Adding support for MSI (Managed Service Identities), and AccessTokens… #222
… in sqlConnections.
Just to note that I have added dependencies which may well actually preclude merging, primarily I am just looking for discussion and feedback. If the end result does however prove useful for others that would be great too. |
Hi @darrenschwarz! Thank you for the PR. It seems to be a very useful enhancement. I'm currently in the process of doing a lot of refactoring and cleanup work in the sink to make the code better testable and readable and remove some potentially problematic stuff like missing using blocks and writeable static properties. Also I'm adding lots of unit tests. I would really like to integrate your enhancement but due to the changes in the dev branch the PR will not be able to merge easily. But I promise to add your contribution after I'm done with the refactoring. |
I have now completed integrating Azure Managed Identities as sketched in this PR into the dev branch. Serilog.Sinks.MSSqlServer.5.4.0-dev-00304.nupkg was published to nuget.org and is available for testing. I had no opportunity to test the feature yet myself. So, if you @darrenschwarz, or anyone else who has Azure Managed Identities available, could help and try it, that would be great. Version 5.4.0 allows initializing the sink to use Azure MSI:

```csharp
Log.Logger = new LoggerConfiguration()
    .WriteTo.MSSqlServer(
        connectionString: "Server=...",
        sinkOptions: new SinkOptions
        {
            TableName = "LogEventsTable",
            AutoCreateSqlTable = true,
            // Authenticate with the Azure Managed Identity
            UseAzureManagedIdentity = true,
            AzureServiceTokenProviderResource = "..."
        })
    .CreateLogger();
```
@ckadluba love seeing all the progress being made on this sink :-) 👍 |
I was able to test the Azure Managed Identities authentication with 5.4.0-dev-00304. Here are two screenshots I made during the tests. This one shows the test program I used. And here are the resulting log events in the Azure SQL database. I will still leave this PR open and invite others to report their test results here. |
Thank you very much! 😊 |
@aasif2727 Very good! Please try it out. It would help us a lot. You can supply column options by passing the columnOptions parameter as documented here. https://github.com/serilog/serilog-sinks-mssqlserver#code-only-any-net-target |
Hi Guys, Apologies for delayed response. Thanks for taking a look, and really glad it's proved useful. I'll get round to further review asap. |
Hey Guys, Just spoken with guys on my current project, and we'll get the updates tested, and integrated. Will keep you updated. |
Cool! Thank you very much. This could help us get a regular 5.4.0 release out soon. Please let me know if I can help you with anything. |
Maybe we could catch up on Monday, it would be useful to discuss an optimal test plan. We are keen to get back to inclusion of a regular release in our project. |
FYI, twas an expected hectic start to the week, nevertheless I do intend completing tests in the next couple of days, and will post outcomes here. @ckadluba when done what might be the best channel for a more fluid catch-up? |
Your help is very appreciated, but no hassle :). Just post results or questions here whenever you are ready, I think it's the best place for now. |
@ckadluba to save me some time can you provide an example appsettings.json excerpt to provide the settings? |
Yes, this is similar to the settings that I used. Look at the screenshots above. There you can see my full init code for the sink. The sample app had no appsettings.json. It used only the init code shown in the screenshots. Anyway, a sample appsettings.json containing the Azure Managed Identities properties can be found here (Azure MSI is not activated but still you can see the required structure of the config file): Some questions:
Regarding screen sharing. Yes, this would be possible. But I would not like to disclose my mail address here. What times and dates would be possible for you to do a session? |
So the good news is as I suspected the issue was with config. Using the simple config as below everything works as one would hope. Where there is still an issue is with the current config used in Prod similar to below:
@ckadluba I'll get back to you later today with date/times that we could catch up. |
@darrenschwarz Glad to hear that. The problem seems to be the parameter structure. The sink has a new interface using a Try to change this

```json
"AuditTo": [
  {
    "Name": "MSSqlServer",
    "Args": {
      "connectionString": "DefaultConnection",
      "schemaName": "dbo",
      "tableName": "MyAuthAuditTable",
      "restrictedToMinimumLevel": "Information",
      "useAzureManagedIdentity": true,
      "azureServiceTokenProviderResource": "https://database.windows.net/"
    }
  }
]
```

to that:

```json
"AuditTo": [
  {
    "Name": "MSSqlServer",
    "Args": {
      "connectionString": "DefaultConnection",
      "restrictedToMinimumLevel": "Information",
      "sinkOptionsSection": {
        "schemaName": "dbo",
        "tableName": "MyAuthAuditTable",
        "useAzureManagedIdentity": true,
        "azureServiceTokenProviderResource": "https://database.windows.net/"
      }
    }
  }
]
```
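Added example, not part of the thread or of the sink's code: a small C# check that flags the two Azure MSI settings when they sit directly under `Args` instead of inside `sinkOptionsSection`, which is the difference between the two configurations in the comment above. The class and method names are hypothetical, the enclosing `Serilog` root section is an assumption (the thread shows only the `AuditTo` fragment), and the sample input is constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;

static class SinkConfigLint // hypothetical helper, not part of Serilog.Sinks.MSSqlServer
{
    // The two MSI settings that the comment above moves into "sinkOptionsSection".
    static readonly HashSet<string> MsiKeys = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "useAzureManagedIdentity", "azureServiceTokenProviderResource" };

    // Returns one finding per MSI key placed directly under "Args" of an MSSqlServer sink.
    // Section names ("Serilog", "Name", "Args") are matched with the casing used in the thread.
    public static List<string> FindMisplacedMsiKeys(string appSettingsJson)
    {
        var findings = new List<string>();
        using var doc = JsonDocument.Parse(appSettingsJson);
        var root = doc.RootElement;
        if (root.ValueKind != JsonValueKind.Object) return findings;
        if (!root.TryGetProperty("Serilog", out var serilog) || serilog.ValueKind != JsonValueKind.Object)
            return findings; // assumption: sinks are configured under a "Serilog" section
        foreach (var listName in new[] { "WriteTo", "AuditTo" })
        {
            if (!serilog.TryGetProperty(listName, out var sinks) || sinks.ValueKind != JsonValueKind.Array)
                continue;
            foreach (var sink in sinks.EnumerateArray())
            {
                if (sink.ValueKind != JsonValueKind.Object) continue; // e.g. a bare sink name
                if (!sink.TryGetProperty("Name", out var name) || name.ValueKind != JsonValueKind.String
                    || name.GetString() != "MSSqlServer") continue;
                if (!sink.TryGetProperty("Args", out var args) || args.ValueKind != JsonValueKind.Object)
                    continue;
                foreach (var arg in args.EnumerateObject())
                    if (MsiKeys.Contains(arg.Name))
                        findings.Add($"{listName}: move \"{arg.Name}\" from Args into sinkOptionsSection");
            }
        }
        return findings;
    }

    static void Main()
    {
        // Constructed sample input in the old, flat style quoted above.
        const string sample = @"{ ""Serilog"": { ""AuditTo"": [ { ""Name"": ""MSSqlServer"", ""Args"": {
            ""connectionString"": ""DefaultConnection"", ""tableName"": ""MyAuthAuditTable"",
            ""useAzureManagedIdentity"": true,
            ""azureServiceTokenProviderResource"": ""https://database.windows.net/"" } } ] } }";
        foreach (var finding in FindMisplacedMsiKeys(sample)) Console.WriteLine(finding);
    }
}
```

Run against the second, nested configuration the method returns an empty list, because the MSI keys are then children of `sinkOptionsSection` rather than of `Args`.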
Aha new interface only! Of course makes a lot of sense
This test is using an instance of Identity Server as a means to raise some events for logging / audit as below.... and appsettings.json... Happy days! All working as expected... ...and looks good to go. :) |
Very cool! Thank you for the contribution and for testing. 👍 I will close this PR now and make a 5.4.0 release soon. |
@ckadluba you can send me contact details to contactforpr222@gmail.com. Thanks |
Hi Guys,
Recently we have had a requirement imposed that all SQL connections in Azure are made using MSI, and hence the need to add token access support.
I'd really appreciate it if anyone has the time to review this implementation.
Scathing criticism welcome <winces> :o)
Thanks