Add support for using a managed identity to connect to Azure Database for PostgreSQL #294

MattMcL4475 · 2023-07-18T19:19:24Z

To use managed identity:

In https://github.com/broadinstitute/cromwhelm/blob/main/coa-helm/templates/tes.yaml, set:

TesPostgreSql__DatabaseUserPassword=""
TesPostgreSql__UseManagedIdentity="true"

If UseManagedIdentity is true, an exception will be thrown if DatabaseUserPassword is NOT empty.

Enable "Microsoft Entra authentication" on the PostgreSQL database
Add a "Microsoft Entra Admin" and select the managed identity
Using the original admin, you must run:

GRANT ALL PRIVILEGES ON DATABASE tes_db TO "CLIENT_ID";
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "CLIENT_ID";
GRANT ALL PRIVILEGES ON SCHEMA public TO "CLIENT_ID";

Where CLIENT_ID is the user-assigned managed identity's client ID.

TODO: create the database with an Azure AAD admin user in the deployer, then create an AAD user
TODO: provide script for creating a new AAD user after creating the AAD admin and using that instead

Reference:

https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-configure-sign-in-azure-ad-authentication
https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-azure-ad-authentication
https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-connect-with-managed-identity

#346

…ntitySupportToPostgres

update nuget packages and initial code implementation

c92b259

MattMcL4475 changed the title ~~update nuget packages and initial code implementation~~ Add support for Managed Identity for Postgres Jul 18, 2023

MattMcL4475 changed the title ~~Add support for Managed Identity for Postgres~~ Add support for using a managed identity to connect to Azure Database for PostgreSQL Jul 18, 2023

MattMcL4475 added 16 commits July 18, 2023 12:26

refactor

3559b8b

update logic

ff1736c

refactor

820c2e0

fix connection string logic

ecc5856

rewrite for clarity

7795580

refactor

01dd40a

add new setting

cf72264

fix semicolon

e4ccb52

add note

9335a3e

add additional argument exception check

4954869

update casing

df02e60

add note about connection string check

6c827f1

Merge remote-tracking branch 'origin/main' into feature/AddManagedIde…

dd03d82

…ntitySupportToPostgres

fix formatting

1022f25

hoist maxbatchsize

e7722b0

minor formatting

7eba550

BMurri added the Needs Issue PR needs at least one associated issue label Jul 19, 2023

Merge remote-tracking branch 'origin/main' into feature/AddManagedIde…

d6d1861

…ntitySupportToPostgres

MattMcL4475 removed the Needs Issue PR needs at least one associated issue label Aug 9, 2023

MattMcL4475 requested a review from a team August 15, 2023 17:14

MattMcL4475 added 7 commits August 15, 2023 11:28

Merge remote-tracking branch 'origin/main' into feature/AddManagedIde…

1402975

…ntitySupportToPostgres

add Microsoft.EntityFrameworkCore.Relational and update packages

9bf1c3e

Merge branch 'main' into feature/AddManagedIdentitySupportToPostgres

60cbf7c

Merge remote-tracking branch 'origin/main' into feature/AddManagedIde…

866f458

…ntitySupportToPostgres

update implementation and refactor dbcontext

6441716

Merge remote-tracking branch 'origin/main' into feature/AddManagedIde…

4025abe

…ntitySupportToPostgres

update nuget

f956900

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add support for using a managed identity to connect to Azure Database for PostgreSQL #294

Add support for using a managed identity to connect to Azure Database for PostgreSQL #294

MattMcL4475 commented Jul 18, 2023 •

edited

Loading

Add support for using a managed identity to connect to Azure Database for PostgreSQL #294

Are you sure you want to change the base?

Add support for using a managed identity to connect to Azure Database for PostgreSQL #294

Conversation

MattMcL4475 commented Jul 18, 2023 • edited Loading

MattMcL4475 commented Jul 18, 2023 •

edited

Loading