Skip to content

feat: Create Separate User Assigned Identity for SQL DB with Specified Access #688

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Parent: fix: Dev to main merge
merged 5 commits into from
Sep 30, 2025
Merged

feat: Create Separate User Assigned Identity for SQL DB with Specified Access #688

merged 5 commits into from
Sep 30, 2025

Conversation

@Vamshi-Microsoft
Copy link
Contributor

Purpose

This pull request introduces a dedicated user-assigned managed identity for SQL database operations with limited permissions, separating it from the web app's managed identity. The infrastructure, environment outputs, deployment scripts, and backend code are updated to consistently use this new SQL-specific identity for database access, improving security and permission scoping. Additionally, minor improvements are made to resource naming and redundancy settings.

Managed Identity Separation and Security Improvements:

  • Added a new sqlUserAssignedIdentity resource in infra/main.bicep to serve as a dedicated managed identity for SQL operations, with limited permissions (db_datareader, db_datawriter).
  • Updated the Key Vault access policy to grant the new SQL managed identity the Key Vault Secrets User role.
  • Modified the web app deployment to assign both the general and SQL-specific managed identities, and updated the SQLDB_USER_MID environment variable to use the SQL identity's client ID. [1] [2]

Infrastructure and Output Adjustments:

  • Added outputs for the SQL managed identity's name and client ID, and clarified output descriptions. [1] [2]
  • Updated the SQL database redundancy configuration to use zoneRedundant and clarified availabilityZone assignment for Azure best practices.
  • Improved naming conventions for private DNS zone resources.

Script and Backend Refactoring:

  • Refactored process_sample_data.sh to use the SQL managed identity for database operations, including argument names, environment variable lookups, and user/role assignment logic. [1] [2] [3] [4]
  • Updated backend configuration (config.py and sqldb_service.py) to distinguish between the web app and SQL managed identities, using the correct identity for SQL authentication. [1] [2]

Does this introduce a breaking change?

  • Yes
  • No

Golden Path Validation

  • I have tested the primary workflows (the "golden path") to ensure they function correctly without errors.

Deployment Validation

  • I have validated the deployment process successfully and all services are running as expected with this change.

@Vamshi-Microsoft Vamshi-Microsoft merged commit 103420b into dev Sep 30, 2025
5 checks passed
@github-actions
Copy link

github-actions bot commented Oct 3, 2025

🎉 This PR is included in version 1.9.2 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Prajwal-Microsoft Prajwal-Microsoft Prajwal-Microsoft approved these changes

@Avijit-Microsoft Avijit-Microsoft Awaiting requested review from Avijit-Microsoft Avijit-Microsoft is a code owner

@Roopan-Microsoft Roopan-Microsoft Awaiting requested review from Roopan-Microsoft Roopan-Microsoft is a code owner

@Vinay-Microsoft Vinay-Microsoft Awaiting requested review from Vinay-Microsoft Vinay-Microsoft is a code owner

@aniaroramsft aniaroramsft Awaiting requested review from aniaroramsft aniaroramsft is a code owner

Assignees

No one assigned

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Vamshi-Microsoft @Prajwal-Microsoft