Azure AD/Entra authentication for passwordless connection to HASURA_GRAPHQL_DATABASE_URL using postgres databases

[guidooliveira]

Is your proposal related to a problem?

When deploying Hasura on azure as either a container app or a Kubernetes deployment, we still have to have a username and password when connecting to postgres databases. Adding support for hasura to initialize the GRAPHQL and METADATA DBs using azure Managed Identities or Workload Identity for passwordless connections. This would greatly simplify management of local users and passwords and their lifecycle while also improving on security.

Describe the solution you'd like

native support for Azure AD authentication using DefaultCredential (supports Workload Identity, System Assigned managed identity, azure cli, etc) for the database connection.

Describe alternatives you've considered

Proxy application that hasura connects to and handles the azure AD token lifecycle instead of hasura. Sidecar container that writes the connectionstring to a file and refreshes it every x minutes that the hasura contrainer reads with the dynamic-file

[manasag]

Hi @guidooliveira,

This is supported using the Dynamic secrets feature as documented here https://hasura.io/docs/latest/security/dynamic-secrets/ . With this feature, you can set secrets that are short lived in nature via a mounted file in Hasura container. The secret need to be a full postgres URL for it to integrate with Hasura. Some of our users have written their sidecar containers for exactly the same purpose and integrated well with this feature.

Please do note that as per documentation, the configuration for setting the file location is a bit different for Metadata Database and GraphQL database.