Access Synapse SQL Serverless Pool database objects using Managed identity

saurabh 331

Hi,

I am trying to access Synapse SQL Serverless Pool database obhejcts via a 1) Azure function written in Python and 2) From the synapse notebook using pyodbc driver. So far I have enabled the managed identity for Azure function, and granted the managed identity dbreader/writer permissions along with contributor role(this was done to just test if elevated privileges can help resolve the connectivity issue).

However, I am getting authentication failure message.

Can you share some references which provides details on how to use managed identities for authenticating an Azure function to Synapse sql serverless pool database?

BhargavaGunnam-MSFT 25,971 Reputation points Microsoft Employee

2022-08-12T22:56:15.687+00:00

Hi @saurabh ,

Thanks for the question and using MS Q&A platform.

Could you please provide me with a detailed error message you are getting?

If you want to learn how to use the managed identities for Azure resources, please see the video in the below URL.

https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
saurabh 331 Reputation points

2022-08-14T21:13:40.66+00:00

Hi @BhargavaGunnam-MSFT ,

Please find below the error message

Result: Failure Exception: InterfaceError: ('28000', "[28000] [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Login failed for user '<token-identified principal>'. (18456) (SQLDriverConnect)") Stack: File "/azure-functions-host/workers/python/3.9/LINUX/X64/azure_functions_worker/dispatcher.py", line 407, in _handle__invocation_request call_result = await self._loop.run_in_executor( File "/usr/local/lib/python3.9/concurrent/futures/thread.py", line 58, in run result = self.fn(*self.args, **self.kwargs) File "/azure-functions-host/workers/python/3.9/LINUX/X64/azure_functions_worker/dispatcher.py", line 649, in _run_sync_func return ExtensionManager.get_sync_invocation_wrapper(context, File "/azure-functions-host/workers/python/3.9/LINUX/X64/azure_functions_worker/extension.py", line 215, in _raw_invocation_wrapper result = function(**args) File "/home/site/wwwroot/readFunc/init.py", line 21, in main conn = pyodbc.connect('DRIVER={ODBC Driver 17 for SQL Server};Server=synapseworkspace-ondemand.sql.azuresynapse.net; Authentication=ActiveDirectoryMsi; Database=MyDBName')

1 answer

BhargavaGunnam-MSFT 25,971 Reputation points Microsoft Employee

2022-08-15T19:43:52.523+00:00
Hi @saurabh ,

Thank you for the reply. As per the error message, it looks like your managed Identity doesn't have access to the Synapse SQL pool, or the SQL connection string in the Azure function might not be correct.

Can you please validate them both?

On Synapse SQL end:

CREATE USER [<identity-name>] FROM EXTERNAL PROVIDER; ALTER ROLE db_datareader ADD MEMBER [<identity-name>]; ALTER ROLE db_datawriter ADD MEMBER [<identity-name>]; GO

On the Azure function end:
The managed identity connection string should be in this format:

Server=demo.database.windows.net; Authentication=Active Directory Managed Identity; Database=testdb

If both are configured correctly and still having issues, If you have a support plan, you may file a support ticket for deeper investigation; if you don't have a support plan, please let me know. I can enable one-time free support for you to work closely on this matter.

I am looking forward to hearing from you.
Please sign in to rate this answer.
saurabh 331 Reputation points

2022-08-15T19:52:22.573+00:00

I did create the user as mentioned above, and even tried to use "Authentication=Active Directory Managed Identity". However, it did not help. For "Authentication=Active Directory Managed Identity", I got an error stating that its not a valid option for pyodbc connection string, so had to use "Authentication=ActiveDiredctoryMsi" and it still didn't work.

I have created a support case.

Thanks for your help.

BhargavaGunnam-MSFT 25,971 Reputation points Microsoft Employee

2022-08-15T21:29:31.863+00:00

Hi @saurabh ,
Thank you for letting me know. In case, If you have any further questions, please get back to us.

BhargavaGunnam-MSFT 25,971 Reputation points Microsoft Employee

2022-08-16T22:45:27.68+00:00

Hi @saurabh ,
In case if you have a resolution from the support, please share the same here so that other community members can benefit from that.

saurabh 331 Reputation points

2022-08-17T02:40:48.103+00:00

Sure will do.

Hiob Gebisso 101 Reputation points

2023-12-14T23:03:43.6+00:00

@saurabh Did you ever find a solution to this problem? I am facing the exact same issue, when using the azure input bindings (https://github.com/Azure/azure-functions-sql-extension) in an azure function with Azure Directory Managed Identity to connect to the serverless pool? I can only get the function to work with the Interactive Authentication using my own AAD.
Sign in to comment