Use Azure Service Principal to Access Azure Resources

You can use an Azure service principal with Autonomous Database to access Azure resources without having to create and store your own credential objects in the database.

Enable Azure Service Principal

Enable Azure service principal authentication to allow Autonomous Database to access Azure services without providing long-term credentials.

Note

To use Autonomous Database with Azure service principal authentication you need a Microsoft Azure account. See Microsoft Azure for details.

To enable Azure service principal authentication on Autonomous Database:

  1. Obtain your Microsoft Azure Active Directory tenant ID.
  2. Enable Azure service principal with DBMS_CLOUD_ADMIN.ENABLE_PRINCIPAL_AUTH.

    For example:

    BEGIN
        DBMS_CLOUD_ADMIN.ENABLE_PRINCIPAL_AUTH(
            provider => 'AZURE',
            username => 'adb_user',
            params   => JSON_OBJECT('azure_tenantid' value 'azure_tenantID'));
    END;
    /

    This enables Azure service principal authentication and creates an Azure application on Autonomous Database.

    If you want the specified user to have privileges to enable Azure service principal for other users, set the params parameter grant_option to TRUE.

    For example:

    BEGIN
        DBMS_CLOUD_ADMIN.ENABLE_PRINCIPAL_AUTH(
            provider => 'AZURE',
            username => 'adb_user',
            params   => JSON_OBJECT('grant_option' value TRUE, 
                                    'azure_tenantid' value 'azure_tenantID'));
    END;
    /

    After you run this command, adb_user can enable Azure service principal for another user. For example, if you connect as adb_user, you can run the following command:

    BEGIN
        DBMS_CLOUD_ADMIN.ENABLE_PRINCIPAL_AUTH(
            provider => 'AZURE',
            username => 'adb_user2');
    END;
    /

See ENABLE_PRINCIPAL_AUTH Procedure for more information.

Provide Azure Application Consent and Assign Roles

To access Azure resources from Autonomous Database with Azure service principal authentication you must consent the Azure application and assign roles to allow access to your Azure resources.

To provide Azure application consent and assign roles, perform the following steps:

  1. On Autonomous Database query CLOUD_INTEGRATIONS.

    For example:

    SELECT param_name, param_value FROM CLOUD_INTEGRATIONS;
    
    PARAM_NAME        PARAM_VALUE
    --------------- ------------------------------------------------------------------------------------------------------------------------------------------
    azure_tenantid    29981886-6fb3-44e3-82ab-d870b0e8e7eb
    azure_consent_url https://login.microsoftonline.com/f8cdef31-91255a/oauth2/v2.0/authorize?client_id=d66f1b5-1250d5445c0b&response_type=code&scope=User.read
    azure_app_name    ADBS_APP_OCID1.AUTONOMOUSDATABASE.REGION1.SEA.ANZWKLJSZLYNB3AAWLYL3JVC4ICEXLB3ZG6WTCX735JSSY2NRHOBU4DZOOVA

    The view CLOUD_INTEGRATIONS is available to the ADMIN user or to a user with DWROLE role.

  2. In a browser, open the Azure consent URL, specified by the azure_consent_url parameter.

    For example, copy and enter the URL in your browser:

    https://login.microsoftonline.com/f8cdef31-91255a/oauth2/v2.0/authorize?client_id=d66f1b5-1250d5445c0b&response_type=code&scope=User.read

    The Permissions requested page opens and shows a consent request, similar to the following:

    Description of azure_consent.png follows
  3. To provide consent click Accept.
  4. On the Microsoft Azure console, assign the roles you want to grant to allow access to the specified Azure resources.

    For example, if you want to access Azure Blob Storage from Autonomous Database, assign roles so that the Azure application (the service principal) has access to Azure Blob Storage.

    Note

    To work with Azure Blob Storage, you need an Azure storage account. If you do not have an Azure storage account, create a storage account. See Create a storage account for more information.
    1. On the Microsoft Azure console, under Azure services, select Storage accounts.
    2. Under Storage accounts, click the storage account you want to grant service principal access to.
    3. On the left, click Access Control (IAM).
    4. From the top area, click + Add → Add role assignment.
    5. In the search area enter text to narrow the list of roles that you see. For example, enter Storage Blob to show the available roles that contain Storage Blob.
    6. Select one or more roles as appropriate for the access you want to grant. For example, select Storage Blob Data Contributor.
    7. Click Next.
    8. In the Add role assignment, under Members click + Select members.
    9. Under Select members, in the select field, enter the azure_app_name listed in Step 1 (the param_value column of the CLOUD_INTEGRATIONS view).
    10. Select the application.

      For example, click ADBS_APP_OCID1.AUTONOMOUSDATABASE.REGION1.SEA.ANZWKLJSZLYNB3AAWLYL3JVC4ICEXLB3ZG6WTCX735JSSY2NRHOBU4DZOOVA

    11. Click Select.
    12. Click Review + assign.
  5. Click Review + Assign again.

    After assigning a role you need to wait, as role assignments may take up to five minutes to propagate in Azure.

This example shows steps to grant roles for accessing Azure Blob Storage. If you want to provide access for other Azure services you need to perform equivalent steps for the additional Azure services to allow the Azure application (the service principal) to access the Azure service.

Use Azure Service Principal with DBMS_CLOUD

When you make DBMS_CLOUD calls to access Azure resources and specify the credential name as AZURE$PA, the authentication on the Azure side happens using the Azure service principal.

If you have not already done so, perform the required prerequisite steps:

To use a DBMS_CLOUD procedure or function with Azure service principal, specify AZURE$PA as the credential name. For example, you can access Azure Blob Storage using Azure service principal credentials as follows:

SELECT * FROM DBMS_CLOUD.LIST_OBJECTS('AZURE$PA', 'https://treedata.blob.core.windows.net/treetypes/');

OBJECT_NAME BYTES CHECKSUM                 CREATED              LAST_MODIFIED        
----------- ----- ------------------------ -------------------- -------------------- 
trees.txt      58 aCB1qMOPVobDLCXG+2fcvg== 2022-04-07T23:03:01Z 2022-04-07T23:03:01Z

If you compare the steps required to access object storage, as shown in Create Credentials and Copy Data into an Existing Table, notice that Step 1, creating credentials is not required because you are using an Azure service principal called AZURE$PA.

Disable Azure Service Principal

To disable access to Azure resources from Autonomous Database with Azure service principal, use DBMS_CLOUD_ADMIN.DISABLE_PRINCIPAL_AUTH.

To disable Azure service principal on Autonomous Database:

BEGIN
    DBMS_CLOUD_ADMIN.DISABLE_PRINCIPAL_AUTH(
        provider => 'AZURE',
        username => 'adb_user');
END;
/

When the provider value is AZURE and the username is a user other than the ADMIN user, the procedure revokes the privileges from the specified user. In this case, the ADMIN user and other users can continue to use ADMIN.AZURE$PA and the application that is created for the Autonomous Database instance remains on the instance.

When the provider value is AZURE and the username is ADMIN, the procedure disables Azure service principal based authentication and deletes the Azure service principal application on the Autonomous Database instance. In this case, if you want to enable Azure service principal you must perform all the steps required to use Azure service principal again, including the following:

See DISABLE_PRINCIPAL_AUTH Procedure for more information.

Notes for Azure Service Principal

Notes for using Azure service principal.

  • Cloning an Autonomous Database instance with Azure service principal: When you clone an instance with Azure service principal enabled, the Azure service principal configuration is not carried over to the clone. Perform the steps to enable Azure service principal on the clone if you want to enable Azure service principal on a cloned instance.