ErikEJ / CloudBurstDemo


Issues with the configure powershell script

Eonasdan opened this issue · comments

Hi. Thanks for your talk and the code.

I had to make some changes to get this to work for me, and I wanted to share. I created an AAD group and made that the sql admin, not the umi. That group has myself and the ADO => Azure service principal. I then created a step (template) in my pipeline with some modifications to your script.

```yaml
steps:
  - task: AzurePowerShell@5
    displayName: 'Setup Managed Identity SQL Access'
    inputs:
      azureSubscription: $(azureResourceManagerConnection)
      pwsh: true
      azurePowerShellVersion: 'LatestVersion'
      scriptType: 'InlineScript'
      Inline: |
        Install-Module -Name SqlServer -Scope CurrentUser -Force
        Import-Module SqlServer

        # Convert the identity's client (application) id into the varbinary SID that
        # Azure SQL stores for TYPE = E principals (Guid.ToByteArray() byte order,
        # which is not the same as the dashed string with the dashes removed).
        function ConvertTo-Sid {
            param ([string]$appId)
            [guid]$guid = [System.Guid]::Parse($appId)
            $byteGuid = ""
            foreach ($byte in $guid.ToByteArray()) {
                $byteGuid += [System.String]::Format("{0:X2}", $byte)
            }
            return "0x" + $byteGuid
        }

        Write-Host "Getting token"

        # Get an access token with the Service Principal used in the Azure DevOps Pipeline.
        # The service principal must be an Azure AD admin of the server (here via the admin group).
        # Note: recent Az.Accounts releases return Token as a SecureString; convert it to plain text
        # before handing it to Invoke-Sqlcmd.
        $sqlToken = (Get-AzAccessToken -ResourceUrl "https://database.windows.net").Token

        # Get managed identity client (application) id
        $managedIdentity = Get-AzUserAssignedIdentity -ResourceGroupName "$(resourceGroupName)" -Name "$(identityName)"
        $appId = $managedIdentity.ClientId

        Write-Host $appId

        # Give User Assigned Managed Identity SQL database access.
        # You can use this syntax instead if AAD lookups are allowed from SQL:
        # CREATE USER [$miname] FROM EXTERNAL PROVIDER

        $sid = ConvertTo-Sid -appId $appId

        # $(identityName) is spliced into the T-SQL text as-is; it must be a trusted pipeline
        # variable without quotes or brackets, otherwise it can break out of the literal/identifier.
        $Query = "IF NOT EXISTS(SELECT 1 FROM sys.database_principals WHERE name ='$(identityName)')
                  BEGIN
                      CREATE USER [$(identityName)] WITH DEFAULT_SCHEMA=[dbo], SID = $sid, TYPE = E;
                  END
                  IF IS_ROLEMEMBER('db_datareader','$(identityName)') = 0
                  BEGIN
                      ALTER ROLE db_datareader ADD MEMBER [$(identityName)]
                  END
                  IF IS_ROLEMEMBER('db_datawriter','$(identityName)') = 0
                  BEGIN
                      ALTER ROLE db_datawriter ADD MEMBER [$(identityName)]
                  END;
                  IF IS_ROLEMEMBER('db_ddladmin','$(identityName)') = 0
                  BEGIN
                      ALTER ROLE db_ddladmin ADD MEMBER [$(identityName)]
                  END;"

        $sqlInstance = "$(sqlServerName).database.windows.net"

        Write-Host "Creating DB user"

        # Token-based auth: no SQL password in the pipeline; the DB user is created with the
        # SID derived above so no directory lookup from SQL is required.
        Invoke-Sqlcmd -ServerInstance $sqlInstance -Database "$(sqlDbName)" -AccessToken "$sqlToken" -Query $Query
```
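The step above relies on two things being right: the SID it writes for the managed identity must be the byte-for-byte encoding Azure SQL expects for a `TYPE = E` principal, and the role grants must actually land. The following PowerShell is an added example (not part of the issue or of the CloudBurstDemo repository) that round-trips a client id through that SID encoding, so a wrong byte order fails loudly before anything is sent to the server, and builds a query you can run afterwards to confirm the created principal maps back to the client id and holds the expected roles. The client id and identity name used at the bottom are made-up sample values; `ConvertTo-SqlSid`, `ConvertFrom-SqlSid` and `New-VerifyPrincipalQuery` are names chosen for this example.

```powershell
# Added example: verify the SID encoding and the resulting database principal.
# Not code from the original issue or the CloudBurstDemo repository.

function ConvertTo-SqlSid {
    param ([Parameter(Mandatory)][string]$ClientId)
    # Guid.ToByteArray() emits the mixed-endian layout SQL stores for TYPE = E
    # principals; stripping the dashes from the string form is NOT equivalent.
    $bytes = [guid]::Parse($ClientId).ToByteArray()
    return '0x' + (($bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

function ConvertFrom-SqlSid {
    param ([Parameter(Mandatory)][string]$Sid)
    # Reverse of ConvertTo-SqlSid: 0x + 32 hex chars back to the client id GUID.
    $hex = $Sid -replace '^0x', ''
    if ($hex.Length -ne 32) { throw "Expected a 16-byte SID, got $($hex.Length / 2) bytes" }
    $bytes = [byte[]](0..15 | ForEach-Object { [Convert]::ToByte($hex.Substring($_ * 2, 2), 16) })
    return [guid]::new($bytes).ToString()
}

function New-VerifyPrincipalQuery {
    param ([Parameter(Mandatory)][string]$IdentityName)
    # Doubling single quotes keeps a hostile identity name inside the string literal.
    $literal = $IdentityName -replace "'", "''"
    # CONVERT(uniqueidentifier, sid) yields the client id for a 16-byte external SID,
    # so the output can be compared directly with Get-AzUserAssignedIdentity.ClientId.
    return @"
SELECT p.name,
       p.type_desc,
       CONVERT(uniqueidentifier, p.sid) AS client_id,
       r.name AS role_name
FROM sys.database_principals AS p
LEFT JOIN sys.database_role_members AS m ON m.member_principal_id = p.principal_id
LEFT JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
WHERE p.name = N'$literal' AND p.type = 'E';
"@
}

# Sample client id and identity name (constructed for this example, not real resources).
$clientId = '11111111-2222-3333-4444-555555555555'
$sid = ConvertTo-SqlSid -ClientId $clientId
if ((ConvertFrom-SqlSid -Sid $sid) -ne $clientId) { throw 'SID round-trip failed' }
Write-Host "SID for $clientId is $sid"

# Run the returned query with Invoke-Sqlcmd -AccessToken against the target database
# after the pipeline step; expect one row per granted role with client_id = $clientId.
New-VerifyPrincipalQuery -IdentityName 'app-identity'
```

If the verification query returns no row, the `CREATE USER` did not run (check the `IF NOT EXISTS` branch and the name used); if it returns a row whose `client_id` differs from the identity's client id, the SID was encoded in the wrong byte order and token-based logins for the identity will fail even though the principal exists.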

The UMI should never be SQL admin. Why did you get the impression that that was the intention?

And thanks a lot for sharing your task.

> Why did you get the impression that that was the intention?

I'm not sure. I probably thought the admin needed to be set that way from other research I was looking at.

Mostly, I wanted to share the task and the changes to the script.

Thanks again :)