Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Workload Identity Support #2158

Closed
wsugarman opened this issue Sep 16, 2023 · 1 comment · Fixed by #2159
Closed

Workload Identity Support #2158

wsugarman opened this issue Sep 16, 2023 · 1 comment · Fixed by #2159

Comments

@wsugarman
Copy link
Contributor

Is your feature request related to a problem? Please describe.

With the deprecation of AAD Pod Identity, app developers working in Kubernetes have been migrating to Azure Workload Identity. The Azure.Identity library now supports a new WorkloadIdentityCredential as of version 1.9.0, and it would great to take advantage of it in the SQL client library.

While Authentication = Active Directory Default is already supported, which would include WorkloadIdentityCredential in versions >= 1.9.0, it would require a small change to help propagate a user-specified ClientId using the existing User Id property in connection strings, like it is done with managed identities today. Furthermore, it would be advantageous for client code to directly specify the use of Workload Identity, instead of having to wait for the other token mechanisms in the default credential to fail. Today the SQL client supports directly specifying managed identity using Authentication = Active Directory Managed Identity, and similarly other Azure libraries are special-casing workload identity as well. I made a similar change for the Microsoft.Extensions.Azure package to support workload identity specifically.

Describe the solution you'd like

I would like two things:

  1. The specification of ClientId via User Id in the connection string for workload identity when using Authentication = Active Directory Default
  2. A new SqlAuthenticationMethod value called ActiveDirectoryWorkloadIdentity that leverages the WorkloadIdentityCredential
    • While it could leverage new parameters in the connection string, I think we could also rely on environment variables to configure it by default, including AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_FEDERATED_TOKEN_FILE. These are the environment variables used today by the Azure.Identity library.

Describe alternatives you've considered

In my app code, I could rely on updating Azure.Identity myself to a version >= 1.9.0 and use the default credential + environment variables to leverage workload identity.

Additional context

Going forward, workload identity will be the Microsoft-recommended way to authenticate in AKS.
@wsugarman wsugarman mentioned this issue Sep 16, 2023
Merged
@JRahnama JRahnama added the 🆕 Triage Needed For new issues, not triaged yet. label Sep 18, 2023
@JRahnama
Copy link
Contributor

@wsugarman thank you for providing the proposed solution in the PR. We will get back to you on this after reviewing the PR.

@David-Engel David-Engel removed the 🆕 Triage Needed For new issues, not triaged yet. label Sep 20, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
SqlClient Triage Board
Status: Closed
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add | Add Workload Identity Support wsugarman/SqlClient
3 participants
@wsugarman @David-Engel @JRahnama