Use a managed identity to connect Azure SQL Database to an Azure Spring Apps app

Note

Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams.

This article applies to: ✔️ Java ❌ C#

This article applies to: ✔️ Basic/Standard tier ✔️ Enterprise tier

This article shows you how to create a managed identity for an Azure Spring Apps app and use it to access Azure SQL Database.

Azure SQL Database is the intelligent, scalable, relational database service built for the cloud. It’s always up to date, with AI-powered and automated features that optimize performance and durability. Serverless compute and Hyperscale storage options automatically scale resources on demand, so you can focus on building new applications without worrying about storage size or resource management.

Prerequisites

Connect to Azure SQL Database with a managed identity

You can connect your application deployed to Azure Spring Apps to an Azure SQL Database with a managed identity by following manual steps or using Service Connector.

Grant permission to the managed identity

Connect to the target database (the one the app will use, not master) as the Azure AD administrator of your SQL server, then run the following T-SQL. A user created FROM EXTERNAL PROVIDER is a contained database user mapped to the Azure AD identity, so it must be created by an Azure AD principal; a SQL-authenticated login cannot run this statement.

-- Create a contained database user for the managed identity (no password is stored).
CREATE USER [<MIName>] FROM EXTERNAL PROVIDER;
-- Read and write rows.
ALTER ROLE db_datareader ADD MEMBER [<MIName>];
ALTER ROLE db_datawriter ADD MEMBER [<MIName>];
-- Create, alter and drop objects; needed only while JPA/Hibernate generates the schema.
ALTER ROLE db_ddladmin ADD MEMBER [<MIName>];
GO

The value of the <MIName> placeholder follows the rule <service-instance-name>/apps/<app-name>; for example: myspringcloud/apps/sqldemo. You can also look up the name with the Azure CLI, where <identity-object-ID> is the object (principal) ID of the app's managed identity:

az ad sp show --id <identity-object-ID> --query displayName
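After granting the roles, it is worth confirming that the user really was created as an external (Azure AD) principal and holds only the roles you intended, and tightening them once the schema exists. The following T-SQL is an added example, not part of the original article; it assumes a managed identity named myspringcloud/apps/sqldemo and is run in the same target database as the statements above.

```sql
-- Added example (not from the original article). Run in the app's database,
-- not in master. Replace the assumed name myspringcloud/apps/sqldemo with your
-- own <service-instance-name>/apps/<app-name>.
DECLARE @MIName sysname = N'myspringcloud/apps/sqldemo';

-- 1. Confirm the user exists and was created FROM EXTERNAL PROVIDER.
--    Expect type_desc = EXTERNAL_USER and authentication_type_desc = EXTERNAL.
--    A SQL_USER here means someone created a password-based user by mistake.
SELECT name, type_desc, authentication_type_desc, create_date
FROM sys.database_principals
WHERE name = @MIName;

-- 2. List the database roles the identity is a member of. Expect exactly the
--    roles you granted; db_owner or db_securityadmin here is a finding.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = @MIName
ORDER BY r.name;

-- 3. Least privilege: db_ddladmin lets the app create, alter and drop any
--    object. Keep it only while JPA/Hibernate generates the schema
--    (spring.jpa.hibernate.ddl-auto); once the schema is in place, drop it so
--    a compromised app can read and write rows but cannot change the schema.
--    ALTER ROLE takes a literal name, not a variable.
ALTER ROLE db_ddladmin DROP MEMBER [myspringcloud/apps/sqldemo];
GO
```

Run step 2 again after the DROP MEMBER to confirm only db_datareader and db_datawriter remain.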

Configure your Java app to use a managed identity

Open the src/main/resources/application.properties file, then add Authentication=ActiveDirectoryMSI; at the end of the spring.datasource.url line, as shown in the following example. Replace the $AZ_DATABASE_NAME placeholder with the name of your SQL server. Note that the URL contains no username or password: the JDBC driver obtains a token for the app's managed identity at connection time. Keep encrypt=true and trustServerCertificate=false as shown, so that the driver validates the server certificate and the token is never sent over an unverified TLS connection.

spring.datasource.url=jdbc:sqlserver://$AZ_DATABASE_NAME.database.windows.net:1433;database=demo;encrypt=true;trustServerCertificate=false;hostNameInCertificate=*.database.windows.net;loginTimeout=30;Authentication=ActiveDirectoryMSI;

Build and deploy the app to Azure Spring Apps

Rebuild the app and deploy it to the Azure Spring Apps instance provisioned in the second bullet point under Prerequisites. You now have a Spring Boot application running in Azure Spring Apps that authenticates to Azure SQL Database with a managed identity, with no database credentials in its configuration, and uses JPA to store and retrieve data.

Next steps