Update all other Azure components to use the common auth layer (and support Azure AD auth)

[ItalyPaleAle]

This is a "spin-off" from #972 given how it was merged with only 2 components updated.

Goal of this issue is to track what Azure components still need to be updated to support authentication via the "common auth layer" (implemented in #972). This enables components to authenticate with Azure using Azure AD, including support for service principals and MSI.

While updating components to use the common Azure auth layer, we have been making sure (where appropriate/relevant) to also support for other Azure clouds (Azure China, Azure Germany, Azure Gov, and also Azure Stack) and even emulators when appropriate.

Here's the list of components that use Azure and their status:

• bindings/azure/blobstorage - Uses keys
  • Update for track2 SDK: [Azure][Track 2 SDK] Migrate Azure Blob Storage Binding #1530
  • 🛑 Waiting until new version of track2 SDK
• bindings/azure/cosmosdb
  • Support Azure AD auth for Cosmos DB #1104
  • Update for track 2 SDK: Adding in track2 SDK support for CosmosDB Bindings #1876
• bindings/azure/eventgrid - Currently supports client credentials auth but with its own logic
• bindings/azure/eventhubs - Uses keys
  • 🛑 Update for track 2 SDK: Blocked because the SDK is not yet available
• bindings/azure/servicebusqueues
  • Move Service Bus Pubsub/Binding to common auth #1201
  • Update for track 2 SDK: [Azure][Track 2 SDK] Migrate Azure Service Bus Queues Binding  #1531
• bindings/azure/signalr - Uses "connection strings"
  • Add support for Azure AD in SignalR binding #1843
  • Does not use a SDK
• bindings/azure/storagequeues - Uses keys
  • Add support for AAD auth in Azure Storage Queues binding #1842
  • 🛑 Update for track 2 SDK: Blocked because the SDK is not yet available
• pubsub/azure/eventhubs - Uses keys
  • rewrite EventHubs component #1292
  • 🛑 Update for track 2 SDK: Blocked because the SDK is not yet available
• pubsub/azure/servicebus
  • Move Service Bus Pubsub/Binding to common auth #1201
  • Update for track 2 SDK: [Azure][Track 2 SDK] Migrate Azure Service Bus PubSub #1532
• secretstores/azure/keyvault
  • Updated to use common Azure auth logic #972
  • Update for track 2 SDK: Azure SDK "track 2": authentication and secretstore/azure/keyvault #1290
• state/azure/blobstorage
  • Updated to use common Azure auth logic #972
  • Update fo track2 SDK: [Azure][Track 2 SDK] Migrate Azure Blobstorage State Store #1529
• state/azure/cosmosdb
  • Support Azure AD auth for Cosmos DB #1104
  • Update for track 2 SDK: [Azure][Track 2 SDK] Migrate Cosmos DB State Store #1526
• state/azure/tablestorage - Uses keys
  • Complete via track2 SDK update
  • Update for track2 SDK: [Azure][Track 2 SDK] Migrate Azure Table Storage State Store #1528

[dapr-bot]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged (pinned, good first issue, help wanted or triaged/resolved) or other activity occurs. Thank you for your contributions.

[ItalyPaleAle]

👋 bot!

[artursouza]

It is pinned now.

[halspang]

Azure Service Bus pubsub and bindings are handled in: #1201

This was done as part of the GAing process for the binding and I figured while I was there I'd get pubsub too.

[ItalyPaleAle]

With #1290 I'm adding support for authenticating against the new "track 2" SDKs and I've updated the Key Vault secret store component. Support for the new auth library is required for all new SDKs, including Table Storage and the upcoming Cosmos DB.

[berndverst]

Needs to be implemented in EventHubs. Probably together with this issue: #2101

[onionhammer]

Is there support for using Azure CLI to retrieve credentials when running locally?

[ItalyPaleAle]

At this point, it seems all Azure components support Azure AD.

Almost all have also been updated to the "track 2" SDKs, with the only exception being Azure Storage Queues. That SDK is expected in a few weeks / months, so we'll do the upgrade once it's available.

Probably safe to close this issue @berndverst

[ana-cozma]

Is there a plan to include support for MSI for Event Grid as well anytime soon?

[ItalyPaleAle]

@ana-cozma Event Grid should work with MSI in Dapr 1.10

[berndverst]

This is now complete in Dapr 1.11 (Storage Queues was upgraded as well)

[giovanidecusati]

Hi Team!

We are trying to use "state.sqlserver" component configured to use User-Managed-Identity to connect to Azure SQL Server Database instance. Is that supported?

I'm facing this issue when trying to connect to SQL:
[INIT_COMPONENT_FAILURE]: initialization error occurred for <componentName>-statestore (state.sqlserver/v1): failed to create db database: mssql: login error: Login failed for user '<MyUserManagedIdentityClientId>'." app_id=<appid> instance=<revisionInstance> scope=dapr.runtime type=log ver=1.10.4-msft-2

SqlConnectionString:
Server=<MySqlServerInstance>.database.windows.net;Authentication=**Active Directory Managed Identity**;Encrypt=True;User Id=<MyUserManagedIdentityClientId>;Database=<MyDatabaseName>

We are deploying via Bicep Tempalte:
resource resource_daprSecretStore 'Microsoft.App/managedEnvironments/daprComponents@2022-06-01-preview' = { name: statestoreName parent: resource_environment properties: { componentType: 'state.sqlserver' version: 'v1' metadata: [ { name: 'connectionString' secretRef: keyVaultConenctionStringSecretName } { name: 'tableName' value: tableName } { name: 'schema' value: schemaName } ] scopes: [ daprAppName ] secretStoreComponent: secretStoreName } }

Appreciate any help, thanks!

[ItalyPaleAle]

@giovanidecusati thanks for the report. I've created a new issue for this #2726
This way we can keep track of that, since this is a closed issue for work that's been completed