SQLPACKAGE使用通用身份验证部署DACPAC文件
我有一个 Azure DevOps YAML 管道,当前正在使用 SQLPackage.exe 部署我的 Azure SQL 数据库,并使用相当标准的命令进行 SQL 身份验证:
SqlPackage.exe /Action:Publish /SourceFile:"mydb01.dacpac" /TargetServerName:"mysqlserver.database.windows.net" /TargetDatabaseName:"mydb01" /TargetUser:"sqladmin" /TargetPassword:"mypwd"
我现在想要创建可以与 SSMS 中的“Azure Active Directory - Universal with MFA”选项连接的数据库用户。为此,已在 Azure AD 中创建了一个服务帐户,并在 Azure 门户中的 Azure SQL Server 配置下分配为“Azure Active Directory 管理员”。
SQL 数据库项目具有使用此命令创建的用户:
CREATE USER [[email protected]]
FROM EXTERNAL PROVIDER
WITH DEFAULT_SCHEMA = dbo;
ALTER ROLE db_datareader ADD MEMBER [[email protected]]
使用先前的命令部署 .dacpac 文件会导致此错误,这是可以理解的:
无法创建主体“[电子邮件受保护]”。仅有的 使用 Active Directory 帐户建立的连接可以创建 其他 Active Directory 用户
如果我从笔记本电脑本地使用此命令来部署数据库:
SqlPackage.exe /Action:Publish /SourceFile:"mydb01.dacpac" /TargetServerName:"mysqlserver.database.windows.net" /TargetDatabaseName:"mydb01" /ua:True /tid:mydomain.onmicrosoft.com
将显示一个交互式弹出窗口,我现在在其中输入此 Azure SQL Server 的 AAD 管理员的凭据,部署工作正常,之后域用户“User01”可以使用带有 MFA 的通用身份验证连接到数据库。
现在真正的问题是如何避免此交互式弹出窗口,因为我希望自动执行此操作而无需输入凭据?我想使用 AAD 集成在我的 Azure DevOps YAML 管道中自动执行数据库部署。
I have an Azure DevOps YAML pipeline that is currently deploying my Azure SQL database with SQLPackage.exe and SQL Authentication with pretty standard command:
SqlPackage.exe /Action:Publish /SourceFile:"mydb01.dacpac" /TargetServerName:"mysqlserver.database.windows.net" /TargetDatabaseName:"mydb01" /TargetUser:"sqladmin" /TargetPassword:"mypwd"
I now want to create db users that can connect with "Azure Active Directory - Universal with MFA" option in SSMS. For that a service account has been created in Azure AD and assigned as "Azure Active Directory admin" under Azure SQL Server configuration in Azure Portal.
The SQL database project has users created with this command:
CREATE USER [[email protected]]
FROM EXTERNAL PROVIDER
WITH DEFAULT_SCHEMA = dbo;
ALTER ROLE db_datareader ADD MEMBER [[email protected]]
Deploying the .dacpac file with previous command results in this error, which is understandable:
Principal '[email protected]' could not be created. Only
connections established with Active Directory accounts can create
other Active Directory users
If I use this command locally from my laptop to deploy the database:
SqlPackage.exe /Action:Publish /SourceFile:"mydb01.dacpac" /TargetServerName:"mysqlserver.database.windows.net" /TargetDatabaseName:"mydb01" /ua:True /tid:mydomain.onmicrosoft.com
an Interactive pop-up is shown where I now input credentials for the AAD admin for this Azure SQL Server and deployment works and afterwards the domain user "User01" can connect to the database using Universal Authentication with MFA.
Now the real question is how can I avoid this Interactive Pop-up, as I want to have this automated without the need to input credentials? I want automate the database deployment in my Azure DevOps YAML pipeline by using AAD integration.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您必须设置名为 Azure DevOps 中的服务连接,并为其授予读取和写入数据库所需的权限。创建服务连接后,它将出现在“Azure 订阅”下拉列表中,当您单击 YAML 中的“设置”位时,该下拉列表会出现:
需要
db_owner权限数据库和读者权限在广告上。您可能需要 AD 管理员的一些帮助。这将避免以下错误:一个简单的示例:
我们必须等待才能进行此设置,尤其是 AAD 位,所以我很早就将 AAD 安全性与数据库项目分离,并将其作为每个环境的一次性手动部署作为解决方法。
You have to set up something called a Service Connection in Azure DevOps and give it the permissions it needs to read and write to the database. When you have created the service connection it will appear in the dropdown for 'Azure Subscriptions' which appears when you click the Settings bit in YAML:
It will need
db_ownerpermissions on the database and reader permissions on the AD. You may need some help from your AD admins. This will avoid the following error:A simple example:
We had to wait to get this set up, particularly the AAD bit so early on I decoupled AAD security from the database project and did them as one-off manual deployments per environment as a workaround.