Alexey Auslender

Reputation: 496

Accessing azure sql db from AKS cluster using AAD authentication

I am able to access sql server azure from my .net core application running in app service by using AAD authentication. To be able to do so it was necessary to register user assigned managed identity in sql server and it was done by following steps in this article. In addition, it was necessary to specify AzureServicesAuthConnectionString (RunAs=App;AppId=c5309486-960d-46f4-bbea-XXX) to allow application code to request authentication token from Azure token provider, more info here

Now I am trying to migrate my application into AKS cluster. I am following instructions from https://www.cloudiqtech.com/implementing-azure-ad-pod-identity-in-aks-cluster/ to install Azure identity into cluster by using kubernetes application https://github.com/Azure/aad-pod-identity After all configuration was created, I also added AzureServicesAuthConnectionString to config map but the application fails with the following message:

An error occurred seeding the DB.

System.AggregateException: One or more errors occurred. (Parameters: Connection String: RunAs=App;AppId=a349660d-cbfd-45fc-a917-XXX, Resource: https://database.windows.net/, Authority: . Exception Message: Tried to get token using Managed Service Identity. Access token could not be acquired. The operation was canceled.)
---> Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connection String: RunAs=App;AppId=a349660d-cbfd-45fc-a917-XXX, Resource: https://database.windows.net/, Authority: . Exception Message: Tried to get token using Managed Service Identity. Access token could not be acquired. The operation was canceled.
at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider.GetAuthResultAsyncImpl(String resource, String authority, Boolean forceRefresh, CancellationToken cancellationToken)
at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider.GetAccessTokenAsync(String resource, String tenantId, Boolean forceRefresh, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at System.Threading.Tasks.Task`1.get_Result()
at MvcMovie.DataAccess.MovieContext..ctor(DbContextOptions`1 options)
at MvcMovie.DataAccess.SeedData.Initialize(IServiceProvider serviceProvider)
at MvcMovie.Program.Main(String[] args)

Upvotes: 1

Views: 2071

Answers (1)

Alexey Auslender

Reputation: 496

From AAD Pod Identity for Kubernetes documentation: AKS and aks-engine clusters require an identity to communicate with Azure. This identity can be either a managed identity (in the form of system-assigned identity or user-assigned identity) or a service principal. This section explains various role assignments that need to be performed before using AAD Pod Identity. Without the proper role assignments, your Azure cluster will not have the correct permission to assign and un-assign identities from the underlying virtual machines (VM) or virtual machine scale sets (VMSS).

I was missing the following role assignment to the cluster system assigned managed identity: "Managed Identity Operator", "Virtual Machine Contributor"

In addition, the user-assigned managed identity that accesses databases needs to be created within the same resource group that the AKS cluster was created in.

Upvotes: -1
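The role assignments the answer describes, written out as an Azure CLI script; this is an added example, not code from the question, the answer or the aad-pod-identity project. RESOURCE_GROUP, CLUSTER_NAME and DB_IDENTITY_NAME are placeholder assumptions, and the grants are scoped to the cluster's node resource group (where the aad-pod-identity documentation places them) rather than the whole subscription.

```shell
#!/bin/sh
# Added example, not code from the question or answer: performs the role
# assignments the answer found missing, scoped to the AKS node resource group
# (least privilege: not the whole subscription), then creates the user-assigned
# identity for database access and verifies the grants before pods rely on them.
# RESOURCE_GROUP, CLUSTER_NAME and DB_IDENTITY_NAME are placeholder assumptions.
set -eu

# Grant each required role to the cluster identity (objectId) on the given scope.
assign_pod_identity_roles() {
  principal_id=$1; scope=$2
  for role in "Managed Identity Operator" "Virtual Machine Contributor"; do
    az role assignment create --assignee-object-id "$principal_id" \
      --assignee-principal-type ServicePrincipal \
      --role "$role" --scope "$scope" -o none
  done
}

# Succeed only when both roles are visible on the scope (assignments propagate
# asynchronously, so call this before deploying the pods).
verify_pod_identity_roles() {
  principal_id=$1; scope=$2
  for role in "Managed Identity Operator" "Virtual Machine Contributor"; do
    az role assignment list --assignee "$principal_id" --scope "$scope" \
      --role "$role" --query '[0].id' -o tsv | grep -q . || return 1
  done
}

main() {
  rg=${RESOURCE_GROUP:-my-rg}; cluster=${CLUSTER_NAME:-my-aks}
  db_identity=${DB_IDENTITY_NAME:-sql-access-identity}
  # System-assigned identity of the cluster and its node resource group (MC_*)
  principal_id=$(az aks show -g "$rg" -n "$cluster" --query identity.principalId -o tsv)
  node_rg=$(az aks show -g "$rg" -n "$cluster" --query nodeResourceGroup -o tsv)
  scope=$(az group show -n "$node_rg" --query id -o tsv)
  assign_pod_identity_roles "$principal_id" "$scope"
  # Creating the identity inside the node resource group keeps it under the scope
  # granted above; an identity elsewhere also needs "Managed Identity Operator"
  # granted to the cluster identity on that identity's resource id.
  az identity create -g "$node_rg" -n "$db_identity" -o none
  verify_pod_identity_roles "$principal_id" "$scope" && echo "role assignments in place"
}

# Only talk to Azure when explicitly asked, so the functions can be sourced.
if [ "${APPLY:-0}" = 1 ]; then main "$@"; fi
```

Run with `APPLY=1 RESOURCE_GROUP=... CLUSTER_NAME=... sh script.sh` after `az login`; without APPLY=1 the script only defines the functions.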
