Forum Discussion

smbit's avatar
smbit
Copper Contributor
Feb 18, 2022

System Managed Identities Question

Hi All,

 

I have an Azure Logic App with a system managed identity enabled that requires access to 2 Azure SQL databases.

 

I was able to grant the managed identity permissions to the first SQL database with the below query:

 

CREATE USER [ActionLog] FROM EXTERNAL PROVIDER;

 

When I run the same query on the second database (different Azure SQL server and different RG), I get the following error:

 

Msg 33134, Level 16, State 1, Line 1 Principal 'ActionLog' could not be resolved. Error message: ''

 

I've logged this with Azure support, who have said it isn't possible to grant the managed identity permissions on 2 SQL databases:

 

There are a few things I would like you to be aware of concerning managed identities, especially with that of a system-assigned managed identity. When a system-assigned managed identity has been created to an Azure resource it is tied to the lifecycle of that resource. These identities can only be assigned to the Azure resource that it was originally created for. Each resource provider in Azure that uses System-assigned managed identities is responsible for the entire life cycle of that identity.

 

When a system-assigned managed identity is created to an Azure resource, it binds that resource with an Object ID which can’t be shared with another Azure resource and can only be associated with a single resource. Unlike the user-assigned managed identity that has an independent lifecycle and can be associated with more than one Azure resource. The system-assigned managed identity is created as part of the Azure resource and can only be associated with a single Azure resource.

 

My understanding is that the Azure resource in this case is the logic app, which is only a single resource. I thought maybe they misunderstood the question and thought I was trying to bind the system managed identity to 2 Azure resources, but the support engineer insists that what I'm trying to do isn't possible and I need to use a user managed identity. 

 

Am I completely misunderstanding how system managed identities work, or should I be able to grant a system managed identity permissions on 2 SQL databases?

No RepliesBe the first to reply

Resources