Create a database administrator account

In Lab 2, you set up a user-assigned managed identity to allow your Azure Container Apps environment to connect to Azure Container Registry. In this lab, you’re going to use that same identity to allow your applications to connect to your database via a passwordless method. This allows you to improve your app’s security by removing secrets like your username and password from the config repository, without needing to make any changes to your application code.

For more detailed information about creating passwordless connections between Azure Spring Apps and Azure Database for MySQL, refer to this guidance: Use Spring Data JDBC with Azure Database for MySQL.

Your first step in updating to a passwordless connection is to grant your previously created managed identity access to your database. To configure this, you’ll need to make your currently signed-in user account a database administrator. For this to work on the MySQL database, you’ll create an additional admin managed identity.

Step-by-step guidance

1. Create the new managed identity that you’ll use as the database admin:

   DB_ADMIN_IDENTITY_NAME=uid-dbadmin-$APPNAME-$UNIQUEID
   
   ADMIN_IDENTITY_RESOURCE_ID=$(az identity create \
       --name $DB_ADMIN_IDENTITY_NAME \
       --resource-group $RESOURCE_GROUP \
       --query id \
       --output tsv)
   

2. Assign the new identity to your MySQL Server:

   az mysql flexible-server identity assign \
       --resource-group $RESOURCE_GROUP \
       --server-name $MYSQL_SERVER_NAME \
       --identity $DB_ADMIN_IDENTITY_NAME
   

3. Create a database administrator based on your currently signed-in user account:

   az mysql flexible-server ad-admin create \
       --resource-group $RESOURCE_GROUP \
       --server-name $MYSQL_SERVER_NAME \
       --object-id $AAD_USER_ID \
       --display-name $USER_NAME \
       --identity $DB_ADMIN_IDENTITY_NAME