DacFx icon indicating copy to clipboard operation
DacFx copied to clipboard

Published 20 hours ago verified publisher icon microsoft

"Value cannot be null. (Parameter 'AKV')" Script Action using azure key vault column encryption

Open asrichesson opened this issue 1 year ago • 5 comments

  • SqlPackage or DacFx Version: 162.0.52.1
  • .NET Framework (Windows-only) or .NET Core: .NET Core
  • Environment (local platform and source/target platforms): Windows 10, Microsoft SQL Server 2019 (RTM-CU12) (KB5004524) - 15.0.4153.1 (X64) Jul 19 2021 15:37:34 Copyright (C) 2019 Microsoft Corporation Express Edition (64-bit) on Windows 10 Home 10.0 <X64> (Build 19045: )

Steps to Reproduce:

  1. Create and deploy an ssdt database project with a single table in vs code or vs
  2. Add an azure key vault encryption master key and column encryption key
  3. Reference the encryption key on one of the columns in your table
  4. Build the database project to a dacpac
  5. use sqlpackage.exe to script the changes: sqlpackage /a:Script /tsn:"MyServer" /tdn:TestDatabase /sf:TestDatabase.dacpac /dsp:deploy.sql /drp:report.xml
  6. The following error is displayed:
Generating publish script for database 'TestDatabase' on server 'MyServer'.
Initializing deployment (Start)
Initializing deployment (Complete)
Analyzing deployment plan (Start)
Analyzing deployment plan (Failed)
-*** Value cannot be null. (Parameter 'AKV')

Adding the /akv:Interactive param used for the /a:Publish Action yields the following:

- *** 'AzureKeyVaultAuthMethod' is not a valid argument for the 'Script' action.

Instead, changing /dsp:deploy.sql to /op:deploy.sql and removing /drp:report.xml will successfully generate a script. But this means we lose the capability of generating the deploy report.

I'm aware that deploying encryption changes requires using the Publish action, but I would still like to get the script and report since we know it can be generated using /op.

I would expect one of the following:

  • A better error message if /dsp and /drp are not supported for azure key vault encryption changes.
  • Add the /akv, /cid, and the /secr params from the publish action to the script action
  • Generates the script without an error message about missing "AKV"

I have attached a demo project to reproduce. AzureKeyVaultScriptIssue.zip

Did this occur in prior versions? If not - which version(s) did it work in?

(DacFx/SqlPackage/SSMS/Azure Data Studio)

asrichesson avatar Jul 27 '23 05:07 asrichesson

the same with me

jasonvuriker avatar Sep 13 '23 07:09 jasonvuriker

Also ran into this.

It would be awesome is expand the support for key vault authentication to support an Access Token. This would allow CI/CD pipelines using federation to work without having to fall back to using client secrets to access the key vault.

Feature Request: #374

Thanks Michael

MichaelJRogersGM avatar Dec 29 '23 20:12 MichaelJRogersGM

We recently added support for DefaultAzureCredential for this feature. More Info here: https://learn.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet

this means without setting akv parameter, DacFx can still do the authentication for AKV using the local environment. I'm wondering if that helps with what you need @MichaelJRogersGM. @asrichesson I also verify with this change aks won't be required anymore for script and I ran the similar command to create report to verify

llali avatar Apr 26 '24 16:04 llali

you can try the latest credential support using the preview version of sqlpackage. dotnet tool insall -g Microsoft.SqlPackage --version 162.3.540-preview

llali avatar Apr 26 '24 20:04 llali

Looks good, thanks!

asrichesson avatar Apr 27 '24 16:04 asrichesson