The Deployment Packager uses the Azure REST API to manage backup and restore operations for the reference database. You can authenticate with the Azure Managed Database REST API using the following SqlServer attributes in the Datical DB GUI:
Azure Client ID
Azure Tenant ID
Azure Client Secret
Azure Resource Group
Azure Subscription ID
Instance Name
The REST API Client Secret is a sensitive credential that should be treated with the same caution as database login credentials. It is strongly recommended that this credential be provided at runtime in an environment variable and not stored in the GUI. For more information, see product documentation about Runtime Credentials.
Additionally, ensure that you selected the Azure SQL Managed Instance connection type and entered the needed instance name.
Azure REST API Settings
Azure REST API settings contain the information about Azure SQL Managed Instance (subscriptionId, tenantId, and resourceGroup) and the information about a service principal (password and appId, which are the Azure Client Secret and Client ID respectively).
Azure REST API settings are only required for Packager processes to support restore and backup operations. You don’t need to configure the Azure REST API settings to execute other commands such as Deploy, Forecast, and others.
You need to create a service principal to get a bearer token and to initiate a point-in-time backup for Azure SQL Managed Instance.
An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources. This access is restricted by the roles assigned to the service principal, giving you control over which resources can be accessed and at which level. For more information, see Create an Azure service principal with the Azure CLI or Create a service principal using the Azure portal.
A bearer token is a security token that grants access to a protected resource. For more information, see OAuth 2.0 and OpenID Connect protocols on the Microsoft identity platform.
You can create a service principal through the Azure portal or CLI. For this, you must have an Owner role and specify it along with the resource group.
An example of the CLI commands and output for creating a service principal:
az login
az ad sp create-for-rbac -n "service_principal_name" --role Owner --scopes /subscriptions/a365ee0452e-67hr-497d/resourceGroups/dev
Changing "service_principal_name" to a valid URI of "http://service_principal_name", which is the required format used for service principal names
Creating 'Owner' role assignment under scope '/subscriptions/a365ee0452e-67hr-497d/resourceGroups/dev'
The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. For more information, see https://aka.ms/azadsp-cli
{
  "appId": "et78acie-some-id",
  "displayName": "service_principal_MI",
  "name": "http://service_principal_MI",
  "password": "bth6-some-password",
  "tenant": "fd564a-some-tenant"
}
Once a service principal is successfully created, ensure the following attributes are available:
appId (Client ID)
password (Client Secret)
This configuration focuses on a single-tenant application, where the application is intended to run within only one organization. You must have permissions to register an application with your Azure AD tenant and to assign a role to the application in your Azure subscription. Also, when you register an application through the Azure portal, an application object and a service principal are automatically created in your home directory or tenant.
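The following script is an added example, not part of the Datical DB product or its documentation. It shows what the Packager's Azure REST API settings amount to when done by hand: the six attributes are read from environment variables (the variable names are this example's own assumption; the product uses its own runtime-credential mechanism), a bearer token is requested from the Microsoft identity platform with the OAuth 2.0 client-credentials grant using the service principal's appId and password, and the token is sent as an Authorization header to the Azure Resource Manager endpoint of the managed instance. The api-version value and the management URL path are assumptions taken from the public Microsoft.Sql REST API and should be checked against current Azure documentation. The secret is never written to a file, placed on a command line, or logged in clear.

```python
import json
import os
import urllib.parse
import urllib.request

# Environment variable names read by this example (an assumption of this
# example; they mirror the six attributes in the Datical DB GUI).
ENV_VARS = {
    "tenant_id": "AZURE_TENANT_ID",
    "client_id": "AZURE_CLIENT_ID",          # appId of the service principal
    "client_secret": "AZURE_CLIENT_SECRET",  # password of the service principal
    "subscription_id": "AZURE_SUBSCRIPTION_ID",
    "resource_group": "AZURE_RESOURCE_GROUP",
    "instance_name": "AZURE_MI_NAME",
}

# Scope that yields a token usable against Azure Resource Manager.
MANAGEMENT_SCOPE = "https://management.azure.com/.default"
# Assumed Microsoft.Sql API version; verify against current Azure docs.
API_VERSION = "2021-11-01"


def load_settings(environ=os.environ):
    """Read every setting from the environment and fail loudly if one is
    missing, so a half-configured run cannot silently fall back to defaults."""
    missing = [var for var in ENV_VARS.values() if not environ.get(var)]
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    return {key: environ[var] for key, var in ENV_VARS.items()}


def build_token_request(tenant_id, client_id, client_secret):
    """URL and form body of an OAuth 2.0 client-credentials token request
    against the tenant's v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": MANAGEMENT_SCOPE,
    }
    return url, urllib.parse.urlencode(form).encode()


def managed_instance_url(subscription_id, resource_group, instance_name):
    """ARM resource URL of the managed instance (assumed path layout)."""
    return (
        "https://management.azure.com"
        f"/subscriptions/{subscription_id}"
        f"/resourceGroups/{resource_group}"
        f"/providers/Microsoft.Sql/managedInstances/{instance_name}"
        f"?api-version={API_VERSION}"
    )


def redact(secret):
    """Log-safe representation of a credential: its length, never its value."""
    return f"<secret, {len(secret)} chars>"


def get_bearer_token(settings, opener=urllib.request.urlopen):
    """POST the token request and return the access_token string."""
    url, body = build_token_request(
        settings["tenant_id"], settings["client_id"], settings["client_secret"]
    )
    req = urllib.request.Request(url, data=body, method="POST")
    with opener(req) as resp:
        return json.load(resp)["access_token"]


def get_managed_instance(settings, token, opener=urllib.request.urlopen):
    """GET the managed instance resource using the bearer token."""
    url = managed_instance_url(
        settings["subscription_id"], settings["resource_group"], settings["instance_name"]
    )
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with opener(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    settings = load_settings()
    # Only the non-secret identifiers are printed; the secret is redacted.
    print("client", settings["client_id"], "secret", redact(settings["client_secret"]))
    token = get_bearer_token(settings)
    instance = get_managed_instance(settings, token)
    print(instance.get("name"), instance.get("properties", {}).get("state"))
```

The request-building functions are separated from the network calls so the URL and body can be checked without contacting Azure; in a real run, `load_settings()` is the only place the secret enters the process, which is the same property the product's runtime-credential recommendation above is meant to give you.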