Guidance on how to do password-less login using Azure Service Principal or Managed Identity

sivawba commented 2 years ago

Issue

We are trying to port a Rails application to Azure cloud and would like to use Azure Service Principal or Managed Identity instead of the database.yml username/password, while connecting to Azure SQL-MI

Is it possible to do this without specifying username/password in database.yml by using access_token from Azure IMDS endpoint as shown here for Python?

Any pointers on how to accomplish this would be greatly helpful. Thanks again for a great library that is helping us move forward with the port.

Expected behavior

Login to Azure SQLServer MI without providing username/password in database.yml

Actual behavior

Not sure how to proceed or whether this can be done

Details

Rails version: 5.2.3
SQL Server adapter version: 5.2.0
TinyTDS version: 2.1.5

FreeTDS details: 1.1.24

 MS db-lib source compatibility: no
    Sybase binary compatibility: no
                  Thread safety: yes
                  iconv library: yes
                    TDS version: 7.3
                          iODBC: no
                       unixodbc: no
          SSPI "trusted" logins: no
                       Kerberos: no
                        OpenSSL: yes
                         GnuTLS: no
                           MARS: yes

Michoels commented 1 year ago

This isn't supported by FreeTDS yet. I opened an issue for it here

Michoels commented 2 months ago

Update: The azure-blob gem just added support for Entra ID (Managed Identity) in release 0.5.0. So obtaining a valid auth token from Entra ID in Ruby is now a solved problem.

We can't take advantage of that yet, as FreeTDS still does not support Entra ID.

See TinyTDS issue 512

rails-sqlserver / activerecord-sqlserver-adapter