Unable to create Login for an Azure AD user/group #54
External users, i.e. those that are created out of AAD objects, do not need a login. You can directly create a user. Please refer to the docs how it looks like for a managed identity, however, it will be very similar for a regular user or group. The
@alxy: Thanks for your quick response, I am looking at alternate way to execute this query via Terraform to create a login and use it within the `mssql_user` resource
This is perfectly possible, you can use the

Your code would roughly translate like this:

```hcl
resource "mssql_user" "example" {
  server {
    host = "example-sql-server.database.windows.net"
    login {
      username = "sa"
      password = "p4sswd"
    }
  }
  database   = "master"
  login_name = "DBA GROUP" # this needs to be the name of the security group in your AAD tenant
  username   = "dba-group" # this will be the SQL-username of the external user on your SQL server
}
```
Thanks @alxy. Here's what I tried to create a user for an AD group. This is the initial Terraform script I used:

```hcl
data "azuread_group" "this" {
  display_name = "tf-group"
}

resource "mssql_user" "this" {
  server {
    host = azurerm_mssql_server.sql_server.fully_qualified_domain_name
    login {
      username = azurerm_mssql_server.sql_server.administrator_login
      password = azurerm_mssql_server.sql_server.administrator_login_password
    }
  }
  database   = azurerm_mssql_database.this.name
  username   = data.azuread_group.this.display_name
  login_name = data.azuread_group.this.display_name
  object_id  = data.azuread_group.this.object_id
  roles = [
    "db_owner",
    "db_datawriter",
    "db_datareader",
  ]
}
```

However, using

```
Error: unable to create user [my-database].[tf-group]: mssql: Cannot add the principal 'tf-group', because it does not exist or you do not have permission.
```

When leaving

Now I was also having a look at the database using SSMS and I noticed this principal is marked as being an

```sql
SELECT name, type, type_desc FROM sys.database_principals
```

Not sure what the impact is of having
Are you absolutely sure the SQL server has read access on your AAD tenant?

You can check if that works by running a
When running `CREATE USER [my-group] FROM EXTERNAL PROVIDER` using SSMS it creates the user with type X, so that works. When running Terraform without

When running Terraform with

I do not know the whole codebase, but I noticed the type seems to be set here when using
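The two comments above (the `CREATE USER ... FROM EXTERNAL PROVIDER` statement that works from SSMS, and the earlier `sys.database_principals` query that exposed the wrong principal type) can be combined into one T-SQL check that does what the provider is expected to do and then verifies the result. This is an added example, not code from the issue thread or from the terraform-provider-mssql project; `[tf-group]` is the group display name used earlier in the thread and the GUID in the commented alternative is a placeholder. It assumes you are connected to the target database as the server's Azure AD admin (or another principal that can resolve names in the tenant and create users).

```sql
-- Added example: create an external (Azure AD) principal directly in the
-- database, then verify its type and role membership. No server login is
-- involved; contained external users are resolved against the tenant.

-- 1. Create the user only if it is not already present.
--    Azure AD groups are created the same way as users: the name must match the
--    display name in the tenant, which is where "Cannot add the principal ...
--    because it does not exist or you do not have permission" comes from when
--    the server cannot read the directory.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'tf-group')
    CREATE USER [tf-group] FROM EXTERNAL PROVIDER;

-- Alternative when the display name is ambiguous (e.g. several service
-- principals or managed identities share a name): pin the principal by its
-- directory object id. Placeholder GUID; replace with the real object id.
-- CREATE USER [tf-group] FROM EXTERNAL PROVIDER
--     WITH OBJECT_ID = '00000000-0000-0000-0000-000000000000';

-- 2. Verify what was created. An Azure AD group should show type X
--    (EXTERNAL_GROUPS); a single user, service principal or managed identity
--    shows type E (EXTERNAL_USER). authentication_type_desc is EXTERNAL for both.
SELECT name, type, type_desc, authentication_type_desc
FROM sys.database_principals
WHERE name = N'tf-group';

-- 3. Grant the database roles the thread's Terraform config asked for.
ALTER ROLE db_datareader ADD MEMBER [tf-group];
ALTER ROLE db_datawriter ADD MEMBER [tf-group];

-- 4. Confirm the role membership actually landed on the right principal type.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'tf-group';
```

Step 2 is the useful diagnostic: if a group comes back as type E, members of the group will not be mapped to it at connection time, and the role grants in step 3 will silently apply to a principal nobody can authenticate as.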
@alxy any thoughts on this?
FYI, this in the end seemed to work:
@eriktim Nice to hear that you could solve it with this other auth mechanism. 👍
Not exactly the AAD group, but I'm trying to create a user for managed identity of an app service that I'm creating in same pipeline (Azure Devops). The external user is created and added to the specific roles as well but I'm not able to login from the app service. Here is the code:

If I delete the user and create directly in database (

Also, the service principal (user) running the pipeline is member of AAD group which is AD admin for the SQL Server. Not sure what is going wrong there :(
how we got over this:

I'll try to use
@amantur I ran into the same issue as you. The problem is that the provider documentation is incorrect. You cannot use

The value you need for a system assigned managed identity is from

In my case, I'm granting the SMI of a web app the ability to read data from an Azure SQL database.

This is only for SMI, if you want to grant a specific user or AD group access, the method stated in the documentation is correct. Hope it helps
I'll give it a try, I'm currently using PowerShell as had to deliver the infra. I think it may work because now SQL Server identity has directory read permissions.
did you literally use

I'm terribly confused..... :-( using Terraform, I created the SQL server like so

then I create a database

now I want to add my "developers" AAD group to the master database. My understanding is that doing so would allow any member of that AAD group to login to any database on the server (maybe this is incorrect???)

which fails with

which makes sense, but I'm confused on which credentials I need to provide. I've got the TF running as a service principal and I've got an AAD group ("sql_server_admin_group") but its just the group assigned as the AAD admin on the server.
@jason-berk-k1x been a while and on to other things now, so just some comments
I ran into a similar issue and wound up looking how to approach the user creation using an azure devops pipeline and stumbled upon this https://fgheysels.github.io/managed-identity-users-in-sql-via-devops/ and figured a similar approach needs to be used if using the SA vs Entra Admin. Looking at terraform-provider-mssql/sql/user.go Line 109 in a0cab2c

I assume this is responsible for setting the external group as a user, perhaps some other parameter to specify a user or group if an object ID is provided? if group set it to type X
When upgrading to

```hcl
data "azapi_resource" "app-service-identity" {
  name                   = "default"
  parent_id              = azurerm_linux_web_app.example.id
  type                   = "Microsoft.ManagedIdentity/identities@2018-11-30"
  response_export_values = ["properties.clientId"]
}

resource "mssql_user" "appservice-user" {
  ...
  database  = "mydb"
  username  = azurerm_linux_web_app.example.name
  object_id = data.azapi_resource.app-service-identity.output.properties.clientId
  roles     = ["db_datareader"]
  ...
}
```
Unable to create Login for an Azure AD user/group, because the password for the `mssql_login` resource is required.

How do I skip the password parameter for creating a login for an Azure AD user, and let the module know that it's for an Azure AD user/group and not an SQL Auth Login?