AgentSkillsCN

azure-postgres-entra-rbac-setup

按照 Conventional Commits 规范,生成格式规范的 Git 提交。当您需要提交更改、创建提交、暂存并提交文件,或被要求以规范的提交信息保存工作时,可使用此技能。

SKILL.md
--- frontmatter
name: azure-postgres-entra-rbac-setup
description: Set up Microsoft Entra ID (Azure AD) authentication for Azure Database for PostgreSQL Flexible Server. Use this skill when users need to configure passwordless authentication, map Azure identities to PostgreSQL roles, grant database permissions, set up managed identity access, configure group-based access control, troubleshoot authentication failures, or migrate from password-based authentication to Entra ID.

Azure PostgreSQL Entra ID RBAC Setup

This skill helps users set up Microsoft Entra ID (formerly Azure AD) authentication for Azure Database for PostgreSQL Flexible Server. It guides users through the confusing two-layer mapping: Azure Identity → PostgreSQL Role → Database Permissions.

Skill Activation Triggers

Use this skill immediately when the user asks to:

  • "Set up Entra ID authentication for PostgreSQL"
  • "Configure passwordless access to my PostgreSQL database"
  • "Add a user/developer to my Azure PostgreSQL using their Azure identity"
  • "Set up managed identity for my app to access PostgreSQL"
  • "Configure group-based access to PostgreSQL"
  • "I'm getting authentication errors connecting to PostgreSQL with Entra"
  • "Migrate from password authentication to Entra ID for PostgreSQL"
  • "How do I connect to Azure PostgreSQL with my Azure account?"
  • "Grant my Container App access to PostgreSQL without storing passwords"

Key Indicators:

  • Mentions "Entra", "Azure AD", "AAD" with PostgreSQL
  • Passwordless or identity-based database access requests
  • Managed identity + PostgreSQL configuration
  • PostgreSQL authentication failures with Azure identities
  • Questions about pgaadauth functions or security labels

Overview

Azure Database for PostgreSQL Flexible Server supports Microsoft Entra ID authentication, allowing users to connect using their Azure identities instead of passwords. This involves:

  1. Enabling Entra authentication on the PostgreSQL server
  2. Creating a PostgreSQL role mapped to an Azure identity
  3. Granting database permissions to the PostgreSQL role
  4. Connecting with an access token instead of a password

Identity Types Supported

Identity TypeUse CaseSQL Function
UserDeveloper access, interactive queriespgaadauth_create_principal
GroupTeam-based access managementpgaadauth_create_principal_with_oid
Service PrincipalApplication authenticationpgaadauth_create_principal_with_oid
Managed IdentityAzure-hosted app passwordless accesspgaadauth_create_principal_with_oid

Core Workflow

Step 1: Check Current Authentication Status

Verify if Entra authentication is enabled on the server. If empty, no Entra admin is configured yet.

Step 2: Add First Entra Administrator

Enable Entra authentication by adding the first admin using Azure CLI.

Step 3: Connect as Entra Admin

Get an access token and connect using psql with the token as password.

Step 4: Create PostgreSQL Roles for Identities

Once connected as admin, create roles for other identities using SQL functions.

Step 5: Grant Database Permissions

Grant appropriate permissions to the new roles using GRANT statements.

See: scripts/az-commands.sh for Azure CLI commands, references/SQL-FUNCTIONS.md for SQL functions, and references/PERMISSION-TEMPLATES.md for permission grants.

Setup Patterns

Pattern 1: Developer User Access

Set up a developer to access the database with their Azure identity.

Required Information:

  • Developer's UPN (e.g., developer@company.com)
  • Target database name
  • Permission level (read-only, read-write, admin)

Script: See scripts/setup-user.sh


Pattern 2: Managed Identity for Applications

Configure passwordless database access for Azure-hosted applications (Container Apps, App Service, Functions).

Required Information:

  • Managed identity name and resource group
  • Target database name
  • Permission level needed

Steps:

  1. Get managed identity object ID
  2. Create PostgreSQL role using pgaadauth_create_principal_with_oid
  3. Grant permissions
  4. Configure application to use Azure Identity SDK

Script: See scripts/setup-managed-identity.sh


Pattern 3: Group-Based Access Control

Manage database permissions through Azure AD groups.

Required Information:

  • Group display name and object ID
  • Whether to enable group sync (pgaadauth.enable_group_sync)
  • Permission level for the group

Group Sync Modes:

ModeBehaviorUse Case
OFF (default)Members use group name as usernameSimple setup, no individual tracking
ONIndividual member roles auto-createdAudit trails, per-user permissions

Script: See scripts/setup-group.sh


Pattern 4: Troubleshooting Connection Failures

Diagnose and fix Entra authentication issues.

Common Errors:

  • role "user@domain.com" does not exist - Role not created in database
  • password authentication failed - Token expired or invalid
  • FATAL: password authentication failed - Wrong username format
  • could not connect to server - Network/firewall issues

Diagnostic Steps: See references/TROUBLESHOOTING.md


Pattern 5: Migration from Password Auth

Transition existing password-based roles to Entra ID authentication.

Steps:

  1. Enable "PostgreSQL and Microsoft Entra authentication" mode (parallel auth)
  2. Map existing roles to Entra identities using SECURITY LABEL
  3. Test Entra authentication for each migrated role
  4. Disable passwords: ALTER ROLE "username" PASSWORD NULL
  5. Switch to "Microsoft Entra authentication only" mode

Script: See scripts/migrate-to-entra.sh

MCP Tools Used

ToolPurpose
postgres_server_listList PostgreSQL servers in subscription
postgres_database_listList databases on a server
postgres_database_queryExecute SQL (role creation, permissions)
postgres_server_param_getGet server parameter (e.g., group sync)
postgres_server_param_setSet server parameter

Security Best Practices

PracticeRecommendation
Least PrivilegeGrant minimum required permissions; avoid admin roles for apps
Use GroupsManage access via Entra groups for easier administration
Managed IdentityAlways use managed identity for Azure-hosted apps
MFA for AdminsSet isMfa=true for admin roles if tenant supports optional MFA
Token HandlingNever store tokens; acquire fresh before each connection
Audit AccessUse pgaadauth_list_principals to review who has access
Private EndpointUse private endpoint for production; configure NSG for AzureActiveDirectory tag

Common Issues

IssueCauseSolution
role does not existRole not created in databaseRun pgaadauth_create_principal or pgaadauth_create_principal_with_oid
password authentication failedToken expired (5-60 min validity)Get fresh token with az account get-access-token
permission deniedRole exists but lacks permissionsRun GRANT statements for required access
Username case mismatchEntra names are case-sensitiveUse exact case from Azure AD
Network timeoutPrivate endpoint missing NSG ruleAdd outbound rule for AzureActiveDirectory service tag
Guest user login failsUsing wrong UPN formatUse full UPN with #EXT# tag

References