fix: Code changes to Connect to SQL with Managed Identity using pyodbc

Prajwal-Microsoft · Prajwal-Microsoft · commit 5df6e0290b01 · 2025-01-31T23:34:08.000+05:30
diff --git a/AzureFunctions/km-charts-function/Dockerfile b/AzureFunctions/km-charts-function/Dockerfile
@@ -2,6 +2,10 @@
 # FROM mcr.microsoft.com/azure-functions/python:4-python3.11-appservice
 FROM mcr.microsoft.com/azure-functions/python:4-python3.11
 
+# Install Microsoft ODBC Driver
+RUN apt-get update && \
+    ACCEPT_EULA=Y apt-get install -y msodbcsql17
+    
 ENV AzureWebJobsScriptRoot=/home/site/wwwroot \
     AzureFunctionsJobHost__Logging__Console__IsEnabled=true
 
diff --git a/AzureFunctions/km-charts-function/function_app.py b/AzureFunctions/km-charts-function/function_app.py
@@ -1,15 +1,60 @@
 from datetime import datetime
 import azure.functions as func
+from azure.identity import DefaultAzureCredential
 import logging
 import json
 import os
-import pymssql
+import pyodbc
 import pandas as pd
+import struct
 # from dotenv import load_dotenv
 # load_dotenv()
 
 app = func.FunctionApp(http_auth_level=func.AuthLevel.ANONYMOUS)
 
+# get database connection
+def get_db_connection():
+    driver = "{ODBC Driver 17 for SQL Server}"
+    server = os.environ.get("SQLDB_SERVER")
+    database = os.environ.get("SQLDB_DATABASE")
+    username = os.environ.get("SQLDB_USERNAME")
+    password = os.environ.get("SQLDB_PASSWORD")
+
+    # Attempt connection using Username & Password
+    try:
+        conn = pyodbc.connect(
+            f"DRIVER={driver};SERVER={server};DATABASE={database};UID={username};PWD={password}",
+            timeout=5
+        )
+        logging.info("Connected using Username & Password")
+        return conn
+    except pyodbc.Error as e:
+        print(f"Failed with Username & Password: {str(e)}")
+
+    # If first attempt fails, try Azure Default Credential
+    try:
+        credential = DefaultAzureCredential()
+
+        token_bytes = credential.get_token(
+            "https://database.windows.net/.default"
+        ).token.encode("utf-16-LE")
+        token_struct = struct.pack(f"<I{len(token_bytes)}s", len(token_bytes), token_bytes)
+        SQL_COPT_SS_ACCESS_TOKEN = (
+            1256  # This connection option is defined by microsoft in msodbcsql.h
+        )
+
+        # Set up the connection
+        connection_string = f"DRIVER={driver};SERVER={server};DATABASE={database};"
+        conn = pyodbc.connect(
+            connection_string, attrs_before={SQL_COPT_SS_ACCESS_TOKEN: token_struct}
+        )
+
+        logging.info("Connected using Default Azure Credential")
+        return conn
+    except Exception as e:
+        logging.error(f"Failed with Default Credential: {str(e)}")
+        return None  # Return None if both attempts fail
+
 # add post methods - filters will come in the body (request.body), if body is not empty, update the where clause in the query
 @app.route(route="get_metrics", methods=["GET","POST"], auth_level=func.AuthLevel.ANONYMOUS)
 def get_metrics(req: func.HttpRequest) -> func.HttpResponse:
@@ -19,12 +64,7 @@ def get_metrics(req: func.HttpRequest) -> func.HttpResponse:
     if not data_type:
         data_type = 'filters'
 
-    server = os.environ.get("SQLDB_SERVER")
-    database = os.environ.get("SQLDB_DATABASE")
-    username = os.environ.get("SQLDB_USERNAME")
-    password = os.environ.get("SQLDB_PASSWORD")
-
-    conn = pymssql.connect(server, username, password, database)
+    conn = get_db_connection()
     cursor = conn.cursor()
 
     # Adjust the dates to the current date
@@ -73,8 +113,12 @@ def get_metrics(req: func.HttpRequest) -> func.HttpResponse:
         ) t'''
 
         cursor.execute(sql_stmt)
-        rows = cursor.fetchall()
+        #rows = cursor.fetchall()
+
+        # Convert pyodbc.Row objects to tuples
+        rows = [tuple(row) for row in cursor.fetchall()]
 
+        # Define column names
         column_names = [i[0] for i in cursor.description]
         df = pd.DataFrame(rows, columns=column_names)
         df.rename(columns={'key1':'key'}, inplace=True)
@@ -167,7 +211,8 @@ def get_metrics(req: func.HttpRequest) -> func.HttpResponse:
         #charts pt1
         cursor.execute(sql_stmt)
 
