Issues with the configure powershell script
Eonasdan opened this issue · comments
Hi. Thanks for your talk and the code.
I had to make some changes to get this to work for me, and I wanted to share. I created an AAD group and made that the sql admin, not the umi. That group has myself and the ADO => Azure service principal. I then created a step (template) in my pipeline with some modifications to your script.
yaml step
steps: - task: AzurePowerShell@5 displayName: 'Setup Managed Identity SQL Access' inputs: azureSubscription: $(azureResourceManagerConnection) pwsh: true azurePowerShellVersion: 'LatestVersion' scriptType: 'InlineScript' Inline: | Install-Module -Name SqlServer -Scope CurrentUser -Force Import-Module SqlServer function ConvertTo-Sid {
param ([string]$appId)
[guid]$guid = [System.Guid]::Parse($appId)
foreach ($byte in $guid.ToByteArray()) {
$byteGuid += [System.String]::Format("{0:X2}", $byte)
}
return "0x" + $byteGuid
}
# Get an access token with the Service Principal used in the Azure DevOps Pipeline
$sqlToken = (Get-AzAccessToken -ResourceUrl https://database.windows.net).Token
Write-Host "Getting token"
# Get managed identity client (application) id
$managedIdentity = Get-AzUserAssignedIdentity -ResourceGroupName "$(resourceGroupName)" -Name "$(identityName)"
$appId = $managedIdentity.ClientId
Write-Host $appId
# Give User Assigned Managed Identity SQL database access
# You can use this syntax if AAD lookups are allowed
# CREATE USER [$miname] FROM EXTERNAL PROVIDER
$sid = ConvertTo-Sid -appId $appId
$Query = "IF NOT EXISTS(SELECT 1 FROM sys.database_principals WHERE name ='$(identityName)')
BEGIN
CREATE USER [$(identityName)] WITH DEFAULT_SCHEMA=[dbo], SID = $sid, TYPE = E;
END
IF IS_ROLEMEMBER('db_datareader','$(identityName)') = 0
BEGIN
ALTER ROLE db_datareader ADD MEMBER [$(identityName)]
END
IF IS_ROLEMEMBER('db_datawriter','$(identityName)') = 0
BEGIN
ALTER ROLE db_datawriter ADD MEMBER [$(identityName)]
END;
IF IS_ROLEMEMBER('db_ddladmin','$(identityName)') = 0
BEGIN
ALTER ROLE db_ddladmin ADD MEMBER [$(identityName)]
END;"
$sqlInstance = "$(sqlServerName).database.windows.net"
Write-Host "Creating DB user"
Invoke-Sqlcmd -ServerInstance $sqlInstance -Database "$(sqlDbName)" -AccessToken "$sqlToken" -Query $Query
The UMI should never be SQL admin. Why did you get the impression that that was the intention?
And thanks a lot for sharing your task.
Why did you get the impression that that was the intention?
I'm not sure. I probably thought the admin needed to be set that way from other research I was looking at.
Mostly, I wanted to share the task and the changes to the script.
Thanks again :)