Open mitchdenny opened 1 week ago
I think this is by design. You need to change app code to make managed identity work with npgsql
From the docs on AddAzurePostgresFlexibleServer
See also https://devblogs.microsoft.com/dotnet/using-postgre-sql-with-dotnet-and-entra-id/
I wonder if we should augment the connection string so that we can do this automatically for folks.
I think there’s definitely more work to do here. I’m not sure what that work is yet though. The only thing that makes this seamless is a client integration. I think we will end up there.
@tg-msft has an idea on how we can make an abstraction of the Azure SDK's TokenCredential - see ClientModel: Add cloud-agnostics OAuth credential to System.ClientModel (Azure/azure-sdk-for-net#42852).
You would still need to change our app code, but it would be much simpler:
new DefaultAzureCredential()
.cc @annelo-msft
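For readers following the "change the app code" part of this discussion, here is an added example of the pattern the linked blog post describes: Npgsql fetches an Entra ID access token through a TokenCredential and presents it as the password, so the connection string carries no secret. This is not code from the Aspire project or from anyone in this thread. It assumes the Npgsql (7.0 or later) and Azure.Identity packages, uses Npgsql's UsePeriodicPasswordProvider API, and assumes the documented token audience for Azure Database for PostgreSQL; host, database and identity names are constructed placeholders.

```csharp
// Added example (not from the thread): Entra ID token auth for Npgsql.
// Assumes packages Npgsql (>= 7.0) and Azure.Identity.
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Npgsql;

public static class EntraPostgres
{
    // Token audience for Azure Database for PostgreSQL (assumption: per Azure docs).
    private const string Scope = "https://ossrdbms-aad.database.windows.net/.default";

    // Build a data source whose "password" is a short-lived Entra access token.
    // The connection string has no Password=...; Username must be the Entra
    // principal registered on the server (for a managed identity, its name).
    public static NpgsqlDataSource CreateDataSource(string connectionString, TokenCredential credential)
    {
        var builder = new NpgsqlDataSourceBuilder(connectionString);

        // Npgsql invokes the provider and caches its result for successRefreshInterval.
        // Entra tokens expire (typically ~1 hour), so refresh well before that, and
        // retry quickly after a failure so a transient IMDS/login hiccup self-heals.
        builder.UsePeriodicPasswordProvider(
            async (_, ct) =>
            {
                AccessToken token = await credential.GetTokenAsync(
                    new TokenRequestContext(new[] { Scope }), ct);
                return token.Token;
            },
            successRefreshInterval: TimeSpan.FromMinutes(45),
            failureRefreshInterval: TimeSpan.FromSeconds(30));

        return builder.Build();
    }

    // Quick check that the server accepted the token: returns the role we logged in as.
    public static async Task<string> QueryCurrentUserAsync(NpgsqlDataSource dataSource, CancellationToken ct = default)
    {
        await using var cmd = dataSource.CreateCommand("SELECT current_user");
        return (string)(await cmd.ExecuteScalarAsync(ct))!;
    }

    public static async Task Main()
    {
        // Constructed placeholder values; substitute the deployed server's host,
        // database and the identity's principal name.
        const string cs =
            "Host=example-server.postgres.database.azure.com;" +
            "Database=appdb;Username=my-app-identity;Ssl Mode=Require";

        // DefaultAzureCredential uses developer sign-in (az login, Visual Studio, ...)
        // locally and the managed identity once deployed, which is the local-to-deployed
        // shift the thread is discussing.
        var ds = CreateDataSource(cs, new DefaultAzureCredential());
        Console.WriteLine(await QueryCurrentUserAsync(ds));
    }
}
```

Two caveats worth checking before blaming the client: the identity must already exist as a PostgreSQL role on the server (that is what the SQL setup script discussed later in this thread does), and it needs CONNECT on the target database plus privileges on the schema, otherwise authentication succeeds but queries fail with permission errors. Running the same code in a local container will also fail, since there is no Entra-backed role there, which is the rough edge the client-integration proposal is meant to smooth over.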
I still think we need to make a client integration for azure postgres and redis. Now that we have this first class managed identity support, it's clear this is a rough edge that every customer will need to figure out. What makes it harder with aspire is that local dev will work, and deployment will fail. On top of that, if you do change the application to support managed identity, then running as a container will fail.
The client integration should seamlessly handle the shift from local dev to deployed in each situation.
See also https://devblogs.microsoft.com/dotnet/using-postgre-sql-with-dotnet-and-entra-id/
I recognise that blog 😉.
Enabling managed identity on Azure Postgres is a little tricky as you have to initially provision the resource with a username/password and then run a SQL script to configure the managed identity access on the database (which then would allow you to delete the default admin account). This isn't something that would be easy to do in Aspire as it'd require running some custom SQL scripts via Bicep post deployment. We have all that in https://github.com/microsoft/azure-openai-service-proxy/ if you need a reference.
This isn't something that would be easy to do in Aspire as it'd require running some custom SQL scripts via Bicep post deployment.
Deployment script 😄
Enabling managed identity on Azure Postgres is a little tricky as you have to initially provision the resource with a username/password and then run a SQL script to configure the managed identity access on the database (which then would allow you to delete the default admin account).
The Aspire.Hosting.Azure.PostgreSQL library has been updated to enable Entra ID by default in .NET Aspire 9. It is much easier to do with the latest Azure bits. See
Results in bicep:
This isn't something that would be easy to do in Aspire as it'd require running some custom SQL scripts via Bicep post deployment.
Deployment script 😄
Yes, that's what's needed to be done - https://github.com/microsoft/azure-openai-service-proxy/blob/main/infra/db-seed.bicep
Enabling managed identity on Azure Postgres is a little tricky as you have to initially provision the resource with a username/password and then run a SQL script to configure the managed identity access on the database (which then would allow you to delete the default admin account).
The Aspire.Hosting.Azure.PostgreSQL library has been updated to enable Entra ID by default in .NET Aspire 9. It is much easier to do with the latest Azure bits.
Does that configure the permissions on the databases that are deployed as well? We found we had to do this https://github.com/microsoft/azure-openai-service-proxy/blob/main/database/setup.sql to support it when building out the AI Proxy to configure the permissions correctly, otherwise while Entra was enabled it wasn't actually the right permissions.
Does that configure the permissions on the databases that are deployed as well?
If you create the database with Aspire, yes. At least it works to query and insert to the database in the apps that I have made with it.
We found we had to do this https://github.com/microsoft/azure-openai-service-proxy/blob/main/database/setup.sql to support it
That script is creating the database on line 4. With Aspire, the database is created in the same bicep as the server.
Is there an existing issue for this?
Describe the bug
Using the WaitForSandbox.AppHost with the following code (just replace Program.cs):
The main change is that instead of using a local container I want to use the Azure Provisioner. What I'm seeing is that when I launch the app host, the dbsetup program returns an error when trying to connect to the database:
If I look at the connection string this is what I see (with redactions):
Obviously the password is missing - but this should be using token auth now right so that shouldn't be a problem?
Expected Behavior
Using Azure Provisioner I should be able to create an Azure Postgres Flexible Server and connect to it using a token credential.
Steps To Reproduce
See above.
Exceptions (if any)
.NET Version info
No response
Anything else?
No response