Open ashic opened 3 years ago
Got some updates
This works now:
    function getConfig(accessToken) {
      var config = {
        "authentication": {
          "type": "azure-active-directory-access-token",
          "options": {
            "token": accessToken
          },
        },
        "server": `${process.env.SQL_SERVER_NAME}.database.windows.net`,
        "options": {
          "encrypt": true,
          "database": process.env.SQL_SERVER_DB_NAME,
        }
      };
      return config;
    }
where I get the access token with @azure/identity with:
    const identity = require("@azure/identity");
    // DefaultAzureCredential picks the user assigned identity because AZURE_CLIENT_ID is set to its client id
    const cred = new identity.DefaultAzureCredential();
    const token = await cred.getToken("https://database.windows.net/.default");
    const conf = getConfig(token.token);
The following does not work for me:
    function getConfigAF() {
      var config = {
        "authentication": {
          "type": "azure-active-directory-msi-app-service",
          "options": {
            clientId: process.env.AZURE_CLIENT_ID,
            resource: "https://database.windows.net/.default"
          },
        },
        "server": `${process.env.SQL_SERVER_NAME}.database.windows.net`,
        "options": {
          "encrypt": true,
          "database": process.env.SQL_SERVER_DB_NAME,
        }
      };
      return config;
    }
With this, I get "Security token could not be authenticated or authorized".
Is there something I'm missing?
Hi @ashic, I found an older issue that could be related to yours: #1146. The root cause for this is in ms-rest-nodeauth, and they have made a fix for it. On the tedious side, Ian has made a PR that embedded their fix, and this PR has been merged and released in tedious 9.2.2. You can check the details in the #1146 comment thread. Sadly, node-mssql has not been actively maintained for a while, so it is still using a pretty old version of tedious. Could you try your code with the latest tedious without the node-mssql layer, and see if this resolves the issue?
I'm using node-mssql 6.3.1, which uses tedious 6.7.0, which in turn uses @azure/ms-rest-nodeauth 3.0.6 (i.e., it's not a ms-rest-nodeauth v2 issue). Some details about my issue:
I have a Node Azure Function with a user assigned identity (we'll call it uid1). uid1 is given permissions to access some storage blob and db owner (started off with limited, but trying to get it working) on an Azure SQL database.
I've created a user in the SQL database for uid1 via the following:
I've set AZURE_CLIENT_ID as an app setting to equal the client id of uid1 (not the object id).
Observations:
ConnectionError: Login failed for user '<token-identified principal>'.
ConnectionError: Security token could not be authenticated or authorized.
I've tried the following two configs:
and
Using the first, if the access token is from the principal that created the database, it works. But it doesn't if it's using the user assigned identity.
I'm thinking this is related to needing a SQL user / and permissions for the user assigned identity in the SQL database, but I've already done that. Any guidance on this will be appreciated.
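As an added diagnostic (not code from this issue, tedious or node-mssql), the following Node helper decodes the claims of an Azure AD access token so the two errors reported above can be told apart: a wrong `aud` or a token issued to a client id other than `AZURE_CLIENT_ID` points at token acquisition, while a token with the right claims that still fails with "Login failed for user '<token-identified principal>'" points at the SQL-side user mapping for that identity's object id. Function names, the constructed sample token and the `expectedClientId` parameter are assumptions.

```javascript
// Diagnostic helper (added example): decode the claims of an Azure AD access
// token before passing it to tedious, to tell a wrong audience or wrong identity
// apart from a missing SQL user. This only decodes; it does NOT verify the
// signature (Azure SQL does that), so use it for configuration checks only.

// Audiences Azure SQL accepts; v1 tokens carry the trailing slash.
const SQL_AUDIENCES = ["https://database.windows.net/", "https://database.windows.net"];

// base64url helpers written by hand so this runs on any Node version.
function b64urlEncode(str) {
  return Buffer.from(str, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function b64urlDecode(str) {
  const padded = str.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - str.length % 4) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT (header.payload.signature)");
  return JSON.parse(b64urlDecode(parts[1]));
}

// Returns { oid, problems }: problems is empty when the token looks right for
// expectedClientId (the user-assigned identity's client id, i.e. AZURE_CLIENT_ID).
// oid is the object id the CREATE USER ... FROM EXTERNAL PROVIDER user must map to.
function checkSqlToken(token, expectedClientId, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(token);
  const problems = [];
  if (!SQL_AUDIENCES.includes(claims.aud)) {
    problems.push(`audience is "${claims.aud}", expected https://database.windows.net/`);
  }
  // v1 tokens name the caller in "appid", v2 tokens in "azp".
  const callerId = claims.appid || claims.azp;
  if (callerId !== expectedClientId) {
    problems.push(`token issued to "${callerId}", expected identity ${expectedClientId}`);
  }
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) {
    problems.push("token is expired");
  }
  return { oid: claims.oid, problems };
}

// Builds a constructed sample token (dummy header and signature) for local tests.
function makeSampleToken(payload) {
  return `${b64urlEncode(JSON.stringify({ alg: "RS256", typ: "JWT" }))}.` +
    `${b64urlEncode(JSON.stringify(payload))}.dummy-signature`;
}
```

Never log the full token; log only the `problems` array and the `oid`, which is what you compare against the user created in the database.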