Azure PostgreSQL should support managed identity #5793
Labels: area-integrations (Issues pertaining to Aspire Integrations packages), azure (Issues associated specifically with scenarios tied to using Azure), postgres (Issues related to Postgres integrations), security 🔐
eerhardt added the area-integrations, azure, security 🔐 and postgres labels on Sep 19, 2024
eerhardt added a commit to eerhardt/aspire that referenced this issue on Sep 25, 2024:
- Add a new API to replace AsAzure and PublishAsAzure. This creates an Azure resource to start, so it can be configured like other Azure resources. Since this is a new API, we can use managed identity by default.
- Add an API to convert managed identity to password based auth, so users can still go that route if they need to.
- Add RunAsContainer following the RunAsEmulator model. This allows local development against a PostgreSQL container and publish to go to a managed Azure PostgreSQL flexible server.
Fix dotnet#5793
eerhardt added a commit to eerhardt/aspire that referenced this issue on Sep 27, 2024
eerhardt added a commit to eerhardt/aspire that referenced this issue on Sep 30, 2024
eerhardt added a commit to eerhardt/aspire that referenced this issue on Sep 30, 2024
When provisioning a PostgreSQL database server today, we use an admin user name and password. This approach isn't as secure as using managed identity.
See
We should have an option for enabling managed identity / Entra ID when provisioning PostgreSQL database servers.
One could argue that we should do this by default, in the name of security. However, the problem is that the app connecting to this database is going to have to change to follow the steps in https://devblogs.microsoft.com/dotnet/using-postgre-sql-with-dotnet-and-entra-id/. So it would break apps when they published to Azure, if the app wasn't set up to work with Entra ID.
Proposal
Add a new enum that gets passed into .AsAzurePostgresFlexibleServer() that switches which kind of auth is used.
Alternative
We could add a new extension method .WithActiveDirectoryAuth() that disables the password based auth and switches the administrator to use managed identity. The downfall of this is that it would need to hang off IResourceBuilder<PostgresServerResource>, and if someone called it without calling AsAzurePostgresFlexibleServer first it wouldn't work well.
cc @mitchdenny @davidfowl @tg-msft @sebastienros @radical
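The issue's concern is that switching the server to Entra ID (managed identity) auth breaks any app that still sends a static admin password. The following is an added example, not code from the Aspire project or from the issue author, of what the consuming app has to do instead: obtain a short-lived Entra access token and present it as the PostgreSQL password on every new connection. It assumes the Npgsql and Azure.Identity packages are referenced, that the connection string names the Entra principal as the PostgreSQL role and carries no password, and that the token audience is the standard Azure Database for PostgreSQL scope.

```csharp
// Added example (not Aspire's or the issue author's code): connecting an app to
// Azure Database for PostgreSQL with Microsoft Entra ID / managed identity
// instead of a stored admin password.
// Assumptions: Npgsql 7+ and Azure.Identity referenced; the connection string
// has Username set to the Entra principal's PostgreSQL role and no Password.
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Npgsql;

public static class EntraPostgresDataSource
{
    // Token audience for Azure Database for PostgreSQL (assumed standard scope).
    private const string PostgresScope = "https://ossrdbms-aad.database.windows.net/.default";

    public static NpgsqlDataSource Create(string connectionString)
    {
        // In Azure this resolves to the app's managed identity; on a developer
        // machine it resolves to the signed-in developer. No secret is deployed.
        var credential = new DefaultAzureCredential();
        var builder = new NpgsqlDataSourceBuilder(connectionString);

        // Entra tokens expire (typically within an hour). Npgsql calls the
        // provider again after successRefreshInterval and retries sooner after a
        // failure, so pooled connections never reuse an expired token as password.
        builder.UsePeriodicPasswordProvider(
            async (_, ct) =>
            {
                AccessToken token = await credential.GetTokenAsync(
                    new TokenRequestContext(new[] { PostgresScope }), ct);
                return token.Token;
            },
            successRefreshInterval: TimeSpan.FromMinutes(55),
            failureRefreshInterval: TimeSpan.FromSeconds(5));

        return builder.Build();
    }

    // Usage: open a connection as the Entra principal and run a trivial query.
    public static async Task<string> WhoAmIAsync(string connectionString, CancellationToken ct = default)
    {
        await using NpgsqlDataSource dataSource = Create(connectionString);
        await using NpgsqlConnection conn = await dataSource.OpenConnectionAsync(ct);
        await using var cmd = new NpgsqlCommand("SELECT current_user", conn);
        return (string)(await cmd.ExecuteScalarAsync(ct))!;
    }
}
```

This is why the issue argues against flipping the default silently: an app built against the password-based connection string has no token provider, so the server rejects its login the moment the administrator is switched to Entra ID. A defender reviewing a migration should confirm the app uses a token provider like the one above before password auth is disabled on the server, and should treat the removal of the stored admin password as the security win the change is meant to deliver.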