microsoft / go-mssqldb

Microsoft SQL server driver written in go language
BSD 3-Clause "New" or "Revised" License

Connect using user-assigned identity via `ActiveDirectoryMSI` #222

Open alex-kuck opened 8 hours ago

alex-kuck commented 8 hours ago

Describe the bug

From the README it seems like the attached code should successfully authenticate to Azure SQL via Managed Identity. However, the request fails with the attached error.

Exception message: 

GET http://169.254.169.254/metadata/identity/oauth2/token
--------------------------------------------------------------------------------
RESPONSE 400 Bad Request
--------------------------------------------------------------------------------
{
  "error": "invalid_request",
  "error_description": "Identity not found"
}
--------------------------------------------------------------------------------
To troubleshoot, visit https://aka.ms/azsdk/go/identity/troubleshoot#managed-id

Stack trace: N/A

To Reproduce

package db

import (
    "context"
    "database/sql"
    "fmt"

    "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
    "github.com/Azure/azure-sdk-for-go/sdk/azidentity"
    mssql "github.com/microsoft/go-mssqldb"
    azureAd "github.com/microsoft/go-mssqldb/azuread"
)

// NewAzureSql lets the azuread driver pick the identity from the connection string.
// connection: server=azuresql.database.windows.net;database=some-db;fedauth=ActiveDirectoryMSI;user id=XXX-YYY-ZZZZ;
// This is the path that fails with "Identity not found".
func NewAzureSql(connection string) (db *sql.DB, err error) {
    db, err = sql.Open(azureAd.DriverName, connection)
    return
}

// NewAzureSqlWithTokenProvider fetches the token through azidentity and hands it to
// the driver via an access-token connector. The following works however.
func NewAzureSqlWithTokenProvider(connection string) (db *sql.DB, err error) {
    cred, err := azidentity.NewDefaultAzureCredential(nil)
    if err != nil {
        err = fmt.Errorf("could not create default azure credential: %w", err)
        return
    }
    tokenProvider := func() (string, error) {
        token, err := cred.GetToken(context.TODO(), policy.TokenRequestOptions{
            Scopes: []string{"https://database.windows.net//.default"},
        })
        return token.Token, err
    }

    connector, err := mssql.NewAccessTokenConnector(connection, tokenProvider)
    if err != nil {
        err = fmt.Errorf("could not create access token connector: %w", err)
        return
    }

    return sql.OpenDB(connector), err
}

Expected behavior

Ideally - and as the README suggests 😅 - the "simple" solution should work without having to provide a token provider manually.

Further technical details

SQL Server version: Azure SQL (General Purpose - Serverless: Standard-series (Gen5), 2 vCores)
Operating system: Docker container running on AKS
Table schema

Additional context

Versions:

github.com/microsoft/go-mssqldb v1.7.2
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.1 // indirect
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.1 // indirect
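The 400 "Identity not found" in the report is produced by the Azure Instance Metadata Service (IMDS), which both the azuread driver and azidentity call for managed identity. The probe below is an added example, not code from this issue or from the go-mssqldb project: it issues the documented IMDS request (api-version 2018-02-01, the required "Metadata: true" header, and an optional client_id that selects a user-assigned identity) and classifies the reply, so the host can be checked for the identity named in the connection string independently of the driver. FakeIMDS, the client IDs and the token value are constructed stand-ins so the program runs offline; against a real AKS node the endpoint would be http://169.254.169.254/metadata/identity/oauth2/token from the error text.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// IMDSError is the metadata service's JSON failure body; the issue quotes one
// with error_description "Identity not found".
type IMDSError struct {
	Status      int    `json:"-"`
	Code        string `json:"error"`
	Description string `json:"error_description"`
}

func (e *IMDSError) Error() string {
	return fmt.Sprintf("imds: HTTP %d %s: %s", e.Status, e.Code, e.Description)
}

// IMDSToken is the part of a successful token response used here.
type IMDSToken struct {
	AccessToken string `json:"access_token"`
	ClientID    string `json:"client_id"`
}

// RequestIMDSToken issues the request the SDK makes under the hood:
// GET endpoint?api-version=2018-02-01&resource=...[&client_id=...] with the
// mandatory "Metadata: true" header. A non-empty clientID selects a
// user-assigned identity; empty asks for the system-assigned one.
func RequestIMDSToken(ctx context.Context, endpoint, resource, clientID string) (*IMDSToken, error) {
	q := url.Values{"api-version": {"2018-02-01"}, "resource": {resource}}
	if clientID != "" {
		q.Set("client_id", clientID)
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint+"?"+q.Encode(), nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Metadata", "true")
	resp, err := (&http.Client{Timeout: 5 * time.Second}).Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		// Description keeps the raw body when it is not the documented JSON shape.
		ie := &IMDSError{Status: resp.StatusCode, Code: "unknown", Description: string(body)}
		_ = json.Unmarshal(body, ie)
		return nil, ie
	}
	var tok IMDSToken
	if err := json.Unmarshal(body, &tok); err != nil {
		return nil, fmt.Errorf("imds: decoding token response: %w", err)
	}
	return &tok, nil
}

// IsIdentityNotFound reports whether err is the issue's 400 "Identity not found".
func IsIdentityNotFound(err error) bool {
	var ie *IMDSError
	return errors.As(err, &ie) && ie.Status == http.StatusBadRequest && ie.Description == "Identity not found"
}

// FakeIMDS is a constructed stand-in for the real service so the probe runs offline:
// it knows one user-assigned identity and answers anything else with the issue's 400 body.
func FakeIMDS(assignedClientID string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		if r.Header.Get("Metadata") != "true" || r.URL.Query().Get("client_id") != assignedClientID {
			w.WriteHeader(http.StatusBadRequest)
			fmt.Fprint(w, `{"error":"invalid_request","error_description":"Identity not found"}`)
			return
		}
		json.NewEncoder(w).Encode(IMDSToken{AccessToken: "constructed.token.value", ClientID: assignedClientID})
	}))
}

func main() {
	srv := FakeIMDS("11111111-2222-3333-4444-555555555555") // constructed client ID
	defer srv.Close()
	for _, cid := range []string{"", "99999999-0000-0000-0000-000000000000", "11111111-2222-3333-4444-555555555555"} {
		tok, err := RequestIMDSToken(context.Background(), srv.URL, "https://database.windows.net/", cid)
		if IsIdentityNotFound(err) {
			fmt.Printf("client_id=%q: no such identity on this host\n", cid)
		} else if err != nil {
			fmt.Printf("client_id=%q: %v\n", cid, err)
		} else {
			fmt.Printf("client_id=%q: token for identity %s\n", cid, tok.ClientID)
		}
	}
}
```

Run inside the pod with the real endpoint and the client ID from the `user id` field: an "Identity not found" reply means the identity is not available to that host (or, on AKS, to that pod's identity configuration), which is a platform assignment problem rather than a driver one; a token reply narrows the fault to how the driver passes the identity on.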

alex-kuck commented 6 hours ago

Quick update: I also tried with github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 and the issue still persists there.