How can I limit the permissions of an Azure SQL database when accessed from an Azure web app?
Details - I am working with an Azure SQL database and creating an ASP.NET Core web app. In the web app I have put a connection string that points to the Azure SQL database. The connection string includes the server admin username and password of the Azure SQL server. The web app successfully communicates with the database and can read and write data. Now, as a safety precaution, I would like to prevent the web app from ever deleting a database table (whether this be due to a mistake in the code, or a malicious SQL injection performed on the web app). How can I set permissions on the Azure SQL database to disallow table deletions from the web app?
I have heard of Azure Active Directory; I have never used it but I gather that it is an approach to manage identities and permissions of database users. Is there something similar to manage the permission of a web app rather than a user. Or is it possible to treat the web app as a user and assign user permissions/roles to it? If so, what would be the correct approach to implement this?
(Also, while we are on the subject, aside from preventing table deletions are there some other CRUD operations that you would recommend preventing from a security perspective as a best practice?)
As Dbro said, we suggest you create a new login and user to limit the permissions of an Azure SQL database when accessed from an Azure web app.
Replace the app connection string with the new Non-administrator username and password.
And we all know, no matter which way we access or connect to the Azure SQL database, we must through the SQL account, Server administrator or new Non-administrator.
Different Azure SQL account has different permission on database operation CURD.
Fore more details, please reference Azure document Controlling and granting database access to SQL Database and SQL Data Warehouse.
When a new user you created, you can decided which database permissions to grant for the user. Please see: GRANT Database Permissions (Transact-SQL)
For security, Azure also provides the Azure Key Vault for you. To see: Always Encrypted: Protect sensitive data and store encryption keys in Azure Key Vault:
Summary:
Always Encrypted is a new data encryption technology in Azure SQL Database and SQL Server that helps protect sensitive data at rest on the server, during movement between client and server, and while the data is in use. Always Encrypted ensures that sensitive data never appears as plaintext inside the database system. After you configure data encryption, only client applications or app servers that have access to the keys can access plaintext data.
Hope this helps.
Is there something similar to manage the permission of a web app rather than a user.
Yes. It's called Managed Identities. Azure will provision an identity in your Azure Active Directory, and ensure that only code running in your Application can generate tokens for that identity. This gives you the ability to authenticate and connect to SQL Server (and other Azure Resources) without having a username/password or a client secret in your code or configuration.
See:
Azure AD managed identities for Azure resources
Managed identities for Azure resources provides Azure services with an
automatically managed identity in Azure Active Directory (Azure AD).
You can use this identity to authenticate to any service that supports
Azure AD authentication without having any credentials in your code.
Learn how to create and manage managed identities for Azure resources
with our quickstarts and tutorials.
And: Tutorial: Secure Azure SQL Database connection from App Service using a managed identity
are there some other CRUD operations that you would recommend preventing from a security perspective as a best practice
You should create a database role that has the minimal permissions required to run the application, and add your application user(s) to that role. The permissions needed will, of course, depend on what your application does, but the role might look something like this:
create role ApplicationUser
grant select,insert,update,delete,execute on schema::dbo to ApplicationUser
deny delete on AuditLog to ApplicationUser
(In SQL Server a DENY overrides any GRANTs and so you can grant permissions at the schema-level, and selectively DENY permissions at the object level)
Related
So, we have made a web application login protocol via which users can query a database on Azure SQL Server with sensitive data. Now partner-organizations want to use the same app to query their own databases on their own Azure SQL Server.
Is there a way where we can ensure that as admin + host of the web application we don't have access to their sensitive data, while we are able to send user from the correct Identity Provider through.
Until so far I found the OAuth 2.0 Token Introspection, specifically this implementation: https://wiki.surfnet.nl/pages/viewpage.action?pageId=23794471. Is there a way to implement this within Azure around the Azure SQL Server (if needed via a very simple API)?
Azure built-in reader role:
View all resources, but does not allow you to make any changes.
EDIT: If the problem is security you need to solve it through security countermeasure like Always Encrypted:
This provides a separation between those who own the data and can view
it, and those who manage the data but should have no access -
on-premises database administrators, cloud database operators, or
other high-privileged unauthorized users.
Goal:
Assign appropriate Azure SQL database privileges to App Service Web Site's system service principal (or better yet) the user assigned service principal.
Background:
After having followed along with Alexandre's tutorial on creating Azure SQL administrators I created a simple Blazor Server App that can insert entries into a simple Azure SQL resident table because the system assigned service principal of the Azure App Service Web site is an administrator for the Azure SQL database.
Problem:
Database administrator privileges are not appropriate or necessary for the Azure App Service Web site. I need to endow the Azure App Service Web site with minimal privileges (such as db_datawriter) to be consistent with Microsoft's recommend best practices.
