
Service Principal authentication with MySQL #60204

Closed
kosinsky opened this issue Aug 3, 2020 · 11 comments

Comments

@kosinsky

kosinsky commented Aug 3, 2020

This page shows how to use AAD authentication for regular users. Is the same supported for Service Principals?



@GiftA-MSFT
Contributor

@kosinsky we'll review your feedback and get back to you shortly. Thanks.

@ghost

ghost commented Aug 5, 2020

@kosinsky To understand correctly, are you looking to use an Azure AD application for authentication?

(we already have Managed Identity documented here, which is our recommended approach: https://docs.microsoft.com/en-us/azure/mysql/howto-connect-with-managed-identity)

@kosinsky
Author

kosinsky commented Aug 5, 2020

@lfittl-msft
Managed Identity will not work for my case because the client is outside of Azure. Using Service Principals created via (az ad sp create-for-rbac ...) instead of passwords allows revoking permissions, etc.

However, Managed Identities gave me an idea to combine the approach for MSI and regular users to make service principals work.

Here are the steps:

  1. As AAD Admin, create a MySQL user for the SPN in the same way as for MSI:
```sql
-- Skip the tenant object-id validation, then map the user to the SPN's application (client) ID
SET aad_auth_validate_oids_in_tenant = OFF;
CREATE AADUSER 'myuser' IDENTIFIED BY 'CLIENT_ID';
```
  2. To log in:
```bash
# az login as SPN first
az login --service-principal -u CLIENT_ID -p CLIENT_SECRET --tenant TENANT_ID
# Use token to access MySQL (the token is passed as the password via the cleartext plugin, so keep TLS on)
mysql -h SERVER --user USER@SERVER \
--enable-cleartext-plugin \
--password=`az account get-access-token --resource-type oss-rdbms --output tsv --query accessToken`
```

@ghost

ghost commented Aug 5, 2020

@kosinsky Nice - that makes sense, and happy you were able to find a solution.

I'm wondering how we could highlight this best in the docs. Maybe we can include a snippet like the one you shared here, after the "Creating Azure AD groups in Azure Database for MySQL" section on the How-To Guide.

Do you think that would have helped?

@kosinsky
Author

kosinsky commented Aug 5, 2020

I think it will be great to have a separate page for "Connect with Service Principals (applications)" that will include how to create a user mapped to an SPN, how to authenticate using az account get-access-token, and a code sample showing how to do that with C# and other languages, or at least a lower-level C#-only version with direct HTTP calls to allow simple translation.
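The following is an added example, not code from this issue thread, from Microsoft's documentation, or from the Azure CLI. It shows the two-step procedure posted earlier in this thread (SPN token, then token-as-password) and the "direct HTTP calls" sample requested here, in Python rather than C# so that the exchange can be translated to any language with an HTTP client. Assumptions, labelled in the code as well: the Azure AD v2.0 token endpoint and the `https://ossrdbms-aad.database.windows.net/.default` scope (the resource that `az account get-access-token --resource-type oss-rdbms` targets), the default `aud` value the token check expects, the optional `mysql.connector` dependency used only inside `connect_with_token()`, and the `make_demo_token()` helper that fabricates an unsigned token so the claim checks can run offline.

```python
"""Added example: client-credentials token for an SPN, a pre-flight check of the
token's audience and expiry, and a MySQL connection using the token as password.
Endpoint, scope and expected audience are assumptions for this example."""
import base64
import json
import time
import urllib.parse
import urllib.request

# Assumed: Azure AD v2.0 token endpoint and the Azure Database for MySQL
# resource (same target as `az account get-access-token --resource-type oss-rdbms`).
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
MYSQL_RESOURCE = "https://ossrdbms-aad.database.windows.net"
MYSQL_SCOPE = MYSQL_RESOURCE + "/.default"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the OAuth2 client-credentials grant.

    This is the HTTP exchange that `az login --service-principal` followed by
    `az account get-access-token` performs; spelled out so it can be ported.
    """
    url = TOKEN_URL.format(tenant=tenant_id)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": MYSQL_SCOPE,
    }).encode()
    return url, body


def fetch_token(tenant_id, client_id, client_secret):
    """POST the client-credentials request and return the raw access token."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def decode_jwt_claims(token):
    """Read the claims of a compact JWT without verifying the signature.

    The MySQL server verifies the signature; the client only reads `aud` and
    `exp` so it never sends a token for the wrong resource or one about to expire.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_usable(token, expected_aud=MYSQL_RESOURCE, now=None, min_remaining=60):
    """True if `aud` matches the MySQL resource and >= min_remaining seconds remain.

    The exact `aud` string depends on which endpoint issued the token; the
    default here is an assumption for this example.
    """
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud_ok = aud == expected_aud or (isinstance(aud, list) and expected_aud in aud)
    return aud_ok and claims.get("exp", 0) - now >= min_remaining


def connect_with_token(host, user, token):
    """Open a MySQL connection with the token as the password.

    Equivalent to `mysql --enable-cleartext-plugin --password=<token>` from the
    thread. mysql-connector-python is optional and imported lazily. TLS must stay
    on because the cleartext plugin sends the token as-is.
    """
    import mysql.connector  # pip install mysql-connector-python
    return mysql.connector.connect(
        host=host, user=user, password=token,
        auth_plugin="mysql_clear_password", ssl_disabled=False,
    )


def make_demo_token(claims):
    """Build an unsigned JWT from constructed claims, for offline testing only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    # Constructed token: no Azure AD call is made here.
    demo = make_demo_token({"aud": MYSQL_RESOURCE, "exp": int(time.time()) + 3600})
    print(decode_jwt_claims(demo), token_usable(demo))
```

In production, replace `make_demo_token()` with `fetch_token()` and call `token_usable()` before every connection attempt; a rejected token then fails locally with a clear reason instead of surfacing as an opaque MySQL access-denied error, and tokens are short-lived, so long-running clients should re-fetch rather than cache them indefinitely.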

@AnuragSharma-MSFT
Contributor

Thanks @kosinsky for the information shared.

@lfittl-msft This is being assigned to you; could you please evaluate and update as appropriate? Thanks

@kummanish
Contributor

@lfittl-msft can you please provide an update?

@ghost

ghost commented Oct 22, 2020

@kosinsky Thanks for those details - we've added this to our documentation backlog and will address this as discussed.

@AnuragSharma-MSFT I think we can close this issue for now, as the question was addressed, and we'll improve the docs separately based on the further discussion.

@AnuragSharma-MSFT
Contributor

@lfittl-msft Thanks a lot for all the efforts you spent here.

@kosinsky We will now proceed to close this thread. If there are further questions regarding this matter, please comment and we will gladly continue the discussion.

@aristosvo

@NavtejSaini-MSFT This is still not properly documented. An extension of this question would be if it is possible to make a service principal AAD MySQL Administrator, and supply the proper steps for that as well.

@joedeveau

@NavtejSaini-MSFT This is still not properly documented.


8 participants