Authenticating with Postgres Flex Server using Active Directory as a Service Principal throws error

awf09j 40 Reputation points
2023-08-02T18:21:45.76+00:00

I'm trying to authenticate as a Service Principal using the @azure/identity npm library.

The AAD hierarchy:

-- pg-contributors (group) contains:
---- app-devs (group)
-------- me (user)
---- web-app (service principal)

My code:

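import { ClientSecretCredential } from '@azure/identity';

const scope = 'https://ossrdbms-aad.database.windows.net';
const credential = new ClientSecretCredential(tenantId, clientId, clientSecret); // third argument is the client secret
const testToken = await credential.getToken(scope); // this throws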

The error:

AuthenticationRequiredError: invalid_scope: 70011 - [2023-08-02 18:09:30Z]: AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://ossrdbms-aad.database.windows.net is not valid.

The exact same scope and call works as myself using the AzureCLI credential. Now I'm trying to authenticate with the service principal creds and am getting an error. Anyone know how to fix?


1 answer

  1. Marilee Turscak-MSFT 37,396 Reputation points Microsoft Employee Moderator
    2023-08-09T18:27:33.54+00:00

    Hi @awf09j ,

    I spoke with the PG and took a look at the documentation on this here: Connect with Managed Identity - Azure Database for PostgreSQL - Single Server | Microsoft Learn

    We managed to test using Postman. Passing this scope <https://ossrdbms-aad.database.windows.net/> returns the same error as what you are getting (AuthenticationRequiredError: invalid_scope). For the managed identity, you need to add the /.default scope as shown in the example. Tested on Postman and we were able to get an access token.

    Let me know if this helps and if you have further questions.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar information.
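
The fix described in the answer, as an added example that is not part of the original thread or of Microsoft's documentation: the resource URI is normalized to its `/.default` scope before the service principal requests a token. The names `PG_AAD_RESOURCE`, `toDefaultScope` and `getPostgresToken` are assumptions made for this sketch; `ClientSecretCredential` and `getToken` are the `@azure/identity` calls from the question.

```javascript
// Added example: names below are illustrative, not from the thread.
const PG_AAD_RESOURCE = 'https://ossrdbms-aad.database.windows.net';

// Convert a resource URI into the "<resource>/.default" scope that the
// client-credentials (service principal) flow requires. Accepts the bare
// resource, the resource with a trailing slash, or an already-correct scope.
function toDefaultScope(resource) {
  const url = new URL(String(resource).trim()); // throws on malformed input
  if (url.protocol !== 'https:') {
    throw new Error(`resource must be an https URI: ${resource}`);
  }
  if (url.search || url.hash) {
    throw new Error(`resource must not carry a query or fragment: ${resource}`);
  }
  if (url.pathname === '/' || url.pathname === '/.default') {
    return `${url.origin}/.default`;
  }
  throw new Error(`expected a bare resource URI, got: ${resource}`);
}

// Request a token for Azure Database for PostgreSQL as a service principal.
// The library is loaded lazily so toDefaultScope can be used and tested
// without @azure/identity installed.
async function getPostgresToken({ tenantId, clientId, clientSecret }) {
  const { ClientSecretCredential } = await import('@azure/identity');
  const credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
  const accessToken = await credential.getToken(toDefaultScope(PG_AAD_RESOURCE));
  return accessToken.token;
}
```

Keep the client secret out of source control, for example by reading it from the app's configuration or a secret store at startup.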