What is Working (Updated):
I've been following along with Jesse's tutorial where he endows his account as the Azure SQL administrator and creates new accounts with limited roles like db_datareader and dt_datawriter and db_ddladmin. This was not working previously (when I first posted).
Tue May 24 2022 Update:
I started over again (with a new azure SQL database) following Jesse's tutorial and I can now
log into the Query Explorer
create a user
grant access to that user to update, select and insert into a table
Connect with SSMS with no password and access the database tables as that user
Run my blazor app and insert into the table as well (with no password!)
New Questions (Tue May 24 2022):
When I deploy my blazor app to Azure AppService Web app, it cannot connect.
How do I write bicep code to grant my azure app service resident blazor app access to my azure SQL database? I think I need to use the system assigned service principal for the web app (does this have a password?) and use SQLCMD.EXE to execute those CREATE USER and ALTER ROLE commands. How do I do that? The problem is that the system assigned service principal of the web app is not an active directory object. Conversely, "az ad user show" does not have a principalId I can use as a user assigned service principal that I could assign to the web app.
So when I am running on my desktop dev machine, DefaultAzureCredential is detecting that I am logged to Azure with the Microsoft account and I can debug my blazor app on my dev machine...
How do I configure Azure SQL to allow access from the Azure App Service web app as well as access from my desktop dev machine? This is easy to do with cosmos SQL and I'm thinking it should be possible with Azure SQL as well.
Thanks
Siegfried
This article I recently published should be able to help you: https://dev.to/azure/create-and-connect-to-an-azure-sql-db-9k0. And yes, this sentences you mentioned "it looks like this is the way to conform to the Microsoft recommend Best Practices of abandoning passwords in favor of service principals and managed identities", is definitely correct.
On AWS an application can access a database by attaching an IAM role that allows access.
Or an application can access the database by obtaining passwords from the secret manager.
In what use cases would one use IAM or a secret manager to connect their DB and Application?
Secrets Manager is just storing your database password. You would be reading the password from Secrets Manager, and then connecting to the database with username/password. The fact that you are storing the password in Secrets Manager is kind of irrelevant. Your question should actually be stated something like this:
What are the advantages of using AWS IAM authentication for RDS databases, instead of the default username/password authentication.
In answer to that question, the primary benefit is that you can use IAM roles attached to EC2/ECS/EKS/Lambda to provide database authentication credentials, instead of having to separately configure those resources with a database password somehow.
You also don't have to worry about rotating the database passwords periodically if you are using IAM authentication.
As far as I know, IAM are used for inter-cloud application access. Unless you want a user role created with access to DB and then assuming the user role to connect to DB. This is the case if your application runs in cloud.
Also this is the case mostly for cloud native DB's like Dynamodb.
For RDS Databases we usually use passwords.
Background: I built a Razor Pages web app that connects to Azure SQL DB and have successfully set up Azure AD single sign on. I have a DB context class which use AD interactive authentication, but when I publish the app to the Web App Service, I have to configure the Azure SQL DB dependency and I am forced to hard-code a username and password.
I have created users and logins in the DB and also utilize RLS as not all users have a need to see all data in certain tables, so I want to retain the security measures already in place.
Problem: Because the username and password are hard-coded all users will be able to see, edit, delete information they shouldn't, so I need to configure pass-through authentication to the DB.
Anyone have examples on how to achieve this?
Edit: Just how you can configure Power BI to have end users use their own credentials to access the SQL DB, I need to this with my web app.
If you want to protect the username and password, some other way is that you can store the SQL database connection string to the Azure Key Vault, then use secret key name to connect to the SQL database.
Example ref: Spring boot application that would read configuration from Key vault and connect to SQL?
Description
We use Azure SQL database with multiple databases on a server. It is possible to grant permissions to a single database via the user's Azure AD login by creating a group, say "DBReader". in AAD and assign the group to the role "Reader" via the server's settings in azure portal and then create a user when connected to the database as CREATE USER [DBReaders] FROM EXTERNAL PROVIDER, which will allow connecting to the single database.
Problem
We'd like to grant read access to all databases, so that the user sees all databases with a single connection and must not add them separately. Normally, you'd create a login on the server for this. However, the preview feature https://learn.microsoft.com/en-gb/sql/t-sql/statements/create-login-transact-sql?view=azuresqldb-mi-current, which would allow CREATE LOGIN ... FROM EXTERNAL PROVIDER is not available for Azure SQL database.
Question
Is there any way we did not think of to simply grant access to all databases via an AAD group?
Is there any way we did not think of to simply grant access to all databases via an AAD group?
No. Outside of Managed Instance, which requires a minimum of 4 vCores, Azure SQL Database users must be added to each database.
A suitable solution would involve the user to being able to see all databases he has permissions to at once
For Azure SQL Database, this requires the client to connect to Master to, and then reconenct to switch databases. SQL Server Management Studio does this, but other clients may not.