Configuring Azure AD with PostgreSQL in TSB
This guide explains how to integrate Azure Active Directory (now Microsoft Entra ID) with Tetrate Service Bridge (TSB) to enable authentication for TSB components (e.g., the TSB API server) running in Azure Kubernetes Service (AKS) when interacting with Azure PostgreSQL without storing sensitive credentials in Kubernetes Secrets.
Before you begin:
✓ Make sure kubectl or helm is set up to communicate with your management cluster.
✓ Make sure Azure CLI is set up to your Azure subscription.
Replace the placeholder values enclosed in angle brackets with the corresponding real values. You can modify all other values to suit your specific needs.
If you have already completed some of the steps in this guide, you can skip them and go to the next step.
Enabling OIDC and Azure Workload Identity on your AKS cluster
You need to enable OIDC and Azure Workload Identity on your AKS cluster. You can use following command to enable OIDC and Azure Workload Identity on your existing AKS cluster:
export RESOURCE_GROUP="<your-azure-resource-group>"
export LOCATION="<your-azure-region>"
export CLUSTER_NAME="<your-aks-name>"
az aks update \
-g $RESOURCE_GROUP \
-n $CLUSTER_NAME \
--enable-oidc-issuer \
--enable-workload-identity
Setting up a managed identity
Create a managed identity for TSB to use when authenticating with Azure PostgreSQL.
export USER_ASSIGNED_IDENTITY_NAME="passswordless-tsb-identity"
az identity create \
--name $USER_ASSIGNED_IDENTITY_NAME \
--resource-group $RESOURCE_GROUP \
--location $LOCATION
Then gather its ID for next steps
export IDENTITY_CLIENT_ID=$(az identity show --resource-group $RESOURCE_GROUP --name $USER_ASSIGNED_IDENTITY_NAME --query 'clientId' -otsv)
Create a PostgreSQL server
Make sure that the PostgreSQL server is configured to allow access from the AKS cluster. You can do this by enabling public access, adding the AKS cluster's IP address to the server's firewall rules or using Private Endpoints.
Azure Database for PostgreSQL has two modes: Single Server and Flexible Server. You can use either mode with TSB.
export DATABASE_SERVER_NAME="tsb-postgres"
export DATABASE_LOCAL_USER="tsbpguser"
export DATABASE_PASSWORD="<very-secure-password>"
export DATABASE_NAME="tsb"
- Flexible Server
- Single Server
Create a PostgreSQL server
az postgres flexible-server create \
--name $DATABASE_SERVER_NAME \
--resource-group $RESOURCE_GROUP \
--sku-name Standard_D2s_v3 \
--admin-user $DATABASE_LOCAL_USER \
--admin-password $DATABASE_PASSWORD \
--active-directory-auth enabled
Create a firewall rule to allow access from the AKS cluster
az postgres flexible-server firewall-rule create \
--resource-group $RESOURCE_GROUP \
--name $DATABASE_SERVER_NAME \
--rule-name $DATABASE_SERVER_NAME-database-allow-local-ip \
--start-ip-address 0.0.0.0 \
--end-ip-address 255.255.255.255 \
-o tsv
Create a database that will be used by TSB
az postgres flexible-server db create \
--resource-group $RESOURCE_GROUP \
--database-name $DATABASE_NAME \
--server-name $DATABASE_SERVER_NAME \
-o tsv
Create a PostgreSQL server
az postgres server create \
--resource-group $RESOURCE_GROUP \
--name $DATABASE_SERVER_NAME \
--location $LOCATION \
--sku-name B_Gen5_1 \
--storage-size 5120 \
--admin-user $DATABASE_LOCAL_USER \
--admin-password $DATABASE_PASSWORD \
-o tsv
Create a firewall rule to allow access from the AKS cluster
az postgres server firewall-rule create \
--resource-group $RESOURCE_GROUP \
--name $DATABASE_SERVER_NAME-database-allow-local-ip \
--server $DATABASE_SERVER_NAME \
--start-ip-address 0.0.0.0 \
--end-ip-address 255.255.255.255 \
-o tsv
Create a database that will be used by TSB
az postgres db create \
--resource-group $RESOURCE_GROUP \
--name $DATABASE_NAME \
--server-name $DATABASE_SERVER_NAME \
-o tsv
Configure Azure AD authentication for PostgreSQL
You need Azure AD admin credentials to configure Azure AD authentication for PostgreSQL. You can use following command to put yourself as an Azure AD Admin so you can complete this step.
- Flexible Server
- Single Server
export DATABASE_AAD_ADMIN_OBJECT_ID=$(az ad signed-in-user show --query "[id]" -o tsv)
export DATABASE_AAD_ADMIN_NAME=$(az ad signed-in-user show --query "[userPrincipalName]" -o tsv)
az postgres flexible-server ad-admin create \
--server-name $DATABASE_SERVER_NAME \
-g $RESOURCE_GROUP \
--display-name $DATABASE_AAD_ADMIN_NAME \
--object-id $DATABASE_AAD_ADMIN_OBJECT_ID
export DATABASE_AAD_ADMIN_OBJECT_ID=$(az ad signed-in-user show --query "[id]" -o tsv)
export DATABASE_AAD_ADMIN_NAME=$(az ad signed-in-user show --query "[userPrincipalName]" -o tsv)
az postgres server ad-admin create \
--server-name $DATABASE_SERVER_NAME \
-g $RESOURCE_GROUP \
--display-name $DATABASE_AAD_ADMIN_NAME \
--object-id $DATABASE_AAD_ADMIN_OBJECT_ID
Then create user in PostgreSQL server that connected to previously created managed Identity. Before you continue, get managed identity client id and database name from previous steps:
echo $IDENTITY_CLIENT_ID
echo $DATABASE_NAME
Login to the PostgreSQL server using the Azure AD admin credentials you created earlier.
