Get token for Synapse Serverless SQL pool

ssisjoost · ‎Dec 20 2023

I want to get a token from the Synapse Serverless SQL pool, but it is unknown which resource (/audience) to use for verifying.

$token= & az account get-access-token --resource=https://sql.azuresynapse.net --query accessToken

I tried:

https://sql.azuresynapse.net
No error AADSTS500011
https://dev.azuresynapse.net
No error AADSTS500011
https://database.windows.net
No error AADSTS500011
https://management.azure.com
No error AADSTS500011
https://azuresynapse.net
ERROR: AADSTS500011: The resource principal named https://azuresynapse.net
was not found in the tenant named xxxxx. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
https://xxxxx-ondemand.sql.azuresynapse.net
ERROR: AADSTS500011: The resource principal named https://xxxxx-ondemand.sql.azuresynapse.net was not found in the tenant named xxxxx. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.

So last two give an AADSTS500011 error when creating the token and also an error when using the token in a SQL connection: A connection was successfully established with the server, but then an error occurred during the login process. An existing connection was forcibly closed by the remote host.
The first couple of items don't give a token error, but will give an error when using the token in a SQL connection: Login failed for user '<token-identified principal>. So probably a correct resource, but just not for the Synapse Serverless SQL pool (or the rest of the PowerShell code is incorrect).

YAML CODE

The Service Principal used in the Azure Service Connection created the Synapse workspace (bicep) and is Synapse Administrator within Synapse (and even an owner on the entire Subscription)

- task: AzureCLI@2
  displayName: 'Create datamart DB in serverless sql pool'
  inputs:
	azureSubscription: '${{ parameters.ServiceConnection }}'
	scriptType: ps
	scriptLocation: 'scriptPath'
	scriptPath:  $(System.DefaultWorkingDirectory)\CICD\PowerShell\Serverless.ps1
	arguments: > # Use this to avoid newline characters in multiline string
	  -SqlServerName "xxxxx-ondemand"
	  -SqlDatabaseName "datamart"

PowerShell code
The Powershell code should eventually create a new database within the Synapse Serverless SQL pool, but if always errors when opening the connection.

Param(
   [Parameter(Mandatory=$true,
   HelpMessage="Name of your serverless sql pool without .sql.azuresynapse.net.")]
   [ValidateNotNullOrEmpty()]
   [string]
   $SqlServerName,
 
   [Parameter(Mandatory=$true,
   HelpMessage="Name of the database you want to create")]
   [ValidateNotNullOrEmpty()]
   [string]
   $SqlDatabaseName
)

# Get token with DevOps Service Connection / Service Principal
$myToken = & az account get-access-token --resource=https://database.windows.net --query accessToken
 
# Variables for script 
$sqlServerFQN = "$($SqlServerName).sql.azuresynapse.net"; 
$sqlDatabaseName = "$($SqlDatabaseName)"; #datamart
 
# Create connection to MASTER database from my Synapse Serverless SQL pool 
$conn = new-object System.Data.SqlClient.SqlConnection; $conn.ConnectionString = "Server=tcp:$($sqlServerFQN),1433;Initial Catalog=master;Persist Security Info=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;"; 

# Add token to connection
$conn.AccessToken = $myToken
 
# Open connection
$conn.Open();

# ERROR 1 => Login failed for user '<token-identified principal>' (When no token error AADSTS500011 occurs)
# ERROR 2 => A connection was successfully established with the server, but then an error occurred during the login process. An existing connection was forcibly closed by the remote host. (When token error AADSTS500011 occurs)
 
# Execute SQL command (not getting here yet) 
$SqlCmd = New-Object System.Data.SqlClient.SqlCommand;
$SqlCmd.CommandText = "IF NOT EXISTS(SELECT * FROM sys.databases WHERE name = '$(SqlDatabaseName)') BEGIN CREATE DATABASE [$(SqlDatabaseName)] END";
$SqlCmd.Connection = $conn;
$SqlCmd.ExecuteNonQuery();

# Close connection
$conn.Close();

Any suggestions on the resource (or the PowerShell code)?

_MartinB · ‎Dec 29 2023

@ssisjoost
for me the following works:

$accessToken = (Get-AzAccessToken -ResourceUrl "https://database.windows.net").Token
$server = "$($synapseWorkspaceName)-ondemand.sql.azuresynapse.net"
$database = "master"

$ResponeCheckDbType = Invoke-Sqlcmd -ServerInstance $server -Database $database -AccessToken $accessToken -Query "SELECT 1 AS some"
Write-Verbose $ResponeCheckDbType.some

Get-AzAccessToken:
https://learn.microsoft.com/en-us/powershell/module/az.accounts/get-azaccesstoken?view=azps-11.1.0
Invoke-Sqlcmd:
https://learn.microsoft.com/de-de/powershell/module/sqlserver/invoke-sqlcmd?view=sqlserver-ps

Make sure that the user / service principal executing the script has required Server / Database roles assigned.

VincentS123 · ‎Jan 23 2024

@ssisjoostNevermind. Changing the database to 'master' made everything work. Even when I query other databases later. Thanks!

Get token for Synapse Serverless SQL pool

Get token for Synapse Serverless SQL pool

Re: Get token for Synapse Serverless SQL pool

Re: Get token for Synapse Serverless SQL pool

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Get token for Synapse Serverless SQL pool