Each of the remote execution options allows for varying use of Azure Managed Identities for authentication to supporting resources. This document shows:
- Which execution option is capable of leveraging the identity to connect to which resource
- How the identity gets associated with the execution compute type
- The configuration and/or arguments needed to instruct the use of the identity
- The Azure RBAC roles required for the identity
| Resource | Azure Batch | Kubernetes (AKS) | Container Apps | Container Instance (ACI) |
|---|---|---|---|---|
| Azure Key Vault | Yes | Yes, with Key Vault Identity Provider | Yes | Yes |
| SQL databases | Yes | Yes | No, see note | Yes |
| Blob Storage | No, see note | Yes | Yes | Yes |
| Service Bus | Yes | Yes | No, see note | Yes |
| Event Hub | Yes | Yes | Yes | Yes |
| Azure Container Registry | N/A | Yes, with `--attach-acr` | No | No |
Examples of each of these can be generated for you by running `create_azure_resources.ps1`, which creates sample Azure resources (including a user assigned Managed Identity) as well as sample settings files with the various options used in the test cases. You can also review the test methods in `SqlBuildManager.Console.ExternalTest` to see working examples of the various compute options and settings.
Azure Batch: the identity is assigned when the Azure Batch account is created. For an example, see `azuredeploy_batch.bicep`.
Kubernetes (AKS): the identity must first be associated with the AKS VM Scale Set. You can find an example of this assignment near the bottom of this script.
The identity is then assigned to the app at runtime in two steps. First, `AzureIdentity` and `AzureIdentityBinding` resources are created in the cluster (see `podIdentityAndBinding_template.yaml`). Then, when the SQL Build Manager job is deployed, an `aadpodidbinding` label is added to the job spec (see `sample_job.yaml`). This tells Kubernetes to assign the identity to the job's pods.
Container Apps: the workload deployed via `sbm containerapp deploy` uses an ARM template to deploy the workload. This ARM template contains the Managed Identity assignment (see `containerapp_identity_arm_template.json`). The identity information needs to be passed via the Identity options on the command line, or be saved into a settings file via `sbm containerapp savesettings`.
Container Instance (ACI): ACI also uses an ARM template to deploy the workload when running `sbm aci deploy`. This ARM template contains the Managed Identity assignment (see `aci_arm_template.json`). The identity information needs to be passed via the Identity options on the command line, or be saved into a settings file via `sbm aci savesettings`.
Azure Key Vault: to instruct the app to pull secrets from Azure Key Vault, provide the Key Vault name in the `--keyvault` argument of the appropriate `savesettings`, `prep` and/or `deploy` command. Alternatively, you can simply save it to the settings `.json` file with the `savesettings` command and use that settings file for all subsequent commands.
SQL databases: by default, the app uses username/password database authentication. To enable Managed Identity authentication, you first need to add the Managed Identity as a user in the database. Once this has been done, you can direct the app to use the identity to authenticate with the `--authtype ManagedIdentity` flag. (As always, this can be saved in a settings file with `savesettings` for easier execution and reuse.)
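The step "add the Managed Identity as a user to the database" is the one the page leaves to the reader. The following is an added example, not part of SqlBuildManager or its scripts: it creates the identity as a contained database user from the external (Azure AD) provider and confirms the result. It assumes the SqlServer PowerShell module (with `-AccessToken` support), that the caller is an Azure AD admin of the server, and placeholder server, database and identity names; the roles granted are an assumption, so grant only what your build scripts actually need.

```powershell
# Added example (not SqlBuildManager code). Placeholder values throughout.
$SqlServer    = "sbm-sample.database.windows.net"
$Database     = "sbm-sample-db"
$IdentityName = "mi-sbm-sample"   # display name of the user assigned Managed Identity

# Azure AD access token for Azure SQL, obtained with the Azure CLI as the server's AAD admin
$token = az account get-access-token --resource https://database.windows.net/ --query accessToken -o tsv
if (-not $token) { throw "Could not obtain an access token for Azure SQL" }

# Create the external user only if it does not exist, then grant roles.
# $IdentityName is a constant here; if it ever came from user input, build the
# statement with QUOTENAME instead of string interpolation.
# Role choice is an assumption: DDL-heavy build scripts typically need db_ddladmin
# plus data reader/writer, which is narrower than db_owner.
$createUser = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$IdentityName')
    CREATE USER [$IdentityName] FROM EXTERNAL PROVIDER;
ALTER ROLE db_ddladmin  ADD MEMBER [$IdentityName];
ALTER ROLE db_datareader ADD MEMBER [$IdentityName];
ALTER ROLE db_datawriter ADD MEMBER [$IdentityName];
"@
Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database -AccessToken $token -Query $createUser

# Verify: the principal should show as EXTERNAL_USER with exactly the roles granted above
$verify = @"
SELECT dp.name, dp.type_desc, r.name AS role_name
FROM sys.database_principals dp
LEFT JOIN sys.database_role_members rm ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals r  ON r.principal_id = rm.role_principal_id
WHERE dp.name = N'$IdentityName';
"@
Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database -AccessToken $token -Query $verify | Format-Table
```

Run this once per database the build targets; after that `--authtype ManagedIdentity` can replace the username/password settings for that database.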
NOTE: Azure Container Apps does not currently allow for Managed Identity authentication to Azure SQL Databases
Blob Storage: to use Managed Identity to access blob storage, simply don't provide a value for `--storageaccountkey`. If no key is provided, the app defaults to connecting with the identity.
NOTE: Azure Batch requires the storage account key to manage storage and create SAS token URLs. The key must be provided as a settings file value, command line argument or be saved in Azure Key Vault.
Service Bus: to use Managed Identity to connect to Azure Service Bus, use the Service Bus namespace (`<name>.servicebus.windows.net`) as the value for `--servicebustopicconnection`.
NOTE: Azure Container Apps uses a KEDA service bus scaler to manage scaling. This does not currently allow for Managed Identity authentication, so a full Service Bus connection string is still needed.
Event Hub: to use Managed Identity to connect to Azure Event Hub, use the Event Hub namespace and the Event Hub name as a pipe-delimited value for `--eventhubconnection`. For example: `<ehnamespace>.servicebus.windows.net|<eh name>`
Azure Container Registry: only Kubernetes is able to natively connect to the container registry without an admin username and password. This is assigned at creation or update of the cluster using the `--attach-acr` flag.
The Managed Identity assigned to the runtime compute will need the following Azure RBAC roles assigned at the resource group or on the specific services. NOTE: you can also use an identity to authenticate for the `prep` and `enqueue` steps; the identity of that user or machine will then also need these roles.
- Storage Blob Data Contributor - to read the build package and save log files
- Key Vault Secrets User - to pull secrets from the Key Vault
- Azure Service Bus Data Owner - to read messages and delete completed Service Bus Topic Subscriptions
- Azure Event Hubs Data Receiver - to read events from Event Hub
- Azure Event Hubs Data Sender - to send events to Event Hub
- AcrPull - to pull images from Azure Container Registry
You can see an example of the assignments in set_managedidentity_rbac.ps1
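As an added example (not the project's `set_managedidentity_rbac.ps1`), the script below assigns exactly the roles listed above to a user assigned Managed Identity with the Azure CLI, scoping each role to the individual service rather than the whole resource group, and then lists what the identity actually holds. Resource group, identity and resource names are placeholders.

```powershell
# Added example (not SqlBuildManager code). All names are placeholders.
$ResourceGroup = "rg-sbm-sample"
$IdentityName  = "mi-sbm-sample"
$StorageAcct   = "stsbmsample"
$KeyVault      = "kv-sbm-sample"   # must use the RBAC permission model, not access policies
$SbNamespace   = "sb-sbm-sample"
$EhNamespace   = "eh-sbm-sample"
$Registry      = "acrsbmsample"

# Role assignments bind to the identity's service principal object id, not its resource id
$principalId = az identity show --resource-group $ResourceGroup --name $IdentityName --query principalId -o tsv
if (-not $principalId) { throw "Managed Identity '$IdentityName' not found in '$ResourceGroup'" }
$rgId = az group show --name $ResourceGroup --query id -o tsv

# Each role from the list above, scoped to the one service that needs it.
# Per-resource scope keeps the identity from reaching other vaults/namespaces in the group.
$assignments = @(
    @{ Role = "Storage Blob Data Contributor"; Scope = "$rgId/providers/Microsoft.Storage/storageAccounts/$StorageAcct" },
    @{ Role = "Key Vault Secrets User";        Scope = "$rgId/providers/Microsoft.KeyVault/vaults/$KeyVault" },
    @{ Role = "Azure Service Bus Data Owner";  Scope = "$rgId/providers/Microsoft.ServiceBus/namespaces/$SbNamespace" },
    @{ Role = "Azure Event Hubs Data Receiver"; Scope = "$rgId/providers/Microsoft.EventHub/namespaces/$EhNamespace" },
    @{ Role = "Azure Event Hubs Data Sender";  Scope = "$rgId/providers/Microsoft.EventHub/namespaces/$EhNamespace" },
    @{ Role = "AcrPull";                       Scope = "$rgId/providers/Microsoft.ContainerRegistry/registries/$Registry" }
)

foreach ($a in $assignments) {
    # --assignee-principal-type avoids the AAD lookup race for newly created identities
    az role assignment create `
        --assignee-object-id $principalId `
        --assignee-principal-type ServicePrincipal `
        --role $a.Role `
        --scope $a.Scope | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Failed to assign '$($a.Role)' at $($a.Scope)" }
    Write-Host "Assigned '$($a.Role)' at $($a.Scope)"
}

# Review what the identity holds so nothing broader (e.g. Contributor on the group) crept in
az role assignment list --assignee $principalId --all `
    --query "[].{role:roleDefinitionName, scope:scope}" -o table
```

If Azure Batch is the compute option, the storage account key still has to be supplied as described in the Blob Storage note above; the Storage Blob Data Contributor assignment alone does not cover Batch.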