search

microsoft / DacFx

DacFx, SqlPackage, and other SQL development libraries enable declarative database development and database portability across SQL versions and environments. Share feedback here on dacpacs, bacpacs, and SQL projects.
https://aka.ms/sqlpackage-ref
MIT License
348 stars 20 forks source link

AccessToken expiration #293

Open marty-buly opened 1 year ago

marty-buly commented 1 year ago

Steps to Reproduce:

  1. Obtain SPN token from AAD (db_access_token=$(curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' https://login.microsoftonline.com/***/oauth2/v2.0/token -d 'client_id=$(db-migration-spn-client-id)' -d 'grant_type=client_credentials' -d 'scope=https://database.windows.net%2F.default' -d 'client_secret=$(db-migration-spn-client-secret)' | jq -r '.access_token'))
  2. Export database (sqlpackage /Action:Export /TargetFile:"${TEMP_PATH}/${{ parameters.databaseName }}-$(currentDate).bacpac" /SourceConnectionString:"Server=tcp:${{ parameters.sourceSqlServer }},1433;Initial Catalog=${{ parameters.databaseName }};MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30" /AccessToken:$db_access_token /p:CommandTimeout=3600)
  3. In case export takes longer as is validity of the AccessToken it starts to log (*** Login failed for user ''. Token is expired.)

Did this occur in prior versions? If not - which version(s) did it work in? NA

SqlPackage

dzsquared commented 1 year ago

SqlPackage is consuming the token you provide, it cannot renew the token. For long running operations, Managed Identity is especially recommended: https://learn.microsoft.com/sql/tools/sqlpackage/sqlpackage#managed-identity