I got MySql Server on Azure and is configured with Azure Directory Admin.
Example
MySql Servername: mysqlserver and
MySql AD Admin Account: admin#organistionname.com.au (this organisation domain account)
Can see above account from MySql Server under User Accounts.
I stood-up Azure Web App for phpMyadmin and configured to pointed to above MySql db.
When an logging into phpMyAdmin with above Active Directory Admin Account is getting validated against AD, but getting error
mysqli::real_connect(): (HY000/9013): An error occurred while validating the access token. Please acquire a new token and retry.
I need to get a Ad token which need to passed to MySql server.
How to achieve this in Azure Web App?
This documentation should help you: https://learn.microsoft.com/en-gb/azure/mysql/howto-configure-sign-in-azure-ad-authentication#connecting-to-azure-database-for-mysql-using-azure-ad.
You need to acquire an access token in your code for your user against the resource: https://ossrdbms-aad.database.windows.net or against the scope (if using v2): https://ossrdbms-aad.database.windows.net/.default.
Acquiring access tokens with AAD is a whole another topic and the exact way depends on your app.
This answer might help for that: https://stackoverflow.com/a/33512913/1658906
I have the same set up (except phpmyadmin running in a container in AKS).
I believe phpmyadmin can't connect to mysql with azure ad enabled (at least with an AD user/group) because the token (password) is required to be sent in cleartext, and phpmyadmin hashes it before sending it.
I think that's why I get the An error occurred while validating the access token. Please acquire a new token and retry. error.
That's also why in the docs, they set the --enable-cleartext-plugin flag on their example mysql cli commands.
Also in the docs, they state that it's only tested with myqsl cli and mysqladmin.
I'm currently planning on ditching phpmyadmin for azure bastion and a VM running mysqlworkbench for this reason.
Related
I have a PHP web app (Snipe-IT) that was previously working.
We went through a security review, and the recommendation was made to enable service endpoints (Microsoft.Sql) on the application subnet so that web apps connect to databases over the Azure backbone. Everything is working fine for the other MSSQL apps, except for our Snipe-IT application, which connects to a GP_Gen5_2 MySQL instance.
The error message says:
D'oh! Looks like we can't connect to your database. Please update your database settings in your .env file. Your database says:
SQLSTATE[HY000] [9009] Client connections to Basic tier servers through Virtual Network Service Endpoints are not supported. Virtual Network Service Endpoints are supported for General Purpose and Memory Optimized severs. (SQL: select 2 + 2)
This error message doesn't match the environment configuration because the database in question is a General Purpose, 2 vCore(s), 50 GB database.
There is no networking tab on the MySQL server, but in the Connection security tab we have tried enabling access to Azure resources, allowing the full public internet (0.0.0.0 - 255.255.255.255), enabling and disabling forced SSL, but nothing changes the result.
Azure won't let us create a Private Endpoint on the MySQL database because 'the subnet contains external resources'
I am hoping there is a way to resolve this without having to rebuild both the app and database in a different App Service Environment and subnet.
Thanks
I made instance in Google Cloud > Storage > SQL > MYSQL. Now I have to import database in it so I am trying to connect to MYSQL
using adminer, but it gives following error
SQLSTATE[HY000] [2002] Operation timed out
I also tried via HeidiSQL > MariaDB or MYSQL (SSL Tunnel) but here also it does not connect and gives error
https://prnt.sc/o58in0
I am mentioning
Host: Public Ip of SQL instance
Username: root
Any suggestions, what could be the fix?
Your error typically means that a firewall blocked your connection attempt.
For Cloud SQL, this typically means that you have not enabled instance-level access.
Since your error is 10060, which is a Windows WinSock error message, I am assuming that you are running on Windows. The steps are similar for Linux.
There are two methods to enable access to Cloud SQL:
Cloud SQL Proxy
This is the recommended method and is secure. Download and install the Cloud SQL Proxy to your the computer that you want to connect from. If you have set up the Cloud SDK (gcloud), Cloud SQL Proxy will use your Cloud SDK credentials. If not, then you will need to create and download a service account with (usually) the Cloud SQL Client role.
You will need the "instance connection name" from Cloud SQL Instance details page.
Download Cloud SQL Proxy (link) to your computer. Remember the full path to the program. Save the program as "cloud_sql_proxy.exe"
Start the Cloud SQL Proxy
[full_path_to_program]\cloud_sql_proxy -instances=[INSTANCE_CONNECTION_NAME]=tcp:3306
OR
[full_path_to_program]\cloud_sql_proxy -instances=<INSTANCE_CONNECTION_NAME>=tcp:3306 -credential_file=[PATH_TO_KEY_FILE]
Connect using mysql.exe: `mysql -u USERNAME -p --host 127.0.0.1
Public IP Method
The second method is not secure unless you also enable SSL, which I will not cover in this answer. I do not recommend this method except for knowledgeable persons.
Figure out what your public IP address is. Go to any website such as "MXToolbox" https://mxtoolbox.com/whatismyip/
Go to the Google Cloud Console
Go to the Cloud SQL Instances Details page
Select the Connections tab
Click Add network
In the Network field, enter your Public IP address using CIDR notice: eg 145.11.22.33/32
Enter a name such as "My Home IP"
Click Done
Click Save
Note: Most home Internet services change your Public IP address periodically. This means that you will need to update your Public IP address in Cloud SQL if you are using the second method.
I have a web app in azure, of the MySQL in app type, it is a server with an instance of MySQL but the problem is that I can only manage the DB with PHPMyAdmin and I prefer to use the shell, so my question would be where can I verify the host, the user and the password that I must use to access from a console remotely?
According to this original App Service announcement for in-app MySql in 2016:
MySQL database cannot be accessed remotely. You can only access your
database content using PHPMyadmin or using MySQL utilities in KUDU
debug console.
And also
The database is protected by our sandbox environment and hence cannot
be accessed remotely through MySQL workbench or MySQL command line
tools (running on remote machine).
It would appear that this limitation is still in place.
For anyone who stumbled on this, to access the DB using PHP, use
https://name-of-your-site.scm.azurewebsites.net/phpmyadmin/index.php
Took me a while to find it,
You should get all these information looking in your Azure Portal, the "SQL Databases".
In the Overview menu, you'll get a Connection strings link with all the information you need.
Edit: and then you will be able to use this Connection Strings inside your application.
I am trying to setup database secrets through Hashicorp vault for MySQL Database. I've followed the instructions provided in the documents (https://www.vaultproject.io/docs/secrets/databases/index.html) for the configuration of database and role.
However when I try to generate the credential I am facing an error - 403 Permission Denied.
The logs on the server do not show any errors as well.
I am running the server on the Dev mode as I am trying to implement a prototype.
Is there some specific permissions that I need to setup and have missed?
Appreciate any help or feedback.
Thanks,
Aravind
I realised that the problem was due to a mismatch on the config of the database and the roles.
The role I was trying to get the credential for was not in the allowed roles for the database.
Thanks,
Aravind
I have been trying to log in Cosmos-GUI to start developing my FIWARE application, but after I log in with my FILAB user/password I get "Error:Invalid IdM User"
I saw a similar question, and they said that it was caused by a migration of the server and that now it is solved, but I still have the problem (Invalid Idm User when trying to Connect to Cosmos Gui).
Fixed by private email. Nevertheless, putting here the identifed problem for future reference to other potential users: if the FIWARE LAB password contains non alphanumeric characters then the Cosmos portal fails on creating the account. Currently reasearching why.