Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add | Add FIC + MSI support #2557

Draft
wants to merge 5 commits into
base: main
Choose a base branch
from
Draft

Add | Add FIC + MSI support #2557

wants to merge 5 commits into from

Conversation

yhvicey
Copy link

@yhvicey yhvicey commented Jun 7, 2024

Resolves #2556.

This PR adds support for authenticating Azure SQL Server using federated identity credentials (FIC) and managed identity (MSI). It provides similar functionality as the ActiveDirectoryWorkloadIdentity, but supports using managed identity directly.

It will use values from below environments to finish authentication process:

  • AZURE_CLIENT_ID, the client id of multi-tenant Microsoft Entra App id, may be overridden by User Id.
  • AZURE_TENANT_ID, the tenant id where target resource locates.
  • AZURE_MSI_CLIENT_ID, the client id of managed identity.

Note: The first two environment variables are defined in Azure.Identity library, the third one is newly defined.

David-Engel
David-Engel reviewed Jun 7, 2024
View reviewed changes
Copy link
Contributor

@David-Engel David-Engel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a couple notes for now.

...crosoft.Data.SqlClient/src/Microsoft/Data/SqlClient/ActiveDirectoryAuthenticationProvider.cs Show resolved Hide resolved
...crosoft.Data.SqlClient/src/Microsoft/Data/SqlClient/ActiveDirectoryAuthenticationProvider.cs Outdated Show resolved Hide resolved
@codecov Codecov
Copy link

codecov bot commented Jun 13, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 37.83784% with 46 lines in your changes missing coverage. Please review.

Project coverage is 71.71%. Comparing base (f7ab115) to head (f43f52c).
Report is 50 commits behind head on main.

Files Patch % Lines
...SqlClient/ActiveDirectoryAuthenticationProvider.cs 7.89% 35 Missing ⚠️
...nt/netfx/src/Microsoft/Data/SqlClient/TdsParser.cs 0.00% 4 Missing ⚠️
.../netcore/src/Microsoft/Data/SqlClient/TdsParser.cs 0.00% 2 Missing ⚠️
...ent/SqlAuthenticationProviderManager.NetCoreApp.cs 0.00% 1 Missing ⚠️
...core/src/Microsoft/Data/SqlClient/SqlConnection.cs 85.71% 1 Missing ⚠️
...Data/SqlClient/SqlAuthenticationProviderManager.cs 50.00% 1 Missing ⚠️
...etfx/src/Microsoft/Data/SqlClient/SqlConnection.cs 85.71% 1 Missing ⚠️
...rc/Microsoft/Data/SqlClient/SqlConnectionString.cs 50.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2557      +/-   ##
==========================================
- Coverage   72.81%   71.71%   -1.11%     
==========================================
  Files         311      308       -3     
  Lines       61694    62374     +680     
==========================================
- Hits        44922    44730     -192     
- Misses      16772    17644     +872
Flag Coverage Δ
addons 92.88% <ø> (ø)
netcore 75.89% <31.03%> (-1.29%) ⬇️
netfx 69.72% <32.25%> (-0.73%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@yhvicey
Copy link
Author

yhvicey commented Jun 15, 2024

Shall we use ActiveDirectoryFederatedIdentityCredentials, or ActiveDirectoryFederatedIdentity?

@srxmsft
Copy link

srxmsft commented Jun 24, 2024

Since it might take some time for this PR to be release to Microsoft.Data.SqlClient.
For the cross tenant FIC scenario, do you suggest to manually set AccessToken or AccessTokenCallback as of now?
Is there any example we can follow?

@yhvicey
Copy link
Author

yhvicey commented Jun 24, 2024

If you're looking for a temporary workaround/solution, ping @yiwwan at Teams, I'll share workaround solution.

@David-Engel David-Engel mentioned this pull request Jul 22, 2024
Closed
@DavoudEshtehari DavoudEshtehari added this to the 6.0-preview1 milestone Aug 19, 2024
@DavoudEshtehari DavoudEshtehari added the 💡 Enhancement Issues that are feature requests for the drivers we maintain. label Aug 19, 2024
@DavoudEshtehari
Copy link
Contributor

@yhvicey I couldn't find the AZURE_MSI_CLIENT_ID environment variable in the documentation or the source code. I might be looking in the wrong places; could you please provide me with the correct links?

@yhvicey
Copy link
Author

yhvicey commented Aug 20, 2024

@DavoudEshtehari it's not official env var used by azure.identity (see PR's description), I also worried about what if azure.identity added support for MSI + FIC in the future and didn't use same env var name. Maybe we can switch to a ADO.NET specific env var name.
Or, we can add MSI + FIC in azure.identity first, then leverage it here directly, but that'll took much longer time, I expect

@DavoudEshtehari
Copy link
Contributor

@DavoudEshtehari it's not official env var used by azure.identity (see PR's description), I also worried about what if azure.identity added support for MSI + FIC in the future and didn't use same env var name. Maybe we can switch to a ADO.NET specific env var name. Or, we can add MSI + FIC in azure.identity first, then leverage it here directly, but that'll took much longer time, I expect

We usually don't accept unofficial dependencies to avoid the breaking changes.
cc @saurabh500 @David-Engel

@cheenamalhotra
Copy link
Member

Note: The first two environment variables are defined in Azure.Identity library, the third one is newly defined.

What is the plan to document this new env variable? If this is something that will take time, I would recommend converting this PR to draft or closing if this is not in plan. But the driver only consumes documented APIs, or will not expose a feature until the behavior is documented use of the same.

@DavoudEshtehari DavoudEshtehari removed this from the 6.0-preview1 milestone Aug 20, 2024
@DavoudEshtehari DavoudEshtehari marked this pull request as draft August 27, 2024 17:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JRahnama JRahnama JRahnama left review comments

@David-Engel David-Engel David-Engel left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
💡 Enhancement Issues that are feature requests for the drivers we maintain.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Federated Identity Credentials + Managed Identity support
7 participants
@yhvicey @srxmsft @DavoudEshtehari @cheenamalhotra @David-Engel @JRahnama @yiwwan