microsoft / DacFx

DacFx, SqlPackage, and other SQL development libraries enable declarative database development and database portability across SQL versions and environments. Share feedback here on dacpacs, bacpacs, and SQL projects.
https://aka.ms/sqlpackage-ref
MIT License

SqlPackage Publish Support for Key Vault Token Authentication for CI/CD #374

Open MichaelJRogersGM opened 9 months ago

MichaelJRogersGM commented 9 months ago

Is your feature request related to a problem? Please describe.
When using a CI/CD pipeline that has federated credentials, we are forced to fall back to using a client ID and secret when using SQL Always Encrypted to access the key vault. If we could request a token and pass it in using our federated credentials, we wouldn't need to use the client ID and secret anymore.

Describe the solution you'd like
Support for providing a key vault access token or federated identity.

Describe alternatives you've considered
Reviewed the documentation and was not able to find any other way of accessing the key vault through a CI/CD pipeline using federation.

Additional context
Current pipeline, using an access token to access the database but having to fall back to a client ID and secret for the key vault:

sqlpackage \
           /AccessToken:$(az account get-access-token --resource https://database.windows.net --query "accessToken" --output tsv) \
           /Action:Publish \
           /TargetDatabaseName:'Database' \
           /TargetServerName:'${{ vars.AZURE_SQL_SERVER }}' \
           /SourceFile:'${{ github.workspace }}/dacpac/Database.dacpac' \
           /AzureKeyVaultAuthMethod:'ClientIdSecret' \
           /ClientId:'${{ vars.AZURE_CLIENT_ID }}' \
           /Secret:'${{ secrets.AZURE_CLIENT_SECRET }}' \
           /p:BlockOnPossibleDataLoss=${{inputs.BlockOnPossibleDataLoss}} \
           /p:ExcludeObjectTypes='ColumnEncryptionKeys;ColumnMasterKeys'

llali commented 3 months ago

@MichaelJRogersGM have you tried authenticating to Azure using the az command first and then calling sqlpackage (without the client ID and secret)? sqlpackage should be able to authenticate using DefaultAzure authentication. https://learn.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet
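The pipeline step from the original post, reworked along the lines llali suggests, as an added example that is not code from the issue or from the DacFx project: the job logs in with the workflow's federated OIDC token, obtains a short-lived database token, and invokes SqlPackage without /ClientId, /Secret or /AzureKeyVaultAuthMethod:ClientIdSecret, with a guard that refuses to run if any such argument is appended. It assumes that SqlPackage falls back to DefaultAzureCredential (the az CLI login) for Key Vault when no credentials are given, and that AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_SQL_SERVER and DACPAC_PATH are set by the workflow; those names are assumptions.

```shell
#!/bin/sh
# Added example, not from the issue or the DacFx project. ASSUMPTIONS: SqlPackage
# uses DefaultAzureCredential for Key Vault when no /ClientId and /Secret are
# passed (as llali suggests); AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_SQL_SERVER
# and DACPAC_PATH are provided by the workflow environment.
set -eu

# Exchange the GitHub OIDC token for an az CLI session; no client secret involved.
az_login_federated() {
  oidc=$(curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
           "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://AzureADTokenExchange" \
         | python3 -c 'import json,sys; print(json.load(sys.stdin)["value"])')
  az login --service-principal --username "$AZURE_CLIENT_ID" \
    --tenant "$AZURE_TENANT_ID" --federated-token "$oidc" --output none
}

# Return 1 if any argument would put a long-lived credential on the command
# line (visible in process listings and pipeline logs).
check_no_secret_args() {
  ! printf '%s\n' "$@" | grep -Eq '^/(Secret|ClientId|AzureKeyVaultAuthMethod:ClientIdSecret)'
}

# Run "$1" (sqlpackage, or a dry-run printer) with the publish arguments:
# database access via a short-lived token; any extra arguments after the
# five fixed parameters are appended and screened by check_no_secret_args.
publish_cmd() {
  cmd=$1 token=$2 server=$3 dacpac=$4 block=$5
  shift 5
  set -- /Action:Publish "/AccessToken:$token" "/TargetServerName:$server" \
    /TargetDatabaseName:Database "/SourceFile:$dacpac" \
    "/p:BlockOnPossibleDataLoss=$block" \
    "/p:ExcludeObjectTypes=ColumnEncryptionKeys;ColumnMasterKeys" "$@"
  check_no_secret_args "$@" || { echo "refusing: secret-bearing argument" >&2; return 1; }
  "$cmd" "$@"
}

dry_run() { printf '%s\n' "$@"; }   # prints the argument list instead of publishing

publish() {
  az_login_federated
  token=$(az account get-access-token --resource https://database.windows.net \
            --query accessToken --output tsv)
  publish_cmd sqlpackage "$token" "$AZURE_SQL_SERVER" "$DACPAC_PATH" \
    "${BLOCK_ON_POSSIBLE_DATA_LOSS:-True}"
}

# Publish only when invoked as "sh publish.sh run"; otherwise just define the functions.
if [ "${1:-}" = run ]; then publish; fi
```

Running with `dry_run` in place of `sqlpackage` prints the final argument list so it can be reviewed in the job log before the real publish step.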