diff --git a/plugins/inputs/sqlserver/README.md b/plugins/inputs/sqlserver/README.md index 5a22c6271..7e874a217 100644 --- a/plugins/inputs/sqlserver/README.md +++ b/plugins/inputs/sqlserver/README.md @@ -152,6 +152,10 @@ to use them. ## valid methods: "connection_string", "AAD" # auth_method = "connection_string" + ## ClientID is the is the client ID of the user assigned identity of the VM + ## that should be used to authenticate to the Azure SQL server. + # client_id = "" + ## "database_type" enables a specific set of queries depending on the database type. If specified, it replaces azuredb = true/false and query_version = 2 ## In the config file, the sql server plugin section should be repeated each with a set of servers for a specific database_type. ## Possible values for database_type are - "SQLServer" or "AzureSQLDB" or "AzureSQLManagedInstance" or "AzureSQLPool" @@ -291,6 +295,10 @@ in a connection string. To enable support for AAD authentication, we leverage the existing AAD authentication support. +If more then one managed identity is assigned to the VM. You need specify the +client_id of the identity you wish to use to authenticate with the SQL Server. +If only one is assigned you don't need so specify this value. + - Please see [SQL Server driver for Go](https://github.com/microsoft/go-mssqldb#azure-active-directory-authentication) ### How to use AAD Auth with MSI 
@@ -300,6 +308,9 @@ authentication support. - Configure "system-assigned managed identity" for Azure resources on the Monitoring VM (the VM that'd connect to the SQL server/database) [using the Azure portal](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm). - On the database being monitored, create/update a USER with the name of the Monitoring VM as the principal using the below script. This might require allow-listing the client machine's IP address (from where the below SQL script is being run) on the SQL Server resource. +In case of multiple assigned identities on one VM you can use the parameter +user_assigned_id to specify the client_id. + ```sql EXECUTE ('IF EXISTS(SELECT * FROM sys.database_principals WHERE name = '''') BEGIN diff --git a/plugins/inputs/sqlserver/sample.conf b/plugins/inputs/sqlserver/sample.conf index 315d59abd..37b31ec13 100644 --- a/plugins/inputs/sqlserver/sample.conf +++ b/plugins/inputs/sqlserver/sample.conf @@ -20,6 +20,10 @@ ## valid methods: "connection_string", "AAD" # auth_method = "connection_string" + ## ClientID is the is the client ID of the user assigned identity of the VM + ## that should be used to authenticate to the Azure SQL server. + # client_id = "" + ## "database_type" enables a specific set of queries depending on the database type. If specified, it replaces azuredb = true/false and query_version = 2 ## In the config file, the sql server plugin section should be repeated each with a set of servers for a specific database_type. ## Possible values for database_type are - "SQLServer" or "AzureSQLDB" or "AzureSQLManagedInstance" or "AzureSQLPool" diff --git a/plugins/inputs/sqlserver/sqlserver.go b/plugins/inputs/sqlserver/sqlserver.go index cfa9d5fd1..e87bc85b3 100644 --- a/plugins/inputs/sqlserver/sqlserver.go +++ b/plugins/inputs/sqlserver/sqlserver.go 
@@ -28,6 +28,7 @@ type SQLServer struct {
 Servers []*config.Secret `toml:"servers"`
 QueryTimeout config.Duration `toml:"query_timeout"`
 AuthMethod string `toml:"auth_method"`
+ ClientID string `toml:"client_id"`
 QueryVersion int `toml:"query_version" deprecated:"1.16.0;1.35.0;use 'database_type' instead"`
 AzureDB bool `toml:"azuredb" deprecated:"1.16.0;1.35.0;use 'database_type' instead"`
 DatabaseType string `toml:"database_type"`
@@ -537,9 +538,17 @@ func (s *SQLServer) refreshToken() (*adal.Token, error) {
 }
 
 // get new token for the resource id
- spt, err := adal.NewServicePrincipalTokenFromMSI(msiEndpoint, sqlAzureResourceID)
- if err != nil {
- return nil, err
+ var spt *adal.ServicePrincipalToken
+ if s.ClientID == "" {
+ spt, err = adal.NewServicePrincipalTokenFromMSI(msiEndpoint, sqlAzureResourceID)
+ if err != nil {
+ return nil, err
+ }
+ } else {
+ spt, err = adal.NewServicePrincipalTokenFromMSIWithUserAssignedID(msiEndpoint, sqlAzureResourceID, s.ClientID)
+ if err != nil {
+ return nil, err
+ }
 }
 
 // ensure token is fresh
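Review bot: The two branches added in refreshToken each carry an identical `if err != nil { return nil, err }`, and the error is returned without context, so a mistyped client_id or an identity that is not actually assigned to the VM surfaces as a bare driver error with no hint of which identity was tried. Assigning spt in both branches and checking err once after the if/else removes the duplication, and wrapping the error with the resource and the client_id (the client ID is an identifier, not a secret) makes the misconfiguration diagnosable from the log; this assumes fmt is already imported in this file, which the hunk does not show. Separately, the README hunk on the earlier line tells users to set `user_assigned_id`, while the struct hunk and sample.conf register the key as `client_id`, so the README should name `client_id`. `err` appears to be declared earlier in refreshToken (the new lines assign with `=`), and the function's body begins and ends outside the hunk.
```go
	// get new token for the resource id
	var spt *adal.ServicePrincipalToken
	if s.ClientID == "" {
		spt, err = adal.NewServicePrincipalTokenFromMSI(msiEndpoint, sqlAzureResourceID)
	} else {
		spt, err = adal.NewServicePrincipalTokenFromMSIWithUserAssignedID(msiEndpoint, sqlAzureResourceID, s.ClientID)
	}
	if err != nil {
		return nil, fmt.Errorf("acquiring MSI token for %q (client_id %q): %w", sqlAzureResourceID, s.ClientID, err)
	}
	// … unchanged: ensure token is fresh …
```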