
When I am using workload identity to connect to SQL Server in AKS using .NET Framework, I am getting this error:

login failed for identity principal user

I expected to be able to connect successfully using workload identity.

Thanks in advance.

  • Are you saying that you're running ASP.NET (for .NET Framework - not ASP.NET Core) in a Container and you're also running MSSQL Server in another Container? Or both in the same container? Commented Jun 23, 2024 at 18:28
  • Same container only Commented Jun 24, 2024 at 2:28

1 Answer


If your error message says "login failed for identity principal user", it indicates that the permissions you have in SQL Server for the identity principal are insufficient. The identity has to have sufficient permissions on the SQL server. Use workload identity to set up and connect to your SQL Server from the AKS cluster. To do so, ensure you have a managed identity available.

az identity create --resource-group arkorg --name downtime-identity


Note down the client ID and resource ID of the managed identity above and assign the managed identity to the AKS cluster.

az aks update --resource-group arkorg --name downtime --enable-managed-identity --assign-identity <resource-id-of-downtime-identity>


Create an Azure AD User in SQL Server

Grant Necessary Permissions to the Managed Identity

-- FROM EXTERNAL PROVIDER resolves the principal by its Entra display name
-- (the name passed to az identity create), not by its client ID; if the
-- display name is ambiguous, add WITH OBJECT_ID = '<object-id>' instead.
CREATE USER [downtime-identity] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [downtime-identity];
ALTER ROLE db_datawriter ADD MEMBER [downtime-identity];

Update Your .NET Framework Application. Look at the Active Directory Managed Identity authentication section for better clarity.

Update your deployment YAML with the azure.workload.identity/client-id annotation

apiVersion: apps/v1
kind: Deployment
metadata:
  name: sql-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sql-connection-app
  template:
    metadata:
      labels:
        app: sql-connection-app
        # required: without this label the workload identity webhook does not
        # project the federated token or the AZURE_* environment variables
        azure.workload.identity/use: "true"
      annotations:
        # overrides the client-id annotation set on the service account
        azure.workload.identity/client-id: 03843c85-abcd-efg-hijk-51f37blmnop
    spec:
      # service account (name assumed here) annotated with the identity's
      # client ID and named as the subject of its federated credential
      serviceAccountName: sql-connection-sa
      containers:
      - name: sql-connection-app
        image: arkoacr.azurecr.io/sql-connection-app:latest
        ports:
        - containerPort: 80



2 Comments

You're mixing both managed identity and workload identity processes.
This command, az aks update --resource-group arkorg --name downtime --enable-managed-identity --assign-identity <resource-id-of-downtime-identity>, applies only to managed identity scenarios, where we map the identity resource ID.
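The following is an added example for the .NET Framework side of the setup; it is not code from the question, the answer, or any Microsoft sample. It shows the token path a workload-identity pod actually has: the webhook projects a Kubernetes service-account token into the pod along with AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_AUTHORITY_HOST and AZURE_FEDERATED_TOKEN_FILE, and Azure.Identity's WorkloadIdentityCredential exchanges that token at Entra for an access token scoped to Azure SQL. The IMDS-based "Active Directory Managed Identity" mode can only return an identity attached to the node VM, not the one federated to the pod's service account, so it is the wrong mode here. Assumed: the pod carries the label azure.workload.identity/use: "true", its service account is the subject (system:serviceaccount:<namespace>:<name>) of a federated credential on the managed identity, the server and database names are placeholders, and the packages are Microsoft.Data.SqlClient 5.2+ and Azure.Identity 1.9+ (both ship .NET Framework 4.6.2 targets).

```csharp
using System;
using System.Threading;
using Azure.Core;
using Azure.Identity;
using Microsoft.Data.SqlClient;

// Added example, not from the original post. Server and database names are
// placeholders; the AZURE_* environment variables are assumed to have been
// injected by the AKS workload identity webhook.
internal static class Program
{
    // Token audience for Azure SQL; the same scope the SqlClient providers request.
    private const string SqlScope = "https://database.windows.net/.default";

    // Deliberately no Authentication=, User ID= or Password= keywords: the token
    // is supplied separately through SqlConnection.AccessToken.
    private const string BaseConnectionString =
        "Server=tcp:myserver.database.windows.net,1433;" +
        "Initial Catalog=mydb;Encrypt=True;TrustServerCertificate=False;";

    private static int Main()
    {
        try
        {
            // Reads AZURE_CLIENT_ID / AZURE_TENANT_ID / AZURE_FEDERATED_TOKEN_FILE
            // and performs the client_assertion (jwt-bearer) exchange with Entra.
            var credential = new WorkloadIdentityCredential();
            AccessToken token = credential.GetToken(
                new TokenRequestContext(new[] { SqlScope }), CancellationToken.None);

            using (var connection = new SqlConnection(BaseConnectionString))
            {
                connection.AccessToken = token.Token;
                connection.Open();

                // Shows which principal SQL Server mapped the token to; it must be
                // the user created with CREATE USER ... FROM EXTERNAL PROVIDER.
                using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", connection))
                {
                    Console.WriteLine("Connected as " + cmd.ExecuteScalar());
                }
            }
            return 0;
        }
        catch (CredentialUnavailableException ex)
        {
            // Environment variables or token file missing: the pod is not
            // running under workload identity (label or service account wrong).
            Console.Error.WriteLine("Workload identity not configured in this pod: " + ex.Message);
            return 1;
        }
        catch (SqlException ex) when (ex.Number == 18456)
        {
            // Login failed for user '<token-identified principal>': Entra issued a
            // token, but no contained user in the target database maps to that
            // identity (wrong identity name or object ID in CREATE USER, or the
            // user was created in a different database).
            Console.Error.WriteLine("SQL rejected the token-identified principal: " + ex.Message);
            return 2;
        }
    }
}
```

With Microsoft.Data.SqlClient 5.2 or later the explicit credential code can be replaced by putting Authentication=Active Directory Workload Identity in the connection string, which reads the same environment variables; the AccessToken form above is shown because it works on older SqlClient versions and makes the two failure modes (no token at all versus a token SQL Server does not recognise) easy to tell apart.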
