Connecting to MySQL using Managed Identity in Azure Function

Question

Connecting to MySQL using Managed Identity in Azure Function

JDR 90

Hi

I am trying to use a managed identity to read&write a mysql from an Azure function (pytho http trigger).

I created a User Managed Identity from the portal by going to my MySQL db -> Authentication -> Select Identity -> Create. I named it "mysql_mi".

I gave permission to mysql_mi to access my DB through the following (portal): MySQL db -> Access Control (IAM) -> Add Role Assignment -> selected Privileged administrator roles -> selected Contributor. On the Members tab selected Managed identity and selected mysql_mi.

Is this the right way to assign permission to my managed identity?

Finally, in my python code I followed https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/app-service/tutorial-connect-msi-azure-database.md

from azure.identity import DefaultAzureCredential
import mysql.connector
import os

# Uncomment one of the two lines depending on the identity type
#credential = DefaultAzureCredential() # system-assigned identity
#credential = DefaultAzureCredential(managed_identity_client_id='<client-id-of-user-assigned-identity>') # user-assigned identity

# Get token for Azure Database for MySQL
token = credential.get_token("https://ossrdbms-aad.database.windows.net/.default")

# Set MySQL user depending on the environment
if 'IDENTITY_ENDPOINT' in os.environ:
    mysqlUser = '<mysql-user-name>@<server-name>'
else:
    mysqlUser = '<aad-user-name>@<server-name>'

# Connect with the token
os.environ['LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN'] = '1'
config = {
  'host': '<server-name>.mysql.database.azure.com',
  'database': '<database-name>',
  'user': mysqlUser,
  'password': token.token
}
conn = mysql.connector.connect(**config)
print("Connection established")

In this code, I am not sure about what <mysql-user-name> and <aad-user-name> are.

Can someone help clarify?

I tried replacing both with mysql_mi but it doesn't work. It seems that I am getting the crendential and the token right (code above) but still get an "Can't connect to MySQL server" exception.

Any pointer or suggestion would be greatly appreciated.

Thanks in advance!

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
JDR 90 Reputation points

2023-10-20T01:48:31.8533333+00:00

Thanks @55854606.

What config ditionary are you referring to: "Ensure that the configurations in the config dictionary are accurate, including the 'host', 'database', 'user', and 'password'"

Also, the point of managed identities is to avoid manipulating passwords.

"You should replace <mysql-user-name> with the username you created for the MySQL database"

Under "Access control (IAM)" for the "Azure Database for MySQL flexible server", I have 2 users: myself (owner) and the managed identity mysql_mi as a contributor. What would be in that case "the username you created for the MySQL database"

Thanks again for your help.

Accepted answer

0 additional answers

Your answer

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
JDR 90 Reputation points

2023-10-20T01:48:31.8533333+00:00

Thanks @55854606.

What config ditionary are you referring to: "Ensure that the configurations in the config dictionary are accurate, including the 'host', 'database', 'user', and 'password'"

Also, the point of managed identities is to avoid manipulating passwords.

"You should replace <mysql-user-name> with the username you created for the MySQL database"

Under "Access control (IAM)" for the "Azure Database for MySQL flexible server", I have 2 users: myself (owner) and the managed identity mysql_mi as a contributor. What would be in that case "the username you created for the MySQL database"

Thanks again for your help.

Answer 1

navba-MSFT 27,540 Microsoft Employee Moderator

@JDR Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

I understand that you are trying to use a managed identity to read and write to a MySQL database from an Azure Function (Python HTTP trigger). You have created a User Managed Identity from the portal and given it permission to access the database.

Please follow the below article which explains how to connect to Azure Database for MySQL using Managed Identity of Function App:

https://techcommunity.microsoft.com/t5/azure-database-for-mysql-blog/how-to-connect-to-azure-database-for-mysql-using-managed/ba-p/1518196

If you run into the issue after following the above plan please let me know. I would be happy to help.

**

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

JDR 90 Reputation points

2023-10-20T22:06:40.4366667+00:00

Thanks @navba-MSFT for your response and for sharing some pointer.

Let's go step by step.

The first step in that documentation is Step 1: Configure Azure AD Authentication for MySQL. This step points to documentation which is specific to MySQL Single Server and doesn't apply to MySQL Flexible Server (my configuration).

How do I know if my server is configured for Azure AD authentication?

For information, when I created my MySQL server, under Authenticaton I selected “MySQL and Microsoft Entra authentication”; clicked “Set Identity” under “User assigned managed identity” and selected mysql_mi (a user managed identity I previously created); I clicked “Set Amin” under “Set Microsoft Entra admin” and set myself as admin.

thanks for your help
JDR 90 Reputation points

2023-10-23T01:33:04.03+00:00

@navba-MSFT

Step 2: Enable Managed Identity for the Function App

This step should be fine since I see the managed identity under my Function App -> Identity -> User Assigned.

