Azure Database for PostgreSQL
An Azure managed PostgreSQL database service for app development and deployment.
1,427 questions
Connection with managed identity to postgresql and token expiration
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 2%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EV%3C/text%3E%3C/svg%3E)
Vasile
0
Reputation points
Hello community, I have a Nest.Js app with TypeORM and PostgreSQL.I want to deploy my app to the azure and to connect the azure PostgreSQL database.I implemented next connection:
Database module:
import { Module } from '@nestjs/common';
import { ConfigModule, ConfigService } from '@nestjs/config';
import { TypeOrmModule } from '@nestjs/typeorm';
import { join } from 'path';
import { NODE_ENV } from 'src/common/enums/node.env.enum';
import { IPostgresConfig } from 'src/common/interfaces/postgres.config.interface';
import { getManagedIdentityCredential } from 'src/common/managed-identity/credential';
import { getDatabaseAccessToken } from 'src/common/managed-identity/database.access.token';
import { DataSource } from 'typeorm';
@Module({
imports: [
TypeOrmModule.forRootAsync({
imports: [ConfigModule],
inject: [ConfigService],
useFactory: async (configService: ConfigService) => {
const databaseConfig =
configService.get<IPostgresConfig>('postgresConfig');
const managedIdentityConfig = configService.get('managedIdentity');
const env = configService.get<string>('NODE_ENV');
const isTestEnv = env === NODE_ENV.TEST;
const _logging =
env !== NODE_ENV.LOCAL &&
env !== NODE_ENV.DEVELOPMENT &&
env !== NODE_ENV.TEST;
const _synchronize =
env === NODE_ENV.LOCAL ||
env === NODE_ENV.DEVELOPMENT ||
env === NODE_ENV.TEST;
const useSsl =
env === NODE_ENV.DEVELOPMENT ||
env === NODE_ENV.TEST ||
env === NODE_ENV.PRODUCTION;
const useManagedIdentity =
env === NODE_ENV.DEVELOPMENT ||
env === NODE_ENV.TEST ||
env === NODE_ENV.PRODUCTION;
let password: string;
if (useManagedIdentity) {
const credential = getManagedIdentityCredential(
managedIdentityConfig,
);
const accessToken = await getDatabaseAccessToken(credential);
password = accessToken.token;
} else {
password = databaseConfig.password;
}
return {
type: 'postgres',
host: databaseConfig.host,
database: isTestEnv ? 'test_db' : databaseConfig.database,
schema: databaseConfig.schema,
username: databaseConfig.user,
password,
port: +databaseConfig.port,
ssl: useSsl || { rejectUnauthorized: false },
entities: [
join(
__dirname,
'..',
'..',
'modules',
'**',
'entities',
'*.entity.{ts,js}',
),
join(
__dirname,
'..',
'..',
'common',
'entities',
'*.entity.{ts,js}',
),
join(__dirname, '..', '**', 'entities', '*.entity.{ts,js}'),
],
migrations: [join(__dirname, 'migrations', '*.{ts,js}')],
synchronize: _synchronize,
logging: _logging,
dropSchema: isTestEnv,
};
},
dataSourceFactory: async (options) => {
const dataSource = await new DataSource(options).initialize();
return dataSource;
},
}),
],
})
export class DatabaseModule {}
Credentials.ts
import { DefaultAzureCredential } from '@azure/identity';
type ManagedIdentityConfig = {
clientId: string;
};
export function getManagedIdentityCredential({
clientId,
}: ManagedIdentityConfig) {
const credential = new DefaultAzureCredential({
managedIdentityClientId: clientId,
});
return credential;
}
And database.access.token.ts
import { AccessToken, DefaultAzureCredential } from '@azure/identity';
const databaseScope = 'https://ossrdbms-aad.database.windows.net/.default';
export const getDatabaseAccessToken = async (
credential: DefaultAzureCredential,
): Promise<AccessToken> => {
const tokenResponse = await credential.getToken(databaseScope);
return tokenResponse;
};
The problem is that access token expires and the db connection get lost.And i get this error:
Maybe i do something wrong about managed identity?I have asked on Nestjs and TypeORM platforms but no answer.Thanks a lot already :)
Azure Database for PostgreSQL
Microsoft Security Microsoft Identity Manager
881 questions
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 69%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESR%3C/text%3E%3C/svg%3E)
Sai Raghunadh M 4,635 Reputation points Microsoft External Staff Moderator2025-01-22T11:27:12.8633333+00:00 -
Vasile 0 Reputation points
2025-01-23T11:48:03.58+00:00 Hello @Sai Raghunadh M , I don't think so, I want to understand how connection token rotation works, and if it even exists, if token expires some time after the connection with database is successful and i get this error.Because i did not find something in the docs about it , just how to establish connection to the PostgreSQL database with JS SDK and that's all.And maybe am I doing something wrong. I will be happy if someone will guide me in this. Thanks for your help :).
-
Deleted
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
-
Vasile 0 Reputation points
2025-01-23T11:55:53.2233333+00:00 Hello @Sai Raghunadh M
-
Sai Raghunadh M 4,635 Reputation points Microsoft External Staff Moderator
2025-01-23T17:56:13.5466667+00:00 Hi @Vasile,
Thanks for the question and using MS Q&A platform.
Sorry for the delay in my response.
When your application starts, it requests an access token from Azure using the managed identity. This token is valid for a specific period.
Once the token expires, your application will no longer be able to access the database, and you'll encounter errors like the one you're seeing.
Please go through this documentation that might help you: https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/how-to-connect-with-managed-identity?source=recommendations
I hope this information helps, please do let us know if you have any Queries.
-
Vasile 0 Reputation points
2025-01-24T12:04:27+00:00 Thanks for your answer @Sai Raghunadh M , so if i understand right there is no way that managed identity somehow rotate the old token and continue the connection with the database?And i need to terminate current connection get new token and after this make a new connection?
-
Sai Raghunadh M 4,635 Reputation points Microsoft External Staff Moderator
2025-01-24T12:27:06.1433333+00:00 Hi @Vasile,
You are correct, Unfortunately, managed identities do not automatically rotate tokens. You will need to manage the process of obtaining a new token and reconnecting to the database. -
Sai Raghunadh M 4,635 Reputation points Microsoft External Staff Moderator
2025-01-27T02:49:49.89+00:00 Hi @Vasile,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
-
Sai Raghunadh M 4,635 Reputation points Microsoft External Staff Moderator
2025-01-28T03:51:25.78+00:00 Hi @Vasile,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Sign in to comment
Sign in to answer