Tutorial: Deploy a Spring application to Azure Spring Apps with a passwordless connection to an Azure database
This article shows you how to use passwordless connections to Azure databases in Spring Boot applications deployed to Azure Spring Apps.
In this tutorial, you complete the following tasks using the Azure portal or the Azure CLI. Both methods are explained in the following procedures.
- Provision an instance of Azure Spring Apps.
- Build and deploy apps to Azure Spring Apps.
- Run apps connected to Azure databases using managed identity.
Note
This tutorial doesn't work for R2DBC.
Prerequisites
- An Azure subscription. If you don't already have one, create a free account before you begin.
- Azure CLI 2.45.0 or higher required.
- The Azure Spring Apps extension. You can install the extension by using the command:
az extension add --name spring
. - Java Development Kit (JDK), version 8, 11, or 17.
- A Git client.
- cURL or a similar HTTP utility to test functionality.
- MySQL command line client if you choose to run Azure Database for MySQL. You can connect to your server with Azure Cloud Shell using a popular client tool, the mysql.exe command-line tool. Alternatively, you can use the
mysql
command line in your local environment. - ODBC Driver 18 for SQL Server if you choose to run Azure SQL Database.
Prepare the working environment
First, set up some environment variables by using the following commands:
export AZ_RESOURCE_GROUP=passwordless-tutorial-rg
export AZ_DATABASE_SERVER_NAME=<YOUR_DATABASE_SERVER_NAME>
export AZ_DATABASE_NAME=demodb
export AZ_LOCATION=<YOUR_AZURE_REGION>
export AZ_SPRING_APPS_SERVICE_NAME=<YOUR_AZURE_SPRING_APPS_SERVICE_NAME>
export AZ_SPRING_APPS_APP_NAME=hellospring
export AZ_DB_ADMIN_USERNAME=<YOUR_DB_ADMIN_USERNAME>
export AZ_DB_ADMIN_PASSWORD=<YOUR_DB_ADMIN_PASSWORD>
export AZ_USER_IDENTITY_NAME=<YOUR_USER_ASSIGNED_MANAGEMED_IDENTITY_NAME>
Replace the placeholders with the following values, which are used throughout this article:
<YOUR_DATABASE_SERVER_NAME>
: The name of your Azure Database server, which should be unique across Azure.<YOUR_AZURE_REGION>
: The Azure region you want to use. You can useeastus
by default, but we recommend that you configure a region closer to where you live. You can see the full list of available regions by usingaz account list-locations
.<YOUR_AZURE_SPRING_APPS_SERVICE_NAME>
: The name of your Azure Spring Apps instance. The name must be between 4 and 32 characters long and can contain only lowercase letters, numbers, and hyphens. The first character of the service name must be a letter and the last character must be either a letter or a number.<AZ_DB_ADMIN_USERNAME>
: The admin username of your Azure database server.<AZ_DB_ADMIN_PASSWORD>
: The admin password of your Azure database server.<YOUR_USER_ASSIGNED_MANAGEMED_IDENTITY_NAME>
: The name of your user assigned managed identity server, which should be unique across Azure.
Provision an instance of Azure Spring Apps
Use the following steps to provision an instance of Azure Spring Apps.
Update Azure CLI with the Azure Spring Apps extension by using the following command:
az extension update --name spring
Sign in to the Azure CLI and choose your active subscription by using the following commands:
az login az account list --output table az account set --subscription <name-or-ID-of-subscription>
Use the following commands to create a resource group to contain your Azure Spring Apps service and an instance of the Azure Spring Apps service:
az group create \ --name $AZ_RESOURCE_GROUP \ --location $AZ_LOCATION az spring create \ --resource-group $AZ_RESOURCE_GROUP \ --name $AZ_SPRING_APPS_SERVICE_NAME
Create an Azure database instance
Use the following steps to provision an Azure Database instance.
Create an Azure Database for MySQL server by using the following command:
az mysql flexible-server create \ --resource-group $AZ_RESOURCE_GROUP \ --name $AZ_DATABASE_SERVER_NAME \ --location $AZ_LOCATION \ --admin-user $AZ_DB_ADMIN_USERNAME \ --admin-password $AZ_DB_ADMIN_PASSWORD \ --yes
Note
If you don't provide admin-user
or admin-password
parameters, the system will generate a default admin user or a random admin password by default.