- Flexible Server
- Single Server
export PGPASSWORD=$(az account get-access-token --resource-type oss-rdbms --query "[accessToken]" -o tsv)
psql "host=$DATABASE_SERVER_NAME.postgres.database.azure.com port=5432 dbname=postgres user=$DATABASE_AAD_ADMIN_NAME sslmode=require"
export DATABASE_APPLICATION_USER=$DATABASE_AAD_ADMIN_NAME@$DATABASE_SERVER_NAME
export PGPASSWORD=$(az account get-access-token --resource-type oss-rdbms --query "[accessToken]" -o tsv)
psql "host=$DATABASE_SERVER_NAME.postgres.database.azure.com port=5432 dbname=$DATABASE_NAME user=$DATABASE_APPLICATION_USER sslmode=require"
In the psql shell, run the following commands to create a user that linked to managed identity and grant it access to the database. Replace <IDENTITY_CLIENT_ID>
and <DATABASE_NAME>
with the corresponding real values that you got above.
In the following example, you use tsbaduser
as the database user name that TSB will use.
You will use this name later when configuring TSB PostgreSQL data store.
- Flexible Server
- Single Server
select * from pgaadauth_create_principal_with_oid('tsbaduser', '<IDENTITY_CLIENT_ID>', 'service', false, false);
select * from pgaadauth_list_principals(false);
SET aad_validate_oids_in_tenant = off;
CREATE ROLE tsbaduser WITH LOGIN PASSWORD '<IDENTITY_CLIENT_ID>' IN ROLE azure_ad_user;
GRANT ALL PRIVILEGES ON DATABASE <DATABASE_NAME> TO tsbaduser;
Then exit the psql shell.
At this point, you have a PostgreSQL server configured to allow access from the AKS cluster and a database user that can access the TSB database using Azure AD authentication.
Create the federated credential
Create a federated credential for the managed identity you created earlier. This credential will be used by TSB to authenticate with Azure PostgreSQL. You need create two federated credentials, one for the TSB API server and one for the TSB IAM server service account since both of them need to access Azure PostgreSQL.
Get the OIDC issuer URL for your AKS cluster:
export AKS_OIDC_ISSUER=$(az aks show -n ${CLUSTER_NAME} -g ${RESOURCE_GROUP} --query 'oidcIssuerProfile.issuerUrl' -otsv)
The service account name for TSB API server is tsb-tsb
and the service account name for TSB IAM server is tsb-iam
.
Do not change these names.
Create the federated credential for the TSB API server:
export FEDERATED_IDENTITY_CREDENTIAL_NAME="tsb-federated-identity"
export NAMESPACE_NAME="tsb"
export SERVICE_ACCOUNT_NAME="tsb-tsb"
az identity federated-credential create \
--name ${FEDERATED_IDENTITY_CREDENTIAL_NAME} \
--identity-name ${USER_ASSIGNED_IDENTITY_NAME} \
--resource-group ${RESOURCE_GROUP} \
--issuer ${AKS_OIDC_ISSUER} \
--subject system:serviceaccount:${NAMESPACE_NAME}:${SERVICE_ACCOUNT_NAME}
Then create another federated credential for the TSB IAM server service account:
export FEDERATED_IDENTITY_CREDENTIAL_NAME="tsb-iam-federated-identity"
export SERVICE_ACCOUNT_NAME="tsb-iam"
az identity federated-credential create \
--name ${FEDERATED_IDENTITY_CREDENTIAL_NAME} \
--identity-name ${USER_ASSIGNED_IDENTITY_NAME} \
--resource-group ${RESOURCE_GROUP} \
--issuer ${AKS_OIDC_ISSUER} \
--subject system:serviceaccount:${NAMESPACE_NAME}:${SERVICE_ACCOUNT_NAME}
Configure TSB
Now you can configure TSB to use the federated credential you created earlier to authenticate with Azure PostgreSQL. Configure your Management Plane Helm values or CR with following entry under spec.dataStore.postgres
. Replace placeholder values with the corresponding real values.
- Flexible Server
- Single Server
postgres:
address: <DATABASE_SERVER_NAME>.postgres.database.azure.com:5432
sslMode: require
azureIdentity:
clientId: <IDENTITY_CLIENT_ID>
userName: tsbaduser
tokenTtl: 3600s
name: <DATABASE_NAME>
...
postgres:
address: <DATABASE_SERVER_NAME>.postgres.database.azure.com:5432
sslMode: require
azureIdentity:
clientId: <IDENTITY_CLIENT_ID>
userName: tsbaduser@<DATABASE_SERVER_NAME>
tokenTtl: 3600s
name: <DATABASE_NAME>
...
The minimum token TTL is 3600s (1 hour). You can increase this value to reduce the number of token refreshes. See here for more information.
Then apply your changes. This new configuration enable TSB pods in AKS to access Azure PostgreSQL via federated credentials.
Troubleshooting
If you encounter any issues
- Check the
tsb
oriam
logs for more information. - Make sure that you use correct database name and address.
- Make sure that you use correct database user name that linked to managed identity.