I am trying to connect to Snowflake in Databricks using an Azure access token generated from an existing Service Principal (not using the documentation's method to create one as I don't have the permissions to). Currently I am receiving the error "Invalid OAuth access token".
I believe the solution is I need snowflake to grant access to the service principal, however not sure how to do this or if it is even possible?
According to this Snowflake document, programmatic SSO with Federated Authentication (like you would need in a Databricks notebook) is only available for the Okta identity provider - even though Microsoft Azure Active Directory is among their supported Identity Providers
Related
As I understand that for getting selective authorization for a protected resource using Azure AD based OAuth 2.0 mechanism, client application need to mandatorily provide the scope URL for getting access token.
Other parameters usually include client ID, client secret (in case of Service Principal auth flow), Azure AD username and password, etc.
SqlClient has integrated Azure AD OAuth mechanism with SqlClient for authorizing a database connection.
So, I guess SqlClient also need these parameters for establishing an connection to Azure SQL server using Azure Active Directory authentication method.
But I don't see that it accepts any scope from the client application.
How does SqlClient gets scope for a particular Azure SQL server instance? I see that it gets something as Federated Authentication Info from server but I don't understand it completely.
The scope required for SQL Servder Authentication access tokens is https://database.windows.net/.default which stands for default scopes/permissions for https://database.windows.net/ resource.
Once an access token is obtained you pass it trough the SqlConnection.AccessToken property.
We have several apps which are built using .NET are running in VMS(on-prem)
All apps will be registered to Azure AD.
Can we use user managed identity to access key vault form these on-prem apps
Thanks in advance
No, you cannot use a Managed Identity from on-prem apps.
[...] a managed identity is a service principal of a special type that may only be used with Azure resources.
Source: What are managed identities for Azure resources?
To see a list of resources currently supported, see Services that support managed identities for Azure resources.
You can, however, use a Service Principal to connect to Key Vault from an application running on-premises.
To do so, Use the portal to create an Azure AD application and service principal that can access resources.
For Service Principals, authentication can be done in two different ways: password-based authentication (application secret) and certificate-based authentication. Using a certificate is recommended, but you can also create an application secret.
To access resources that are secured by an Azure AD tenant, the entity that requires access must be represented by a security principal. This requirement is true for both users (user principal) and applications (service principal). The security principal defines the access policy and permissions for the user/application in the Azure AD tenant. This enables core features such as authentication of the user/application during sign-in, and authorization during resource access.
If you cannot use managed identity, you instead register the application with your Azure AD tenant, as described on Quickstart: Register an application with the Azure identity platform. Registration also creates a second application object that identifies the app across all tenants.
Hi I'm following the steps outline into:
https://docs.snowflake.com/en/user-guide/scim-azure.html
But I couldn't find any documentation explaining whether this user sync will affect my existing Snowflake users (the ones that have been created straight into Snowflake before the AD integration)
I believe the reference you are looking for is here:
See the note section of: https://docs.snowflake.com/en/user-guide/scim-azure.html#enabling-snowflake-initiated-sso
"By default, Azure AD users provisioned to Snowflake using SCIM are
not assigned a password in Snowflake. This means that if SAML SSO is
configured in Azure AD, users will authenticate to Snowflake using
SSO.
SAML SSO is not a requirement if using SCIM to provision users and
groups from Azure AD to Snowflake. For additional options, see
Configure Azure AD single sign-on."
To enable Snowflake Initiated SSO
https://docs.snowflake.com/en/user-guide/admin-security-fed-auth-configure-snowflake.html#label-enable-snowflake-init-sso
Snowflake support confirmed that the existing users are NOT affected by any SCIM integration and I tested it with success, nothing happens to the existing users.
We are trying to connect to Azure service bus entity from "GO" language application & the integration with Azure service bus entity is possible by supplying either SAS token or Azure AD OAuth2.0 token which will be obtained via security principals. Technically I prefer security principals option rather than SAS token as it has security vulnerabilities.
How to acquire OAuth2.0 token from Azure AD using language like "GO" for which Azure AD SDK is not available?
Is it possible to make direct call to Azure AD REST APIs to access OAuth2.0 token? if yes some code sample would be helpful otherwise please suggest suitable options.
Here are available authentication methods for Go.
Also, you can make a direct call to get the access token.
https://login.microsoftonline.com/{tenant}/oauth2/token
Reference:
OAuth 2.0 client credentials grant
Authenticate and authorize an application with Azure Active Directory to access Azure Service Bus entities
I presume that LocalDB does not support Azure AD auth, as I receive the following error message:
CREATE USER [myuser] FROM EXTERNAL PROVIDER;
Incorrect syntax near 'PROVIDER'.
(I'm attempting to create a Local DB for integration testing from the same DacPac).
However I cannot find any documentation that suggests explicitly that LocalDB (nor SQL Express) does not support Azure AD Auth.
Experience has found that just because it's not documented doesn't mean it's not possible.
In Azure SQL Server, you activate AD auth by assigning an Azure AD user to be an administrator, which can be done via AzureRM powershell module. Is there an equivalent none azurerm way of achieving the same thing?
Currently it is both not documented and not possible to do AAD auth on LocalDB.