Liquibase Enterprise uses the Azure REST API to perform a point-in-time restore during packaging for Azure SQL Managed Instances. The Deployment Packager uses the Azure REST API to manage backup and restore operations for the reference database.
You can authenticate to the Azure REST API for Azure SQL Managed Instance with either a client certificate or a client secret. In your Azure REST API settings, choose Certificate Authentication or Client Secret Authentication. The following SqlServer attributes are available in the Datical DB GUI:
Azure Client ID
Azure Tenant ID
Azure Client Secret (for Client Secret Authentication only)
Azure Resource Group
Azure Subscription ID
Instance Name
Info: The REST API Client Secret is a sensitive credential and should be treated with the same caution as database login credentials. For this reason, it is strongly recommended that you provide it at runtime in an environment variable rather than storing it in the GUI. For more information, see the Runtime Credentials documentation.
Additionally, ensure that you have selected the Azure SQL Managed Instance connection type and entered the required instance name.
...
Azure REST API Settings
Azure REST API settings contain the information about the Azure SQL Managed Instance (subscriptionId, tenantId, and resourceGroup) and the information about the service principal (password and appId, which are the Azure Client Secret and Client ID respectively).
Info: Azure REST API settings are only required for
...
Client Secret Authentication
Client Secret Authentication requires the Azure SQL Managed Instance information and two service principal attributes: the Azure Client Secret and the Client ID. You therefore need to create a service principal; Datical DB uses it to obtain a bearer token and to initiate the point-in-time restore for the Azure SQL Managed Instance.
An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources. Access is restricted by the roles assigned to the service principal, which gives you control over which resources can be accessed and at what level. For more information, see Create an Azure service principal with the Azure CLI or Create a service principal using the Azure portal.
A bearer token is a security token that grants access to a protected resource. For more information, see OAuth 2.0 and OpenID Connect protocols on the Microsoft identity platform.
You can create a service principal through the Azure portal or the CLI. You must have the Owner role, and you assign it to the service principal scoped to the resource group that contains the managed instance rather than to the whole subscription, so that a leaked credential cannot reach other resources.
Once a service principal is successfully created, ensure the following attributes are available:
...
This configuration focuses on a single-tenant application, where the application is intended to run within only one organization. You must have permissions to register an application with your Azure AD tenant and to assign a role to the application in your Azure subscription. When you register an application through the Azure portal, an application object and a service principal are automatically created in your home directory (tenant).
Using Client Secret Authentication
To use Azure Active Directory Client Authentication in the CLI, you need to run the
There is no need to submit a username and password when you use Azure Active Directory Authentication.
You can find all arguments for the
To use Azure Active Directory Client Authentication in the Datical DB GUI, follow these steps:
Now you can use Datical DB functionality such as the Deploy Packager backup and restore processes. For more information, see Packager backup and restore process for SQL Server and Azure SQL Managed Instance.
Client Certificate Authentication
Client Certificate Authentication requires the Azure SQL Managed Instance information and one service principal attribute, the Client ID. To use the certificate authentication mechanism, you also need:
An X509 certificate.
A private key in PKCS#8 format. It must be unencrypted (no password), so protect the key file with restrictive filesystem permissions instead of a passphrase.
Environment variables: DDB_AZURE_CLIENT_CERT is the absolute path to the client certificate, and DDB_AZURE_CERT_KEY is the absolute path to the private key for the client certificate.
Creating a Service Principal
An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources. The roles assigned to the service principal control which resources can be accessed and at what level. For more information, see Create an Azure service principal with the Azure CLI or Create a service principal using the Azure portal.
You can create a service principal through the Azure portal or the CLI. You must have the Owner role, and you assign it to the service principal scoped to the resource group that contains the managed instance rather than to the whole subscription.
Once the service principal is successfully created, ensure the appId (Client ID) attribute is available.
Creating a Client Certificate and Private Key Using the OpenSSL Utility
Info: If you already have certificates, you can skip the following steps.
To create an X509 certificate and private key, follow these steps:
In OpenSSL, run the following command, replacing the example values with your own:
```bash
# C must be a two-letter country code; OpenSSL rejects longer values such as "USA"
openssl req -x509 -days 365 -nodes -newkey rsa:4096 -keyout azure_test_pk.key \
  -out azure_test_certificate.crt \
  -subj "/C=US/ST=Texas/L=Austin/CN=www.liquibase.com/emailAddress=example@liquibase.com"
```
The command creates the azure_test_certificate.crt certificate file and the azure_test_pk.key private key file; because of -nodes the key is not password-protected.
Convert the private key from PEM to unencrypted PKCS#8 in DER encoding by running the following command with your values:
```bash
openssl pkcs8 -topk8 -inform PEM -outform DER -in azure_test_pk.key \
  -out azure_test_pk_decrypted.key -nocrypt
```
The command creates azure_test_pk_decrypted.key, which you can use for Azure Active Directory Client Certificate Authentication in Datical DB. Because of -nocrypt the file holds the key in the clear, so restrict its permissions (for example, chmod 600) and never commit it to source control.
Uploading a Client Certificate to Azure App Registrations
Log in to your Microsoft Azure account.
Go to Azure Active Directory and select App registrations on the left side of the page.
Select All applications and choose an app that you want to use for the Azure SQL Managed Instance deployment.
On the left side of the page, select Certificates & secrets.
Select Upload certificate and upload the generated certificate.
Once you have the certificate and private key, you can use Azure Active Directory Client Certificate Authentication and run Deploy Packager.
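The following Go program is an added example; it is not part of the Liquibase or Datical DB product and was not on the original page. It ties together the requirements listed under Client Certificate Authentication and the OpenSSL steps above: it loads the PEM certificate and the unencrypted PKCS#8 DER key that those steps produce, refuses a key that does not belong to the certificate, computes the SHA-1 thumbprint that the Azure portal displays after the upload so you can compare the two, and builds the RS256-signed client assertion (RFC 7523) that replaces a client secret in the OAuth 2.0 client-credentials request, with the client-secret form shown for comparison. The function names, the sample tenant and client IDs in the usage, and the five-minute lifetime are this example's own choices; the token endpoint, scope and form fields follow the Microsoft identity platform documentation. Only the Go standard library is used.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"net/url"
	"time"
)

// Credential is the pair Datical DB reads from DDB_AZURE_CLIENT_CERT (PEM
// certificate) and DDB_AZURE_CERT_KEY (unencrypted PKCS#8 DER private key).
type Credential struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

// ParseCredential rejects the usual mistakes: a non-PEM certificate, a key that is
// not unencrypted PKCS#8 DER (the pkcs8 -nocrypt step was skipped), and a key
// that no longer belongs to the certificate after one of the two was rotated.
func ParseCredential(certPEM, keyDER []byte) (*Credential, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("certificate file is not a PEM CERTIFICATE")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	parsed, err := x509.ParsePKCS8PrivateKey(keyDER)
	if err != nil {
		return nil, fmt.Errorf("key is not unencrypted PKCS#8 DER: %w", err)
	}
	key, ok := parsed.(*rsa.PrivateKey)
	if !ok || !key.PublicKey.Equal(cert.PublicKey) {
		return nil, fmt.Errorf("private key is not RSA or does not match the certificate")
	}
	return &Credential{Cert: cert, Key: key}, nil
}

// Thumbprint is the SHA-1 fingerprint shown under Certificates & secrets after
// the upload; compare it to confirm the right .crt file was chosen.
func (c *Credential) Thumbprint() string {
	sum := sha1.Sum(c.Cert.Raw)
	return fmt.Sprintf("%X", sum[:])
}

// TokenEndpoint is the tenant's v2.0 token URL; it is also the JWT audience.
func TokenEndpoint(tenantID string) string {
	return "https://login.microsoftonline.com/" + tenantID + "/oauth2/v2.0/token"
}

func b64JSON(v map[string]any) string {
	b, _ := json.Marshal(v) // string and integer values cannot fail to marshal
	return base64.RawURLEncoding.EncodeToString(b)
}

// ClientAssertion builds the RS256 JWT (RFC 7523) that replaces the client secret:
// x5t is the base64url SHA-1 thumbprint Azure uses to select the uploaded
// certificate, iss and sub are the app (client) ID, and the lifetime is short.
func (c *Credential) ClientAssertion(tenantID, clientID string, now time.Time) (string, error) {
	sum := sha1.Sum(c.Cert.Raw)
	jti := make([]byte, 16) // required token ID; must be unique per assertion
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	header := map[string]any{"alg": "RS256", "typ": "JWT",
		"x5t": base64.RawURLEncoding.EncodeToString(sum[:])}
	claims := map[string]any{"aud": TokenEndpoint(tenantID), "iss": clientID,
		"sub": clientID, "jti": fmt.Sprintf("%x", jti),
		"nbf": now.Unix(), "exp": now.Add(5 * time.Minute).Unix()}
	signingInput := b64JSON(header) + "." + b64JSON(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, c.Key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// TokenForm is the body POSTed to TokenEndpoint. With a certificate the signed
// assertion goes in client_assertion; with a client secret the secret itself is
// sent, which is why it belongs in an environment variable rather than the GUI.
func TokenForm(clientID, assertion, clientSecret string) url.Values {
	form := url.Values{"grant_type": {"client_credentials"}, "client_id": {clientID},
		"scope": {"https://management.azure.com/.default"}} // Azure Resource Manager
	if assertion != "" {
		form.Set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
		form.Set("client_assertion", assertion)
	} else {
		form.Set("client_secret", clientSecret)
	}
	return form
}
```

Call ParseCredential with the contents of the files named by DDB_AZURE_CLIENT_CERT and DDB_AZURE_CERT_KEY, then POST TokenForm(clientID, assertion, "").Encode() to TokenEndpoint(tenantID) as application/x-www-form-urlencoded; the access_token in the JSON response is the bearer token used against the Azure REST API. A key the product cannot use fails inside ParseCredential before any network call, which makes it the check to run after rotating either file.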
Using Client Certificate Authentication
To use Azure Active Directory Client Certificate Authentication in the CLI, you need to:
There is no need to submit a username and password when you use Azure Active Directory Authentication.
You can find all arguments for the
After running the
Before you start using the Datical DB GUI and configure Azure REST API settings to perform a point-in-time restore during packaging for Azure SQL Managed Instances, set the following environment variables on the system that runs Datical DB with certificate authentication:
To use Client Certificate Authentication in the Datical DB GUI, follow these steps:
Now you can use Datical DB functionality such as the Deploy Packager backup and restore processes. For more information, see Packager backup and restore process for SQL Server and Azure SQL Managed Instance.