Step 3: Find the Managed Identity GUID and then create a user in MySQL

I see 5 applications under Enterprise Applications. None of them match exactly the name of my function app. The closest one differs by its casing. I also see one which name ends with FuncAppIdentityProvider. Is this the one?

The documentation then says "Once you have the Application ID, log in to Azure Database for MySQL using the AAD login". I guess for this I need to go back to https://learn.microsoft.com/en-us/azure/mysql/single-server/how-to-configure-sign-in-azure-ad-authentication (MySQL.- Single Server).

Trying to follow the latter, I can get the access token using Azure CLI. But I cannot pass the following step: Using MySQL Workbench (access denied).

The documentation says: "In the username field, enter the MySQL Microsoft Entra administrator name and append this with MySQL server name, not the FQDN e.g. ******@tenant.onmicrosoft.com@mydb"

I used my identity (which I previously set as Microsoft Entra admin when I create the MySQL DB).
Where do I find the MySQL Microsoft Entra administrator name and the MySQL server name? On Azure portal, under Microsoft Entra ID -> Users I can see myself but the "User Principal Name" and the onmicrosoft.com name I found there under "Indentities" do not work to connect through the My SQL workbench.

Thanks.
navba-MSFT 27,540 Reputation points Microsoft Employee Moderator

2023-10-23T09:29:09.6+00:00

@JDR Thanks for getting back. I understand your concern. This issue would require a closer troubleshooting. Please let me know if you have a support plan to open a support ticket with Microsoft Support, s that our support professionals can assist you in troubleshooting this further. If you don't have a support plan, please let me know so that I can share the next steps with you. Awaiting your reply.
JDR 90 Reputation points

2023-10-23T16:34:49.9833333+00:00

@navba-MSFT No, I don't have a support plan at the moment. Thanks!
navba-MSFT 27,540 Reputation points Microsoft Employee Moderator

2023-10-24T05:51:05.3433333+00:00

@JDR Thanks for your reply. We can help you in enabling a one-time free support ticket enablement for your subscription, using this you can open a support ticket with Microsoft Support and get technical assistance on this issue.

Please share the below details over email to azcommunity[at]microsoft[dot]com with subject as "Attn: Naveen':

a. Subscription id.
b. Thread url of this Q&A issue.

Awaiting your reply.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
navba-MSFT 27,540 Reputation points Microsoft Employee Moderator

2023-10-25T04:22:08.4066667+00:00

@JDR I have replied to your email and enabled the one-time free support ticket for your subscription. Please update this thread with the resolution, once it gets fixed by Microsoft Support, so that it benefits our other community audience.
JDR 90 Reputation points

2023-11-09T18:31:43.2266667+00:00
Hi @navba-MSFT

Support was able to resolve the issue. Thank you very much.

Configuring a mysql flexible server to allow access to a user managed identity can be accomplished by following primarily this resource:
https://techcommunity.microsoft.com/t5/azure-database-for-mysql-blog/azure-ad-authentication-for-mysql-flexible-server-from-end-to/ba-p/3696353

Some important information can also be found in:

https://learn.microsoft.com/en-us/azure/mysql/single-server/how-to-connect-with-managed-identity#creating-a-mysql-user-for-your-managed-identity (although it's specific to single server, some parts apply)

https://learn.microsoft.com/en-us/azure/mysql/flexible-server/how-to-azure-ad#1---authenticate-with-microsoft-entra-id

One key point was to use my user name @ my domain name instead of ******@tenant.onmicrosoft.com in:

mysql -h mydb.mysql.database.azure.com \ --user ******@tenant.onmicrosoft.com \ --enable-cleartext-plugin \ --password=$(az account get-access-token --resource-type oss-rdbms --output tsv --query accessToken)

And the critical part we to use 'aad-user' (i.e. the name of the manager identity, in my case 'mysql_mi') intead of ''<aad-user-name>@<server-name>' in the python connection code:

# Set MySQL user depending on the environment if 'IDENTITY_ENDPOINT' in os.environ: mysqlUser = '<mysql-user-name>@<server-name>' else: mysqlUser = '<aad-user-name>@<server-name>' # Connect with the token os.environ['LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN'] = '1' config = { 'host': '<server-name>.mysql.database.azure.com', 'database': '<database-name>', 'user': mysqlUser, 'password': token.token } conn = mysql.connector.connect(**config)

Hope this helps.

Share via

Connecting to MySQL using Managed Identity in Azure Function

0 additional answers

Your answer