Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP) have introduced passwordless authentication mechanisms where resources such as virtual machines (VMs) can be assigned an identity (Azure), a service account (GCP), or a role (AWS) that can be used to authenticate to other resources such as database server instances.
Octopus Deploy has several built-in steps that support authenticating to resources this way; however, database deployments are almost entirely done using community step templates.
The Octopus community has been hard at work updating templates to support cloud-native authentication.
In this post, I list templates updated with cloud provider authentication functionality.
Database technologies that support cloud-native authentication methods
Only some database technologies offered by cloud providers support cloud-native authentication. Below, I list by provider which technologies are supported:
- Amazon Aurora
- Azure Cosmos DB
- Microsoft SQL Server
Both GCP and AWS support Windows Authentication for Microsoft SQL Server; however, the server must be joined to an Active Directory domain hosted on the cloud provider.
Amazon Aurora and Azure Cosmos DB haven't been tested with the templates listed in this post.
Step templates with cloud authentication support
The following community step templates have been updated to support using cloud-native database authentication:
- Flyway Database Migrations
- Liquibase Run Command
- MariaDB - Add Database User To Role
- MariaDB - Create Database If Not Exists
- MariaDB - Create User If Not Exists
- MySQL - Add Database User To Role
- MySQL - Create Database If Not Exists
- MySQL - Create User If Not Exists
- Postgres - Add Database User To Role
- Postgres - Create Database If Not Exists
- Postgres - Execute SQL
- Postgres - Create User If Not Exists
- SQL - Deploy DACPAC with AAD Auth support
With the exception of SQL - Deploy DACPAC with AAD Auth support, the templates above work on Windows (PowerShell, PowerShell Core) and Linux (PowerShell Core) and have been updated with an Authentication Method selector that supports the following types:
- AWS EC2 IAM Role
- Azure Managed Identity
- GCP Service Account
- Windows Authentication
Flyway Database Migrations is only compatible with PowerShell Core.
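As an added illustration (not code from the community templates or from Octopus), the PowerShell function below shows what each Authentication Method value resolves to in practice: a short-lived token fetched from the instance's own metadata service, or signed with the instance role, used in place of a stored password. The metadata endpoints and the Azure audience are the providers' documented ones; the hostname, port, region and username parameters are placeholders supplied by the caller.

```powershell
# Added example, not the templates' own code. Resolves the credential that a
# database client (psql, mysql, Flyway, Liquibase) should use as its password
# for each of the four Authentication Method values. Placeholders: the caller's
# hostname, port, region and username.
function Get-DatabaseCredential {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('AWS EC2 IAM Role', 'Azure Managed Identity', 'GCP Service Account', 'Windows Authentication')]
        [string]$AuthenticationMethod,
        [string]$ServerHostname,   # placeholder, e.g. the RDS/Cloud SQL/Azure endpoint name
        [int]$Port = 5432,
        [string]$Username,         # placeholder database/IAM user name
        [string]$AwsRegion         # placeholder, only used for AWS
    )

    switch ($AuthenticationMethod) {
        'AWS EC2 IAM Role' {
            # RDS IAM authentication: the AWS CLI signs a token with the EC2 instance
            # role's credentials. The token is only valid for 15 minutes and the role
            # needs rds-db:connect for the target database user.
            return (aws rds generate-db-auth-token --hostname $ServerHostname --port $Port --region $AwsRegion --username $Username)
        }
        'Azure Managed Identity' {
            # Azure IMDS issues an access token for the identity assigned to the VM.
            # The audience below is the one for Azure Database for MySQL/PostgreSQL
            # (Azure AD authentication); the token is passed as the password.
            $uri = 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fossrdbms-aad.database.windows.net'
            $response = Invoke-RestMethod -Uri $uri -Method Get -Headers @{ Metadata = 'true' }
            return $response.access_token
        }
        'GCP Service Account' {
            # The GCE metadata server returns an OAuth2 access token for the instance's
            # service account; Cloud SQL IAM database authentication accepts it as the password.
            $uri = 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token'
            $response = Invoke-RestMethod -Uri $uri -Method Get -Headers @{ 'Metadata-Flavor' = 'Google' }
            return $response.access_token
        }
        'Windows Authentication' {
            # Nothing to fetch: the connection carries the identity of the running
            # process (SSPI for SQL Server, GSSAPI/Kerberos for Postgres), so the
            # caller builds a connection string with no password at all.
            return $null
        }
    }
}

# Usage sketch with placeholders: hand the token to the client through the
# environment so it never appears on a command line or in deployment logs.
# $env:PGPASSWORD = Get-DatabaseCredential -AuthenticationMethod 'Azure Managed Identity' -Username 'placeholder-user'
```

Because every token above expires (the AWS one after 15 minutes), fetch it inside each deployment run rather than caching it in a project variable; there is then no long-lived database secret to rotate or leak.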
SQL - Deploy DACPAC with AAD Auth support
Cloud-native authentication using the SQL - Deploy DACPAC with AAD Auth support template is limited to the Azure cloud provider and supports the following methods:
- Azure Active Directory Integrated
- Azure Active Directory Managed Identity
- Azure Active Directory Username/Password
- SQL Authentication
- Windows Integrated
SQL - Deploy DACPAC with AAD Auth support is written in PowerShell and uses .NET Standard DLLs that ship with the SQL Server installation or the SQL Server PowerShell module. Because of this, it doesn't work on Linux.
The Octopus community recognizes the advantages of using authentication mechanisms offered by cloud providers.
In this post, I listed templates that have been updated with cloud provider authentication functionality.
Our Samples instance has updated examples that use cloud-native authentication:
- MySQL using Azure Managed Identity and Flyway
- MySQL using Azure Managed Identity and Liquibase
- MySQL using Google Cloud Service Account and Flyway
- MySQL using Google Cloud Service Account and Liquibase
- PostgreSQL using Azure Managed Identity and Flyway
- PostgreSQL using Azure Managed Identity and Liquibase
- PostgreSQL using Google Cloud Service Account and Flyway
- PostgreSQL using Google Cloud Service Account and Liquibase