SiegfriedHeintze-9929 asked OuryBa-MSFT commented

How to Grant Service Principal read/write access To Azure SQL Relational Table

Can someone help me modify CDennig's Bicep code that grants a Kubernetes pod service principal access to Cosmos DocumentDB

  1. to grant the service principal of an Azure App Service web app (instead of a Kubernetes pod service principal) and

  2. to grant access to an Azure SQL database table (instead of a Cosmos DB)?

I assume I would create role definitions and role assignments like CDennig does:

    resource roleDefinition 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2021-06-15' = {
      name: '${cosmosDbAccountName}/${roleDefId}'   // cosmosDbAccountName, roleDefId, roleDefName and cosmosDbAccountId are params/variables declared elsewhere in the module
      properties: {
        roleName: roleDefName
        type: 'CustomRole'
        assignableScopes: [
          cosmosDbAccountId   // resource ID of the Cosmos DB account the role can be assigned at
        ]
        permissions: [
          {
            dataActions: [
              'Microsoft.DocumentDB/databaseAccounts/readMetadata'
              'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*'
            ]
          }
        ]
      }
    }

What data actions (lines 12 & 13) would I need for reading/writing/updating a table in Azure SQL?

I want to grant the webapp's system assigned service principal access to an Azure SQL database table so I don't need to store connection strings or passwords (as per the Azure SQL security best practices).

A user assigned service principal (like CDennig uses) would be OK too... but I have not been able to make that work with cosmos db.

I would prefer to do it with Bicep.

Thanks

Siegfried


Tags: azure-sql-database, azure-rbac
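An added example, not from the question, from CDennig's code, or from any answer in this thread, showing where the table permission actually lives for Azure SQL. Unlike Cosmos DB, Azure SQL does not expose table read/write as Azure RBAC dataActions in a role definition; the server is given a Microsoft Entra admin (in Bicep, a Microsoft.Sql/servers/administrators resource), and the web app's managed identity is then mapped to a contained database user and granted permissions with T-SQL inside the target database. The names my-webapp (a system-assigned identity carries the same name as the web app) and dbo.Orders are placeholders to replace with your own.

```sql
-- Run while connected to the target database (not master), authenticated as the
-- server's Microsoft Entra admin. The identity name and table are placeholders.

-- 1. Map the web app's managed identity to a contained database user.
--    No password is stored anywhere; tokens are issued by Entra ID at runtime.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'my-webapp')
BEGIN
    CREATE USER [my-webapp] FROM EXTERNAL PROVIDER;
END;

-- 2. Least privilege: grant only the verbs the app needs on the one table,
--    rather than adding the identity to db_datareader / db_datawriter.
GRANT SELECT, INSERT, UPDATE ON OBJECT::dbo.Orders TO [my-webapp];

-- 3. Verify the mapping and the effective object-level grants.
SELECT name, type_desc, authentication_type_desc
FROM sys.database_principals
WHERE name = N'my-webapp';   -- expect authentication_type_desc = EXTERNAL

SELECT dp.name AS grantee,
       p.permission_name,
       p.state_desc,
       OBJECT_SCHEMA_NAME(p.major_id) + '.' + OBJECT_NAME(p.major_id) AS object_name
FROM sys.database_permissions p
JOIN sys.database_principals dp ON dp.principal_id = p.grantee_principal_id
WHERE dp.name = N'my-webapp';
```

The web app then connects with a connection string that carries no secret, using `Authentication=Active Directory Managed Identity` with Microsoft.Data.SqlClient, and the audit trail in sys.database_permissions shows exactly which objects the identity can touch.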

@SiegfriedHeintze-9929 Sorry for the delay in response to your question.

Could you please open a support ticket so we can further look into this issue?
Let us know if you don't have a support plan.

Regards,
Oury


0 Answers