give it a 👍! We factor engagement into prioritization.
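The token refresh described in this issue, as an added example that is not part of the original post or Dagster's code: a cache that obtains a token through any credential object exposing get_token(scope) and renews it before expiry, handing it out as the Postgres password. RefreshingPgToken, FakeCredential and the 300-second skew are assumptions for illustration; in a cluster the fake would be replaced by a workload identity credential from azure.identity.

```python
import threading
import time
from collections import namedtuple

# Same shape as azure.core.credentials.AccessToken: token string, expiry in epoch seconds.
AccessToken = namedtuple("AccessToken", ["token", "expires_on"])

# Scope Azure documents for AAD authentication to Azure Database for PostgreSQL.
PG_SCOPE = "https://ossrdbms-aad.database.windows.net/.default"


class RefreshingPgToken:
    """Caches an access token and renews it `skew` seconds before it expires."""

    def __init__(self, credential, scope=PG_SCOPE, skew=300, clock=time.time):
        self._credential = credential  # any object with get_token(scope)
        self._scope = scope
        self._skew = skew              # assumed safety margin, in seconds
        self._clock = clock            # injectable so expiry can be tested offline
        self._lock = threading.Lock()  # one refresh at a time across threads
        self._cached = None

    def password(self):
        """Return a token to use as the password of a NEW connection."""
        with self._lock:
            remaining = None if self._cached is None else self._cached.expires_on - self._clock()
            if remaining is None or remaining <= self._skew:
                self._cached = self._credential.get_token(self._scope)
            return self._cached.token

    def connect_kwargs(self, host, user, dbname):
        # The token travels in the password field, so the connection must use TLS.
        return {"host": host, "user": user, "dbname": dbname,
                "password": self.password(), "sslmode": "require"}


class FakeCredential:
    """Constructed stand-in for a workload identity credential (no network)."""

    def __init__(self, clock, lifetime=3600):
        self.calls, self._clock, self._lifetime = 0, clock, lifetime

    def get_token(self, *scopes):
        self.calls += 1
        return AccessToken(f"constructed-token-{self.calls}", self._clock() + self._lifetime)
```

The token is only checked when a connection is opened, so a connection pool has to call password() for every new connection rather than once at startup; with SQLAlchemy the do_connect event is one place to do that.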