
We want to import a bacpac file from Blob storage into Azure SQL Server through an Azure Function, which is a Blob trigger function.

We have implemented it as follows:

    // Requires: using System.Net.Http; using System.Net.Http.Headers; using System.Text;
    log.Info($"C# Blob trigger function Processed blob\n Name:{name} \n Size: {myBlob.Length} Bytes");

    // Management endpoint for the SQL server import operation
    var apimUrl = "https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sqlRG/providers/Microsoft.Sql/servers/sqldev/import?api-version=2014-04-01";

    // Import request body (placeholder key and credentials)
    var content = "{'databaseName': 'TestDbImport'," +
        "'edition': 'Basic'," +
        "'serviceObjectiveName': 'Basic'," +
        "'maxSizeBytes': '2147483648'," +
        "'storageKeyType': 'SharedAccessKey'," +
        "'storageKey': 'xxxxxxx'," +
        "'storageUri': 'https://account.blob.core.windows.net/sql-backup/test.bacpac'," +
        "'administratorLogin': 'user'," +
        "'administratorLoginPassword': 'password'," +
        "'authenticationType': 'SQL'}";

    var AADToken = "token";

    // Create the client once and attach the authentication headers
    HttpClient Client = new HttpClient();
    Client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", AADToken);
    Client.DefaultRequestHeaders.Add("Ocp-Apim-Subscription-Key","subKey");
    // Send the body with a JSON content type
    var foo = Client.PostAsync(apimUrl, new StringContent(content, Encoding.UTF8, "application/json")).Result;
    log.Info($"result: {foo}");

I need help understanding how to get the AADToken as well as the subKey, which need to be passed in the header to authenticate this request. (Also, I am confused about why I need to authenticate when everything will be executed within Azure itself.)

If I do not pass the header, I get a 401 (Unauthorized) error code.


1 Answer


It goes without saying that you will need to provide a valid bearer token to the request. You have a couple of options to request a token.

Managed Service Identity

Managed Service Identities are relatively new, introduced in the last year. Think of these as service accounts for your applications that allow them to talk with other applications. It's essentially abstracting away some of the complexity and manual steps of setting up and authenticating with Azure AD Apps (see below). More details can be found at https://docs.microsoft.com/en-us/azure/app-service/app-service-managed-service-identity . Managed Service Identities are quickly becoming the default best practice for Azure resources authenticating to each other.

Azure AD Application

This is the traditional way of accessing a token from within any service (cloud or on-premise):

  • Set up an Azure AD Application that your application will use to request tokens through. Azure AD is based on OAuth, which supports various ways to request tokens. Due to the nature of your application executing without user interaction, you will need to use a grant flow that does not require a user, such as a client credential grant (start with a full trust app in Azure AD). Your Azure AD application will require the proper permissions to work with your resource.

  • I recommend using a client-side library to assist in the various authentication flows. The most common ones in .NET are the various ADAL libraries (https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-libraries).

  • Use the library in conjunction with your Azure AD app-specific settings (client id, client secret, etc.) to request a token. That token is passed in as part of your header on your HTTP request. At the end of the day, if you're using the ADAL library for .NET, your code will look something like this to request a token:


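    // Requires: using Microsoft.IdentityModel.Clients.ActiveDirectory;
    // Client id and client secret of the Azure AD application
    ClientCredential clientCredential = new ClientCredential("<clientId>", "<clientSecret>");
    AuthenticationContext authenticationContext = new AuthenticationContext("https://login.microsoftonline.com/<tenantId>");
    AuthenticationResult result = await authenticationContext.AcquireTokenAsync("https://resourceUrl", clientCredential);
    // result.AccessToken is the bearer token to send in the Authorization header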

These are some pretty high-level steps. Either way, whether it be directly with an Azure AD app or through a managed service account, you will need to provide access to the resource you are working with. I would suggest creating a new question if you have questions about specific steps/options, as they are not anything specific to Azure Functions.
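
The managed identity option described in the answer, as an added example that is not part of the original answer: the Function asks the local App Service identity endpoint for a token for `https://management.azure.com/`, so no client secret is stored in code. It assumes a system-assigned identity is enabled on the Function App and the `IDENTITY_ENDPOINT` / `IDENTITY_HEADER` protocol (api-version 2019-08-01); the class and method names are hypothetical.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

// Hypothetical helper: bearer token for management.azure.com via managed identity.
public static class ArmTokenExample
{
    private static readonly HttpClient Http = new HttpClient(); // one shared instance

    // Builds the request to the local token service. The X-IDENTITY-HEADER value
    // shows the call originates inside this app (SSRF mitigation).
    public static HttpRequestMessage BuildTokenRequest(string endpoint, string header)
    {
        var resource = Uri.EscapeDataString("https://management.azure.com/");
        var req = new HttpRequestMessage(HttpMethod.Get,
            $"{endpoint}?resource={resource}&api-version=2019-08-01");
        req.Headers.Add("X-IDENTITY-HEADER", header);
        return req;
    }

    // Extracts access_token from the JSON response; fails closed if it is absent.
    public static string ParseAccessToken(string json)
    {
        var token = (string)JObject.Parse(json)["access_token"];
        if (string.IsNullOrEmpty(token))
            throw new InvalidOperationException("No access_token in identity response.");
        return token;
    }

    public static async Task<string> GetArmTokenAsync()
    {
        // Both variables are injected by the platform once the identity is enabled.
        var endpoint = Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT");
        var header = Environment.GetEnvironmentVariable("IDENTITY_HEADER");
        if (string.IsNullOrEmpty(endpoint) || string.IsNullOrEmpty(header))
            throw new InvalidOperationException("Managed identity is not enabled.");
        using (var resp = await Http.SendAsync(BuildTokenRequest(endpoint, header)))
        {
            resp.EnsureSuccessStatusCode(); // never log the response body: it holds the token
            return ParseAccessToken(await resp.Content.ReadAsStringAsync());
        }
    }

    // Authorization header for the import request shown in the question.
    public static async Task<AuthenticationHeaderValue> GetArmAuthHeaderAsync() =>
        new AuthenticationHeaderValue("Bearer", await GetArmTokenAsync());
}
```

The identity still has to be granted a role on the SQL server before the management API will accept the token, and the storage key and SQL administrator password in the request body are better read from application settings than written as literals.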