
Postgresql database connection with Workload Identity in an AKS deployment

Open svanmieghem opened this issue 1 year ago • 1 comment

What happened?

I am able to deploy the DAB container in an AKS cluster and mount the configfile, which is loaded. Our preferred policy is to use a workload identity to authenticate with the Postgresql Flexible server database.

Connection string, via environment variable injected in dab-config.json. The client id gets replaced at deploy time via Helm:

"Host=psqlf-demo....postgres.database.azure.com;Port=5432;Database=demo;SSL Mode=Require;User Id={{.Value.serviceAccount.clientId}}"

Part of the config file:

    {
      "$schema": "https://github.com/Azure/data-api-builder/releases/download/v1.1.7/dab.draft.schema.json",
      "data-source": {
        "database-type": "postgresql",
        "connection-string": "@env('DATABASE_CONNECTION')"
      },
      "runtime": {
        "host": {
          "mode": "development"
        }
      }
    }

According to the source code, an Azure identity is assumed when the connection string does not contain a password. Startup fails with a 28P01: password authentication failed for

I might be missing the option to explicitly inform DAB to use Azure authentication instead of regular username/password authentication.

Version

1.1.7

What database are you using?

PostgreSQL

What hosting model are you using?

Custom Docker host

Which API approach are you accessing DAB through?

REST, GraphQL

Relevant log output

info: Azure.DataApiBuilder.Core.Services.ISqlMetadataProvider[0]
      [monsters] REST path: /api/monsters
fail: Azure.DataApiBuilder.Service.Startup[0]
      Unable to complete runtime initialization. Refer to exception for error details.
      Azure.DataApiBuilder.Service.Exceptions.DataApiBuilderException: Cannot obtain Schema for entity monsters with underlying database object source: monsters.monsters due to: 28P01: password authentication failed for user "b8c2bf96-..."
         at Azure.DataApiBuilder.Core.Services.SqlMetadataProvider`3.HandleOrRecordException(Exception e) in /_/src/Core/Services/MetadataProviders/SqlMetadataProvider.cs:line 100
         at Azure.DataApiBuilder.Core.Services.SqlMetadataProvider`3.PopulateObjectDefinitionForEntity(String entityName, Entity entity) in /_/src/Core/Services/MetadataProviders/SqlMetadataProvider.cs:line 1116
         at Azure.DataApiBuilder.Core.Services.SqlMetadataProvider`3.PopulateObjectDefinitionForEntities() in /_/src/Core/Services/MetadataProviders/SqlMetadataProvider.cs:line 1054
         at Azure.DataApiBuilder.Core.Services.SqlMetadataProvider`3.InitializeAsync() in /_/src/Core/Services/MetadataProviders/SqlMetadataProvider.cs:line 289
         at Azure.DataApiBuilder.Core.Services.MetadataProviders.MetadataProviderFactory.InitializeAsync() in /_/src/Core/Services/MetadataProviders/MetadataProviderFactory.cs:line 65
         at Azure.DataApiBuilder.Service.Startup.PerformOnConfigChangeAsync(IApplicationBuilder app) in /_/src/Service/Startup.cs:line 613
fail: Azure.DataApiBuilder.Service.Startup[0]
      Could not initialize the engine with the runtime config file: dab-config.json

Code of Conduct

  • [X] I agree to follow this project's Code of Conduct

svanmieghem, Jun 19 '24 12:06
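A diagnostic added here by the editor; it is not code from the data-api-builder project or from the issue author. It checks, from inside the DAB pod, the two things this report hinges on. `has_password` and `with_token_as_password` apply the rule the author describes (no password in the connection string means an Azure identity is expected) to an Npgsql-style connection string, including the `PWD`/`PSW` aliases Npgsql accepts; `missing_workload_identity_vars` looks for the environment variables the AKS workload identity webhook injects into a pod labelled `azure.workload.identity/use: "true"`; `acquire_postgres_token` uses azure-identity's `DefaultAzureCredential` against the Azure Database for PostgreSQL token scope, so you can confirm that the identity can obtain a token before blaming the DAB side. All function names, the sample host and the sample client id are constructed for this example.

```python
"""Workload identity pre-flight for a DAB pod talking to PostgreSQL Flexible Server.

Added example, not part of data-api-builder. Run it in the same pod spec as DAB
(same service account, same env) to separate "the identity cannot get a token"
from "DAB did not pick the identity path".
"""
import os
from typing import Dict, List, Mapping

# Microsoft Entra token scope accepted by Azure Database for PostgreSQL.
POSTGRES_TOKEN_SCOPE = "https://ossrdbms-aad.database.windows.net/.default"

# Npgsql keyword and its aliases for the password; matching is case-insensitive.
PASSWORD_KEYS = {"password", "pwd", "psw"}

# Variables the AKS workload identity webhook injects into a labelled pod.
WORKLOAD_IDENTITY_VARS = ("AZURE_CLIENT_ID", "AZURE_TENANT_ID", "AZURE_FEDERATED_TOKEN_FILE")


def parse_connection_string(conn_str: str) -> Dict[str, str]:
    """Split 'Key=Value;Key2=Value2' into a dict with lower-cased keys."""
    parts: Dict[str, str] = {}
    for segment in conn_str.split(";"):
        segment = segment.strip()
        if not segment:
            continue
        key, sep, value = segment.partition("=")
        if not sep:
            raise ValueError(f"malformed connection string segment: {segment!r}")
        parts[key.strip().lower()] = value.strip()
    return parts


def has_password(conn_str: str) -> bool:
    """True when a non-empty password keyword (or alias) is present.

    This mirrors the rule the issue describes: without a password, DAB is
    expected to fall back to an Azure identity rather than a static secret.
    """
    parts = parse_connection_string(conn_str)
    return any(parts.get(key) for key in PASSWORD_KEYS)


def with_token_as_password(conn_str: str, token: str) -> str:
    """Drop any password keyword and append the access token as Password.

    Flexible Server accepts an Entra access token in the password field, so this
    is the string a one-off connectivity test would hand to DAB. Tokens are
    base64url plus dots and never contain ';', so no quoting is needed.
    """
    kept = [
        seg.strip()
        for seg in conn_str.split(";")
        if seg.strip() and seg.partition("=")[0].strip().lower() not in PASSWORD_KEYS
    ]
    return ";".join(kept + [f"Password={token}"])


def missing_workload_identity_vars(env: Mapping[str, str] = os.environ) -> List[str]:
    """Return the webhook-injected variables that are absent or empty.

    If this is non-empty, the pod is not labelled for workload identity or the
    webhook did not mutate it, and no library in the container can use the identity.
    """
    return [name for name in WORKLOAD_IDENTITY_VARS if not env.get(name)]


def acquire_postgres_token(credential=None) -> str:
    """Obtain an Entra access token for PostgreSQL via azure-identity.

    DefaultAzureCredential includes WorkloadIdentityCredential when the
    AZURE_* variables above are present. Imported lazily so the pure checks
    in this module run without the dependency installed.
    """
    from azure.identity import DefaultAzureCredential  # pip install azure-identity

    cred = credential or DefaultAzureCredential()
    return cred.get_token(POSTGRES_TOKEN_SCOPE).token


if __name__ == "__main__":
    # Constructed sample matching the shape used in the report (host and client id are fake).
    sample = (
        "Host=psqlf-demo.postgres.database.azure.com;Port=5432;Database=demo;"
        "SSL Mode=Require;User Id=b8c2bf96-0000-0000-0000-000000000000"
    )
    conn = os.environ.get("DATABASE_CONNECTION", sample)

    missing = missing_workload_identity_vars()
    if missing:
        print("workload identity not injected; missing:", ", ".join(missing))
        raise SystemExit(1)

    if has_password(conn):
        print("connection string carries a password; DAB will use it, not the identity")
        raise SystemExit(0)

    token = acquire_postgres_token()
    # Never print the token itself; report that acquisition worked and how to use it.
    print(f"token acquired ({len(token)} chars); for a one-off test set DATABASE_CONNECTION to")
    print(with_token_as_password(conn, "<token>"))
```

If `missing_workload_identity_vars` reports anything, the problem is in the pod spec (label, service account annotation, federated credential) and not in DAB. If the token is obtained but the database still answers 28P01, check that an Entra principal for that identity exists in the server (created with the `pgaadauth_*` functions) and that the `User Id` in the connection string is the name that principal was registered under. A token pasted into `Password=` is a connectivity test only: it expires after roughly an hour, so it is not a substitute for DAB acquiring tokens itself.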