Create a new database by using the following command:
az mysql flexible-server db create \ --resource-group $AZ_RESOURCE_GROUP \ --database-name $AZ_DATABASE_NAME \ --server-name $AZ_DATABASE_SERVER_NAME
Create an app with a public endpoint assigned
Use the following command to create the app.
az spring app create \
--resource-group $AZ_RESOURCE_GROUP \
--service $AZ_SPRING_APPS_SERVICE_NAME \
--name $AZ_SPRING_APPS_APP_NAME \
--runtime-version=Java_17
--assign-endpoint true
Connect Azure Spring Apps to the Azure database
First, install the Service Connector passwordless extension for the Azure CLI:
az extension add --name serviceconnector-passwordless --upgrade
Then, use the following command to create a user-assigned managed identity for Microsoft Entra authentication. For more information, see Set up Microsoft Entra authentication for Azure Database for MySQL - Flexible Server.
export AZ_IDENTITY_RESOURCE_ID=$(az identity create \
--name $AZ_USER_IDENTITY_NAME \
--resource-group $AZ_RESOURCE_GROUP \
--query id \
--output tsv)
Important
After creating the user-assigned identity, ask your Global Administrator or Privileged Role Administrator to grant the following permissions for this identity: User.Read.All
, GroupMember.Read.All
, and Application.Read.ALL
. For more information, see the Permissions section of Active Directory authentication.
Next, use the following command to create a passwordless connection to the database.
az spring connection create mysql-flexible \
--resource-group $AZ_RESOURCE_GROUP \
--service $AZ_SPRING_APPS_SERVICE_NAME \
--app $AZ_SPRING_APPS_APP_NAME \
--target-resource-group $AZ_RESOURCE_GROUP \
--server $AZ_DATABASE_SERVER_NAME \
--database $AZ_DATABASE_NAME \
--system-identity mysql-identity-id=$AZ_IDENTITY_RESOURCE_ID
This Service Connector command does the following tasks in the background:
Enable system-assigned managed identity for the app
$AZ_SPRING_APPS_APP_NAME
hosted by Azure Spring Apps.Set the Microsoft Entra admin to the current signed-in user.
Add a database user named
$AZ_SPRING_APPS_SERVICE_NAME/apps/$AZ_SPRING_APPS_APP_NAME
for the managed identity created in step 1 and grant all privileges of the database$AZ_DATABASE_NAME
to this user.Add two configurations to the app
$AZ_SPRING_APPS_APP_NAME
:spring.datasource.url
andspring.datasource.username
.Note
If you see the error message
The subscription is not registered to use Microsoft.ServiceLinker
, run the commandaz provider register --namespace Microsoft.ServiceLinker
to register the Service Connector resource provider, then run the connection command again.
Build and deploy the app
The following steps describe how to download, configure, build, and deploy the sample application.
Use the following command to clone the sample code repository:
git clone https://github.com/Azure-Samples/quickstart-spring-data-jdbc-mysql passwordless-sample
Add the following dependency to your pom.xml file:
<dependency> <groupId>com.azure.spring</groupId> <artifactId>spring-cloud-azure-starter-jdbc-mysql</artifactId> </dependency>
This dependency adds support for the Spring Cloud Azure starter.
Note
For more information about how to manage Spring Cloud Azure library versions by using a bill of materials (BOM), see the Getting started section of the Spring Cloud Azure developer guide.
Use the following command to update the application.properties file:
cat << EOF > passwordless-sample/src/main/resources/application.properties logging.level.org.springframework.jdbc.core=DEBUG spring.datasource.azure.passwordless-enabled=true spring.sql.init.mode=always EOF
Use the following commands to build the project using Maven:
cd passwordless-sample ./mvnw clean package -DskipTests
Use the following command to deploy the target/demo-0.0.1-SNAPSHOT.jar file for the app:
az spring app deploy \ --name $AZ_SPRING_APPS_APP_NAME \ --service $AZ_SPRING_APPS_SERVICE_NAME \ --resource-group $AZ_RESOURCE_GROUP \ --artifact-path target/demo-0.0.1-SNAPSHOT.jar
Query the app status after deployment by using the following command:
az spring app list \ --service $AZ_SPRING_APPS_SERVICE_NAME \ --resource-group $AZ_RESOURCE_GROUP \ --output table
You should see output similar to the following example.
Name Location ResourceGroup Production Deployment Public Url Provisioning Status CPU Memory Running Instance Registered Instance Persistent Storage ----------------- ---------- --------------- ----------------------- --------------------------------------------------- --------------------- ----- -------- ------------------ --------------------- -------------------- <app name> eastus <resource group> default Succeeded 1 2 1/1 0/1 -
Test the application
To test the application, you can use cURL. First, create a new "todo" item in the database by using the following command:
curl --header "Content-Type: application/json" \
--request POST \
--data '{"description":"configuration","details":"congratulations, you have set up JDBC correctly!","done": "true"}' \
https://${AZ_SPRING_APPS_SERVICE_NAME}-hellospring.azuremicroservices.io
This command returns the created item, as shown in the following example:
{"id":1,"description":"configuration","details":"congratulations, you have set up JDBC correctly!","done":true}
Next, retrieve the data by using the following cURL request:
curl https://${AZ_SPRING_APPS_SERVICE_NAME}-hellospring.azuremicroservices.io
This command returns the list of "todo" items, including the item you've created, as shown in the following example:
[{"id":1,"description":"configuration","details":"congratulations, you have set up JDBC correctly!","done":true}]
Clean up resources
To clean up all resources used during this tutorial, delete the resource group by using the following command:
az group delete \
--name $AZ_RESOURCE_GROUP \
--yes