[FEATURE REQ] Support Workload Identity Auth for Azure Postgresql #39540

Open
2 tasks done
mschmidt291 opened this issue Apr 4, 2024 · 24 comments
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that
Comments

@mschmidt291

mschmidt291 commented Apr 4, 2024

Is your feature request related to a problem? Please describe.
The azure-identity-extension library currently does not support the usage of Workload Identity and only supports Managed Identity.

Describe the solution you'd like
Azure Workload Identity should be implemented in azure-identity-extensions. It is already implemented for the normal azure-identity library, which is a dependency of azure-identity-extensions.

Describe alternatives you've considered
The only feasible alternative for us would be the use of certificates, but we would like workload identity to work.

Information Checklist
Kindly make sure that you have added all the following information above and checked off the required fields; otherwise we will treat the issue as an incomplete report.

  • Description Added
  • Expected solution specified
@github-actions github-actions bot added Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Apr 4, 2024

github-actions bot commented Apr 4, 2024

@billwert @g2vinay


github-actions bot commented Apr 4, 2024

Thank you for your feedback. Tagging and routing to the team member best able to assist.

@billwert
Contributor

billwert commented Apr 5, 2024

Hello @mschmidt291

Thanks for the report! We'll take a look at this and get back to you soon.

@mschmidt291
Author

Hello @mschmidt291

Thanks for the report! We'll take a look at this and get back to you soon.

Thanks for the speedy response. Let me know if you need additional Input from me or more specific details.

@joshfree
Member

Tagging as 'Discuss in Office Hours' /cc @scottaddie @christothes

@mschmidt291
Author

@joshfree @scottaddie @christothes Any updates here ?

@billwert
Contributor

Hello @mschmidt291! Apologies for the delay.

We need to do some further investigation of this feature request. We're going to do so over the next few months. This is not something we're going to get to and ship quickly. We appreciate the suggestion and will see what we can do!

@billwert billwert moved this from Untriaged to Backlog in Azure Identity SDK Improvements Aug 27, 2024
@billwert billwert added this to the Backlog milestone Aug 27, 2024
@pdefreitas

pdefreitas commented Sep 24, 2024

azure-identity-extension version 1.1.19 is still impacted by this.

Use case: using azure-identity-extension in an AKS environment with Microsoft Entra Workload ID to connect Java applications to oss-rdbms such as PSQL and MySQL.

Edit:

The funny part is that spring-cloud-azure-starter-jdbc-postgresql works just fine with a Workload identity. However, that is problematic for non-Spring workloads.

@billwert
Contributor

billwert commented Oct 7, 2024

Hi folks,

Can you try authenticating in your environment with DefaultAzureCredential as outlined here?

DAC contains WorkloadIdentityCredential, so I would expect it to work. I'd love to know if you've tried this, and how it failed if it does.

If this does work for you I will make sure we update the documentation for this to be clearer about what DAC is doing for you in this case.

@billwert billwert added the needs-author-feedback Workflow: More information is needed from author to address the issue. label Oct 7, 2024
@github-actions github-actions bot removed the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Oct 7, 2024

github-actions bot commented Oct 7, 2024

Hi @mschmidt291. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

@mschmidt291
Author

Hi folks,

Can you try authenticating in your environment with DefaultAzureCredential as outlined here?

DAC contains WorkloadIdentityCredential, so I would expect it to work. I'd love to know if you've tried this, and how it failed if it does.

If this does work for you I will make sure we update the documentation for this to be clearer about what DAC is doing for you in this case.

Thanks for the hint Bill. I forwarded the request to our development team and will provide feedback here once I get an update.

@github-actions github-actions bot added needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team and removed needs-author-feedback Workflow: More information is needed from author to address the issue. labels Oct 8, 2024
@MedAnd

MedAnd commented Nov 18, 2024

Hi @billwert,

Any update on this issue? Our engineers are also experiencing problems attempting to connect Java microservices to PostgreSQL Flexible Server with your JDBC plugin, running under an AKS Service Account, Federated with a Managed Identity.

Wanted to confirm our scenario is or isn't supported for Azure PostgreSQL Flexible Server?

PS. The documentation does not mention this anywhere as a limitation.

@pdefreitas

@MedAnd we have the same setup and that scenario works fine with DefaultCredentials, but note that #39393 may impact your setup.
Example above: #39540 (comment)

@MedAnd

MedAnd commented Nov 18, 2024

Hi @pdefreitas - just to confirm I understand, when using MS Entra Workload ID with an AKS Service Account, which is Federated to a User Assigned Identity, we need to configure our Java / JDBC properties as per Authenticating with DefaultAzureCredential?

@billwert
Contributor

Thanks for confirming the scenario works with DefaultAzureCredential, @pdefreitas. @mschmidt291 were you able to confirm if it fixes it for you?

@MedAnd Yes, I believe that should work. Using DefaultAzureCredential will land on WorkloadIdentityCredential in a properly configured environment.

@billwert billwert added the issue-addressed Workflow: The Azure SDK team believes it to be addressed and ready to close. label Nov 18, 2024

Hi @mschmidt291. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.

@github-actions github-actions bot removed the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Nov 18, 2024
@MedAnd

MedAnd commented Nov 20, 2024

Hi @billwert - we are still having an issue and are following Authenticating with DefaultAzureCredential

  • using Azure Identity client library for Java - version 1.14.2
  • using a Java properties file to configure properties and not via Java code
  • using an AKS Service account Federated to a User Assigned Identity which has been granted access to the Azure PostgreSQL Flexible Server
  • Java container running under the AKS Service account

Are you able to confirm a Java properties file is supported with DefaultAzureCredential?

Can you provide an example of the following in Java properties file equivalent, specifically what should be used as the value of YOUR_POSTGRESQL_USERNAME?

  • properties.put("user","${YOUR_POSTGRESQL_USERNAME}@${AZ_DATABASE_NAME}");
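A properties-file version of the plugin setup asked about above, preceded by the two checks one would run inside the pod first, as an added example (not code from this thread or from the azure-sdk-for-java project). It assumes Flexible Server, where the `user` is the Entra name of the federated user-assigned identity without the `@server` suffix of the older single-server form; SERVER_NAME, DB_NAME and MY_IDENTITY_NAME are placeholders, and the scope constant is the OSS RDBMS token audience.

```java
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
// Added diagnostic; not code from the thread or the Azure SDK project.
public class WorkloadIdentityPgCheck {
    // Token audience for Azure Database for PostgreSQL / MySQL with Entra authentication.
    static final String OSSRDBMS_SCOPE = "https://ossrdbms-aad.database.windows.net/.default";
    // Variables the AKS workload identity webhook injects; DefaultAzureCredential needs them
    // to select WorkloadIdentityCredential instead of falling through to later credentials.
    static final String[] WORKLOAD_ID_VARS = {
        "AZURE_CLIENT_ID", "AZURE_TENANT_ID", "AZURE_FEDERATED_TOKEN_FILE", "AZURE_AUTHORITY_HOST"
    };
    // Step 1: is the pod actually carrying the workload identity projection?
    static List<String> missingWorkloadIdentityVars() {
        List<String> missing = new ArrayList<>();
        for (String name : WORKLOAD_ID_VARS) if (System.getenv(name) == null) missing.add(name);
        return missing;
    }
    // Step 2: can the credential chain mint a database-scoped token at all?
    static AccessToken acquireDatabaseToken() {
        DefaultAzureCredential credential = new DefaultAzureCredentialBuilder().build();
        return credential.getToken(new TokenRequestContext().addScopes(OSSRDBMS_SCOPE)).block();
    }
    // Step 3: properties-file equivalent of the Spring snippet quoted in the thread.
    static Properties jdbcProperties(String entraIdentityName) {
        Properties props = new Properties();
        props.setProperty("user", entraIdentityName); // Flexible Server: identity name, no @server suffix
        props.setProperty("authenticationPluginClassName",
            "com.azure.identity.extensions.jdbc.postgresql.AzurePostgresqlAuthenticationPlugin");
        props.setProperty("sslmode", "require");
        return props;
    }
    public static void main(String[] args) throws SQLException {
        List<String> missing = missingWorkloadIdentityVars();
        if (!missing.isEmpty()) throw new IllegalStateException("workload identity not projected: " + missing);
        System.out.println("token expires at " + acquireDatabaseToken().getExpiresAt());
        String url = "jdbc:postgresql://SERVER_NAME.postgres.database.azure.com:5432/DB_NAME"; // placeholders
        try (Connection c = DriverManager.getConnection(url, jdbcProperties("MY_IDENTITY_NAME"))) {
            System.out.println("connected as " + c.getMetaData().getUserName());
        }
    }
}
```

If step 1 reports missing variables, the problem is the pod's service account annotation or label rather than the JDBC plugin; if step 2 fails, the azure-identity logs from the chain show which credential was attempted.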

@billwert
Contributor

@MedAnd

Is it possible to collect some logs? Please enable logging as described here.

This will show us what credential type is being attempted and what might have gone wrong with it.


Hi @mschmidt291, since you haven’t asked that we /unresolve the issue, we’ll close this out. If you believe further discussion is needed, please add a comment /unresolve to reopen the issue.

@mschmidt291
Author

/unresolve

@github-actions github-actions bot reopened this Nov 29, 2024
@github-actions github-actions bot added needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team and removed issue-addressed Workflow: The Azure SDK team believes it to be addressed and ready to close. labels Nov 29, 2024
@mschmidt291
Author

Thanks for confirming the scenario works with DefaultAzureCredential, @pdefreitas. @mschmidt291 were you able to confirm if it fixes it for you?

@MedAnd Yes, I believe that should work. Using DefaultAzureCredential will land on WorkloadIdentityCredential in a properly configured environment.

I was not able to confirm this yet unfortunately. But due to #39393 it seems like it is still not usable for production.

@moarychan
Member

Hi @MedAnd, sorry for the late response!

Wanted to confirm our scenario is or isn't supported for Azure PostgreSQL Flexible Server?

JDBC passwordless authentication based on federation with a user-assigned Managed Identity is supported for Azure PostgreSQL Flexible Server.

@moarychan
Member

Hi @pdefreitas, sorry for the late response!

@MedAnd we've the same setup and that scenario works fine with DefaultCredentials but note that #39393 may impact your setup. Example above: #39540 (comment)

The azure-identity supports the cache feature, so the Spring Cloud Azure Starter JDBC PostgreSQL should also support the cache. Let me double confirm, will update here if any new findings.

@MedAnd

MedAnd commented Dec 4, 2024

Hi @moarychan,

Please note we are having issues with com.azure.identity.extensions.jdbc.postgresql.AzurePostgresqlAuthenticationPlugin.

Specifically, AzurePostgresqlAuthenticationPlugin seems not to pick up environment variables as per the documentation for DefaultAzureCredential.

It's thus failing to use the User Assigned Identity which is Federated with the AKS Service Account under which our container is running, which in turn relies on AKS MS Entra Workload.

We have raised a support issue and are working with both the Azure SDK Team and the Azure PostgreSQL team to confirm if it's our code or the Azure Java libraries.

Regarding issue #39393 - the .NET implementation of the PostgreSQL driver (Npgsql) seems to be optimised for handling / caching tokens as per: Handling Token Expiry

@saragluna saragluna modified the milestones: 2025-01, 2025-02 Dec 27, 2024