Is it possible to use azure managed identity with externalDatabase

[papanito]

I would like to use azure managed identity to connect to the postgres SQL database running in Azure.

We deploy netbox using the helm-chart which allows to provide the options External database configuration.

[Packet33r]

While I didn't do it via docker/helm charts I was able to successfully make it work well enough for my team leverage Azure Managed Identify for almost everything (The code for REDIS still leverages a secret, but I had some commented lines to leverage managed identity logins....)

This also pulls secrets from Azure keyvault leveraging the managed identity so there is no secrets in live code.

I'm also running a little older version, so it should still work for 4.2.x (I'm working on a project to update it right now) I can't guarantee it.

In configuration.py I made the following changes/tweaks to the default configuration.py file.

from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient
from msal import PublicClientApplication


# Uncomment the following lines according to the authentication type.
# For system-assigned identity.
credential = DefaultAzureCredential()

# Acquire the access token for PostgreSQL DB Access
PSQLAccessToken = credential.get_token('https://ossrdbms-aad.database.windows.net')

# Aquire the access token for accessing REDIS Cache server - This should be a generic Enterprise Application in Entra already
REDISAccessToken = credential.get_token('acca5fbb-b7e4-4009-81f1-37e38fd66d78/.default')



# Aquire KeyVault access token and  secret key
secret_client = SecretClient(vault_url="<Azure Keyvault URL>", credential=credential)
netbox_secret = secret_client.get_secret("<azure keyvault Netbox secret name>")
redis_secret = secret_client.get_secret("<azure keyvault REDIS secret name>")

DATABASE = {
    'ENGINE': 'django.db.backends.postgresql',  # Database engine
    'NAME': 'netbox',         # Database name
    'USER': '<managed identity name>',               # PostgreSQL username
    'PASSWORD': PSQLAccessToken.token,           # PostgreSQL password
    'HOST': '<Postgres server name>',      # Database server
    'PORT': '',               # Database port (leave blank for default)
    'CONN_MAX_AGE': 300,      # Max database connection age
    'OPTIONS': {'sslmode': 'require'},  #Require SSL for connection to PostGRE SQL database
}

# Redis database settings. Redis is used for caching and for queuing background tasks such as webhook events. A separate
# configuration exists for each. Full connection details are required in both sections, and it is strongly recommended
# to use two separate database IDs.
REDIS = {
    'tasks': {
        'HOST': '<Redis server URL>',
        'PORT': 6380,
        # Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel
        # 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
        # 'SENTINEL_SERVICE': 'netbox',
        'USERNAME':'',
        'PASSWORD':redis_secret.value,
        'DATABASE': 0,
        #Setting SSL to True for Azure REDIS Cache server requirement
        'SSL': True,
        # Set this to True to skip TLS certificate verification
        # This can expose the connection to attacks, be careful
        # 'INSECURE_SKIP_TLS_VERIFY': False,
        # Set a path to a certificate authority, typically used with a self signed certificate.
        # 'CA_CERT_PATH': '/etc/ssl/certs/ca.crt',
    },
    'caching': {
        'HOST': '<Redis server URL>',
        'PORT': 6380,
        # Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel
        # 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
        # 'SENTINEL_SERVICE': 'netbox',
        'USERNAME':'',
        'PASSWORD':redis_secret.value,
        'DATABASE': 1,
        #Setting SSL to True for Azure REDIS Cache server requirement
        'SSL': True,
        # Set this to True to skip TLS certificate verification
        # This can expose the connection to attacks, be careful
        # 'INSECURE_SKIP_TLS_VERIFY': False,
        # Set a path to a certificate authority, typically used with a self signed certificate.
        # 'CA_CERT_PATH': '/etc/ssl/certs/ca.crt',
    }
}

# This key is used for secure generation of random numbers and strings. It must never be exposed outside of this file.
# For optimal security, SECRET_KEY should be at least 50 characters in length and contain a mix of letters, numbers, and
# symbols. NetBox will not run without this defined. For more information, see
# https://docs.djangoproject.com/en/stable/ref/settings/#std:setting-SECRET_KEY
SECRET_KEY = netbox_secret.value

Below are a few links I leveraged to point me in the right direction in setting up the connections.

How to connect to Postgres with managed identity using python - https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/connect-python?tabs=cmd%2Cpasswordless
Documentation link about Enterprise App - https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-azure-active-directory-for-authentication

The only issues I have run into is that I have a chron job to restart Netbox every 24 hours due to the managed identity password changing causing the connection to Postgres to break. It's one the things that I'm sure can be done a lot cleaner to dynamically update it versus restarting the service.

[papanito]

Interesting approach, thanks for the idea.

[Packet33r]

The more I think about this, it would probably be best to ask the Django community about this as netbox is built on it and I think this file is probably from Django.