How to use Federated credentials with service principal to auth the Azure resources

mkleehammer / pyodbc

Python ODBC bridge

https://github.com/mkleehammer/pyodbc/wiki

MIT No Attribution

2.88k stars 561 forks source link

How to use Federated credentials with service principal to auth the Azure resources #1362

Closed kachely26 closed 1 week ago

kachely26 commented 2 weeks ago

Please first make sure you have looked at:

Documentation: https://github.com/mkleehammer/pyodbc/wiki
Other issues

Environment

To diagnose, we usually need to know the following, including version numbers. On Windows, be sure to specify 32-bit Python or 64-bit:

Python: 3.10
pyodbc: 5.0.1
OS: linux ubuntu 18.04
DB: Azure Synapse serverless DB
driver: pyodbc

Issue

Due to security issue, I cannot use clientid + secret when I use service principal as the authentication method. Then how can I use federated credentials to do the authentication? Thank you!

Often it is easiest to describe your issue as "expected behavior" and "observed behavior".

v-chojas commented 2 weeks ago

If you're using the msodbcsql (17 or 18) driver you can give it the access token directly: https://learn.microsoft.com/en-us/sql/connect/odbc/using-azure-active-directory#authenticating-with-an-access-token

gordthompson commented 2 weeks ago

Hey @v-chojas - Would this be the same issue as documented in the wiki here

https://github.com/mkleehammer/pyodbc/wiki/Tips-and-Tricks-by-Database-Platform#authenticate-using-an-access-token-from-azure-active-directory

making this a duplicate of #228 ?

v-chojas commented 2 weeks ago

@gordthompson I wouldn't call this a duplicate without knowing more details about what the OP is trying to accomplish ("federated credentials" is vague and can refer to various things) or indeed if this is the msodbcsql driver being used.

kachely26 commented 1 week ago

Thank you so much @v-chojas and @gordthompson! I think this is what I want https://github.com/mkleehammer/pyodbc/wiki/Tips-and-Tricks-by-Database-Platform#authenticate-using-an-access-token-from-azure-active-directory Besides, when I use access token, should I set the connection as something like below? Driver={ODBC Driver 18 for SQL Server};Server={server};Authentication=ActiveDirectoryIntegrated;Encrypt=yes;? Which Authentication type should I use for access token authentication? Should I set the token when calling connect function? Is it possible to set it in the connection string? conn = pyodbc.connect(connstr, attrs_before = { 1256:bytearray(tokenstruct) })

v-chojas commented 1 week ago

Do not specify authentication mode when using access token. https://learn.microsoft.com/en-us/sql/connect/odbc/using-azure-active-directory?view=sql-server-ver16#authenticating-with-an-access-token

kachely26 commented 1 week ago

I got the access token from

https://review.learn.microsoft.com/en-us/identity/microsoft-identity-platform/federated-identity-credentials?branch=main&tabs=python#msal-python

Does the access token a correct one?

I see it returns me Login failed for user \'<token-identified principal>\'. The server is not currently configured to accept this token. (18456) (SQLDriverConnect)")\n(Background on this error at: http://sqlalche.me/e/13/rvf5)

Could you provide some insights here?

v-chojas commented 1 week ago

You need to add the corresponding account on the server with CREATE USER ... FROM EXTERNAL PROVIDER