Read about system-assigned managed identity (SMI), the Azure AD identity that belongs to the VM itself:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-arm
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-sql
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad
Using SMI with App service to access Azure SQL databases
https://azure.microsoft.com/en-us/blog/securing-azure-sql-databases-with-managed-identities-just-got-easier/
<#
VM access configuration (done once, by an administrator, before the script below is run on the VM).
Prerequisite: the VM's system-assigned managed identity is turned on (VM > Identity > System assigned > On).
The identity's display name is the VM name, here smi-vm.
1. Azure Resources - NOT required if only accessing SQL DBs / Key Vault and not Azure resources (ARM)
Navigate to the tab for Resource Groups.
Select the specific Resource Group you created for your Windows VM.
Go to Access control (IAM) in the left panel.
Click Add role assignment to create a new role assignment for your Windows VM. Choose Reader as the Role.
In the Assign access to drop-down, select Virtual Machine.
Next, ensure the proper subscription is listed in the Subscription drop-down, and for Resource Group select All resource groups.
Finally, in Select, choose your Windows VM from the drop-down and click Save.
2. SQL users
Start SQL Server Management Studio.
In the Connect to Server dialog, enter your SQL server name in the Server name field.
In the Authentication field, select Active Directory - Universal with MFA support.
In the User name field, enter the name of the Azure AD account that you set as the server administrator, for example helen@woodgroveonline.com
(users FROM EXTERNAL PROVIDER can only be created by an Azure AD principal, not by a SQL login).
Click Options.
In the Connect to database field, enter the name of the non-system database you want to configure.
Click Connect. Complete the sign-in process.
In the Object Explorer, expand the Databases folder.
Right-click the user database and click New query.
In the query window, enter the following lines and click Execute in the toolbar
([smi-vm] must be the VM name; db_datareader is read-only, which is all the SELECT below needs):
CREATE USER [smi-vm] FROM EXTERNAL PROVIDER
ALTER ROLE db_datareader ADD MEMBER [smi-vm]
#>
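The portal steps in the block above, done with the Az PowerShell module instead of clicking through the portal. This is an added example and not part of the original notes: the resource group name rg-smi is an assumption, while the VM name smi-vm, the vault cm-kv1, the server a1257 and the database a1 are the names used elsewhere on this page. It assumes Connect-AzAccount has been run as the Azure AD admin of the SQL server, since only an Azure AD principal can create the external user.

```powershell
# Added example (not from the original notes): the one-time VM access
# configuration with Az.Compute, Az.Resources, Az.KeyVault and Az.Accounts.
$rg       = 'rg-smi'                       # assumption: resource group holding the VM
$vmName   = 'smi-vm'                       # the VM name is also the identity's display name
$vault    = 'cm-kv1'
$sqlFqdn  = 'a1257.database.windows.net'
$database = 'a1'

# 0. Make sure the system-assigned identity is on (no-op when it already is).
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
if (-not $vm.Identity -or $vm.Identity.Type -notmatch 'SystemAssigned') {
    Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null
    $vm = Get-AzVM -ResourceGroupName $rg -Name $vmName   # re-read to get the PrincipalId
}
$principalId = $vm.Identity.PrincipalId

# 1. Azure resources (only if the VM must call ARM): Reader, scoped to the VM's
#    own resource group rather than the whole subscription.
$scope = (Get-AzResourceGroup -Name $rg).ResourceId
if (-not (Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName Reader -Scope $scope)) {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName Reader -Scope $scope | Out-Null
}

# 2. Key Vault access policy: 'get' on secrets is all a secret read needs.
#    (A vault using Azure RBAC instead of access policies gets the
#    'Key Vault Secrets User' role the same way as step 1.)
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $principalId -PermissionsToSecrets get

# 3. SQL contained user for the identity, run with the admin's own Azure AD token.
#    The name in CREATE USER must equal the VM name: Azure AD resolves the
#    external principal by display name.
$t = (Get-AzAccessToken -ResourceUrl 'https://database.windows.net/').Token
if ($t -is [securestring]) {   # newer Az.Accounts versions return a SecureString
    $t = [Net.NetworkCredential]::new('', $t).Password
}
$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Data Source=$sqlFqdn; Initial Catalog=$database; Encrypt=True"
$conn.AccessToken = $t
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$vmName')
    CREATE USER [$vmName] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [$vmName];
"@
    [void]$cmd.ExecuteNonQuery()
} finally {
    $conn.Close()
}
```

A freshly enabled identity can take a short while to replicate in Azure AD, so step 3 may fail with "principal not found" right after step 0; re-running the script is safe because every step is idempotent.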
#
# Note: the resource identifier for Azure SQL is
#   resource=https://database.windows.net/
# and it *** ends *** with a forward slash.
#
# Request a token from the Instance Metadata Service (IMDS) on the VM. The
# Metadata:true header is mandatory; IMDS rejects requests without it.
# -UseBasicParsing avoids the Internet Explorer dependency of Windows PowerShell 5.1.
$response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://database.windows.net/' -Method GET -Headers @{Metadata="true"} -UseBasicParsing
$content = $response.Content | ConvertFrom-Json
$AccessToken = $content.access_token
# The token replaces a password in the connection; no credential is stored on the VM.
# SqlConnection.AccessToken needs .NET Framework 4.6 or later.
$SqlConnection = New-Object System.Data.SqlClient.SqlConnection
$SqlConnection.ConnectionString = "Data Source = a1257.database.windows.net; Initial Catalog = a1; Encrypt = True"
$SqlConnection.AccessToken = $AccessToken
$SqlConnection.Open()
try {
    $SqlCmd = New-Object System.Data.SqlClient.SqlCommand
    $SqlCmd.CommandText = "SELECT * from dbo.tt1;"
    $SqlCmd.Connection = $SqlConnection
    $SqlAdapter = New-Object System.Data.SqlClient.SqlDataAdapter
    $SqlAdapter.SelectCommand = $SqlCmd
    $DataSet = New-Object System.Data.DataSet
    [void]$SqlAdapter.Fill($DataSet)   # [void] drops the row count Fill() returns
    $DataSet.Tables[0]
} finally {
    $SqlConnection.Close()
}
# If the trailing forward slash in "resource=https://database.windows.net/" is missing, Open() fails with:
# Exception calling "Open" with "0" argument(s): "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'."
#
#
# ===================== Key Vault ==========
# Add an access policy on the AKV for the VM: Key Vault > Access policies > Add,
# principal = the VM's identity (smi-vm), secret permissions = Get.
#
#
# Note: the resource identifier for Key Vault is
#   resource=https://vault.azure.net
# and it has *** NO *** forward slash at the end.
#
$response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://vault.azure.net' -Method GET -Headers @{Metadata="true"} -UseBasicParsing
$content = $response.Content | ConvertFrom-Json
$KeyVaultToken = $content.access_token
# Read one secret over the Key Vault REST API (URI quoted so PowerShell does not parse the query string).
$result = Invoke-WebRequest -Uri 'https://cm-kv1.vault.azure.net/secrets/pwd?api-version=2016-10-01' -Method GET -Headers @{Authorization="Bearer $KeyVaultToken"} -UseBasicParsing
$secret = ($result.Content | ConvertFrom-Json).value   # the JSON also carries id and attributes; value is the secret
$secret   # handle like any credential: do not write it to logs or a transcript
# If a forward slash is added to "resource=https://vault.azure.net", the secret call fails with:
# Invoke-WebRequest : The remote server returned an error: (401) Unauthorized.
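Both trailing-slash failures above (ANONYMOUS LOGON for SQL, 401 for Key Vault) come down to the audience the token was minted for: each service compares the token's aud claim with its own identifier exactly. The following added example (not from the original notes; the function names Get-ImdsToken, ConvertFrom-JwtPayload and Show-ImdsAudience are my own) requests a token from IMDS for each of the four resource strings discussed on this page and decodes the aud claim, so the difference is visible before any connection is attempted. It has to run on the VM, because 169.254.169.254 is reachable only from inside it.

```powershell
# Added example (not from the original notes): fetch IMDS tokens for several
# resource identifiers and show the audience each token was issued for.
function Get-ImdsToken {
    param([Parameter(Mandatory)][string]$Resource)
    $uri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
           '?api-version=2018-02-01&resource=' + [uri]::EscapeDataString($Resource)
    # Metadata:true is mandatory; IMDS refuses requests without it so that a
    # plain HTTP redirect cannot be used to obtain a token.
    Invoke-RestMethod -Uri $uri -Method GET -Headers @{ Metadata = 'true' } -ErrorAction Stop
}

function ConvertFrom-JwtPayload {
    # Decodes the middle (claims) segment of a JWT. No signature check: this is
    # for inspection only; the relying party (SQL, Key Vault) validates the token.
    param([Parameter(Mandatory)][string]$Jwt)
    $seg = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    switch ($seg.Length % 4) { 2 { $seg += '==' } 3 { $seg += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($seg)) | ConvertFrom-Json
}

function Show-ImdsAudience {
    param([Parameter(Mandatory)][string[]]$Resources)
    foreach ($r in $Resources) {
        try {
            $tok    = Get-ImdsToken -Resource $r
            $claims = ConvertFrom-JwtPayload -Jwt $tok.access_token
            [pscustomobject]@{
                Requested = $r
                Audience  = $claims.aud            # what the target service checks
                Identity  = $claims.oid            # object id of the VM's managed identity
                ExpiresOn = [DateTimeOffset]::FromUnixTimeSeconds([long]$tok.expires_on).LocalDateTime
                Error     = $null
            }
        } catch {
            # IMDS answers 400 when Azure AD does not know the resource identifier at all
            [pscustomobject]@{ Requested = $r; Audience = $null; Identity = $null
                               ExpiresOn = $null; Error = $_.Exception.Message }
        }
    }
}

# The four forms from the notes above. Only the first and third are accepted by
# SQL and Key Vault respectively; compare the Audience column row by row.
# Only claims are printed, never the token itself.
Show-ImdsAudience -Resources @(
    'https://database.windows.net/',   # accepted by Azure SQL
    'https://database.windows.net',    # -> Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
    'https://vault.azure.net',         # accepted by Key Vault
    'https://vault.azure.net/'         # -> (401) Unauthorized
) | Format-Table -AutoSize
```

IMDS asks for nothing beyond the Metadata header, so any process on the VM, including a web application with an SSRF bug, can obtain these tokens. That is the reason to keep the identity's grants as small as the steps above do: db_datareader on one database, Get on secrets in one vault, and Reader on one resource group only if ARM access is really needed.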