Description
SqlPackage supports the passing in of an access token as an authentication method, with no `Authentication` key/value pair present in the connection string. When this key is omitted from the action, an error is returned requiring that `User` or `User Id` keys are provided. Below is the example workflow YAML:
```yaml
- name: 'Az CLI login'
  uses: azure/login@v1
  with:
    client-id: ${{ vars.AZURE_CLIENT_ID }}
    tenant-id: ${{ vars.AZURE_TENANT_ID }}
    subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
- name: Get Access Token
  run: |
    ACCESS_TOKEN=$(az account get-access-token \
      --resource https://database.windows.net/ \
      --query accessToken \
      --output tsv)
    echo "AZ_ACCESS_TOKEN=$ACCESS_TOKEN" >> "$GITHUB_ENV"
- name: build
  run: # build db project
- name: Deploy to Azure SQL Database
  uses: Azure/[email protected]
  with:
    connection-string: 'Server=<server>;Initial Catalog=<database>;Connection timeout=60;Encrypt=True'
    path: # dacpac file
    action: 'publish'
    skip-firewall-check: true
    arguments: /at:$AZ_ACCESS_TOKEN
```
The above fails with the error: `Invalid connection string. Please ensure 'User' or 'User ID' is provided in the connection string.`

Replacing the final deployment step with a direct call to sqlpackage and passing in the same arguments successfully deploys the dacpac, like so:

```shell
sqlpackage /Action:Publish /TargetConnectionString:"Server=<server>;Initial Catalog=<database>;Connection timeout=60;Encrypt=True;" /SourceFile:<dacpac> /at:$AZ_ACCESS_TOKEN
```
The use case for this is that I am deploying to an Azure SQL instance using a user-assigned managed identity with federated credentials, running on a self-hosted runner which has not been assigned the managed identity. Using `Authentication=Active Directory Managed Identity` requires that the MI has been assigned to the runner machine.
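
An added example, not part of the original issue and not code from Azure/sql-action: one way an input validator could accept the access-token path described above, asking for `User`/`User ID` only when neither an `Authentication` key nor an `/at:` (`/AccessToken:`) argument is present. The function names, the simplified connection-string parsing and the choice to reject a token combined with other credentials are assumptions of this example.

```javascript
// Added example; hypothetical helper names, not code from Azure/sql-action.

// Split "Key=Value;Key2=Value2" into a map with lower-cased keys.
// Simplification (assumption): values do not contain quoted ';' or '='.
function parseConnectionString(connectionString) {
  const pairs = new Map();
  for (const part of connectionString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 1) continue; // skip empty segments and segments without a key
    pairs.set(part.slice(0, idx).trim().toLowerCase(), part.slice(idx + 1).trim());
  }
  return pairs;
}

// True when the extra SqlPackage arguments carry /AccessToken: or its short form /at:.
function hasAccessTokenArgument(sqlpackageArguments) {
  return /(^|\s)\/(at|accesstoken):\S+/i.test(sqlpackageArguments || '');
}

// Decide which authentication mode the inputs select and whether they are valid.
function validateAuthentication(connectionString, sqlpackageArguments) {
  const cs = parseConnectionString(connectionString);
  const hasUser = ['user id', 'uid', 'user'].some((k) => cs.has(k));
  const hasPassword = cs.has('password') || cs.has('pwd');
  const hasAuthKey = cs.has('authentication');

  if (hasAccessTokenArgument(sqlpackageArguments)) {
    // Assumption of this example: a token plus other credentials is treated
    // as a conflict instead of silently picking one of them.
    if (hasUser || hasPassword || hasAuthKey) {
      return { ok: false, mode: 'conflict',
        error: 'Access token cannot be combined with User ID, Password or Authentication.' };
    }
    return { ok: true, mode: 'access-token' };
  }
  if (hasAuthKey) return { ok: true, mode: cs.get('authentication').toLowerCase() };
  if (hasUser) return { ok: true, mode: 'sql-login' };
  return { ok: false, mode: 'none',
    error: "Provide 'User' or 'User ID', an Authentication key, or an /at: access token." };
}
```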