I'm running a MySql database on Azure. My ultimate goal is to add an AADUser to the database from a pipeline in Azure DevOps. An AADUser can only be added by the AADAdmin. So I was thinking to create an AADAdmin based on the service principal that Azure DevOps uses to connect to Azure (service connection).
I have done the following steps:
- In the portal, lookup the objectId of the service principal that is linked to my service connection ('Unicorn Dev') in Azure DevOps.
- Create the AADAdmin with that objectId:
az mysql server ad-admin create --server-name mydb -g myrg --display-name devops_service_connection_dev@mydb --object-id d5ab6ee1-55d4-4c78-ae71-d49526310733. (I can see this user in the database after running the command). See https://learn.microsoft.com/en-us/cli/azure/mysql/server/ad-admin?view=azure-cli-latest#az_mysql_server_ad_admin_create - Try to connect to the database from a pipeline in Azure DevOps:
- task: AzureCLI@2
inputs:
azureSubscription: 'Unicorn Dev'
scriptType: 'bash'
scriptLocation: 'inlineScript'
inlineScript: 'mysql -h mydb.mysql.database.azure.com --user devops_service_connection_dev@mydb --password=`az account get-access-token --resource-type oss-rdbms --output tsv --query accessToken` --ssl-ca=BaltimoreCyberTrustRoot.crt.pem --enable-cleartext-plugin;'
This command fails with the following error:
ERROR 1045 (28000): Access denied for user 'devops_service_connection_dev@mydb'@'51.144.241.08' (using password: YES)
The task does generate an access token, and when running the same script with that access token in the Cloud Shell, I get the same error.
Some help would be greatly appreciated!