-        rows = cursor.fetchall()
+        # rows = cursor.fetchall()
+        rows = [tuple(row) for row in cursor.fetchall()]
 
         column_names = [i[0] for i in cursor.description]
         df = pd.DataFrame(rows, columns=column_names)
@@ -208,7 +253,8 @@ def get_metrics(req: func.HttpRequest) -> func.HttpResponse:
 
         cursor.execute(sql_stmt)
 
-        rows = cursor.fetchall()
+        # rows = cursor.fetchall()
+        rows = [tuple(row) for row in cursor.fetchall()]
 
         column_names = [i[0] for i in cursor.description]
         df = pd.DataFrame(rows, columns=column_names)
@@ -286,7 +332,8 @@ def get_metrics(req: func.HttpRequest) -> func.HttpResponse:
 
         cursor.execute(sql_stmt)
 
-        rows = cursor.fetchall()
+        # rows = cursor.fetchall()
+        rows = [tuple(row) for row in cursor.fetchall()]
 
         column_names = [i[0] for i in cursor.description]
         df = pd.DataFrame(rows, columns=column_names)
diff --git a/AzureFunctions/km-charts-function/requirements.txt b/AzureFunctions/km-charts-function/requirements.txt
@@ -3,5 +3,6 @@
 # Manually managing azure-functions-worker may cause unexpected issues
 
 azure-functions
-pymssql==2.3.0
-pandas
+pandas
+pyodbc==5.2.0
+azure.identity
diff --git a/AzureFunctions/km-rag-function/Dockerfile b/AzureFunctions/km-rag-function/Dockerfile
@@ -2,6 +2,10 @@
 # FROM mcr.microsoft.com/azure-functions/python:4-python3.11-appservice
 FROM mcr.microsoft.com/azure-functions/python:4-python3.11
 
+# Install Microsoft ODBC Driver
+RUN apt-get update && \
+    ACCEPT_EULA=Y apt-get install -y msodbcsql17
+
 ENV AzureWebJobsScriptRoot=/home/site/wwwroot \
     AzureFunctionsJobHost__Logging__Console__IsEnabled=true
 
diff --git a/AzureFunctions/km-rag-function/function_app.py b/AzureFunctions/km-rag-function/function_app.py
@@ -1,4 +1,6 @@
 import azure.functions as func
+from azure.identity import DefaultAzureCredential
+import logging
 import openai
 from azurefunctions.extensions.http.fastapi import Request, StreamingResponse
 import asyncio
@@ -17,7 +19,8 @@
 from semantic_kernel.functions.kernel_arguments import KernelArguments
 from semantic_kernel.functions.kernel_function_decorator import kernel_function
 from semantic_kernel.kernel import Kernel
-import pymssql
+import pyodbc
+import struct
 
 # from semantic_kernel import Kernel
 # from semantic_kernel.connectors.ai.open_ai import AzureChatCompletion
@@ -37,6 +40,49 @@
 # search_endpoint = os.environ.get("AZURE_AI_SEARCH_ENDPOINT") 
 # search_key = os.environ.get("AZURE_AI_SEARCH_API_KEY")
 
+# get database connection
+def get_db_connection():
+    driver = "{ODBC Driver 17 for SQL Server}"
+    server = os.environ.get("SQLDB_SERVER")
+    database = os.environ.get("SQLDB_DATABASE")
+    username = os.environ.get("SQLDB_USERNAME")
+    password = os.environ.get("SQLDB_PASSWORD")
+
+    # Attempt connection using Username & Password
+    try:
+        conn = pyodbc.connect(
+            f"DRIVER={driver};SERVER={server};DATABASE={database};UID={username};PWD={password}",
+            timeout=5
+        )
+        logging.info("Connected using Username & Password")
+        return conn
+    except pyodbc.Error as e:
+        print(f"Failed with Username & Password: {str(e)}")
+
+    # If first attempt fails, try Azure Default Credential
+    try:
+        credential = DefaultAzureCredential()
+
+        token_bytes = credential.get_token(
+            "https://database.windows.net/.default"
+        ).token.encode("utf-16-LE")
+        token_struct = struct.pack(f"<I{len(token_bytes)}s", len(token_bytes), token_bytes)
+        SQL_COPT_SS_ACCESS_TOKEN = (
+            1256  # This connection option is defined by microsoft in msodbcsql.h
+        )
+
+        # Set up the connection
+        connection_string = f"DRIVER={driver};SERVER={server};DATABASE={database};"
+        conn = pyodbc.connect(
+            connection_string, attrs_before={SQL_COPT_SS_ACCESS_TOKEN: token_struct}
+        )
+
+        logging.info("Connected using Default Azure Credential")
+        return conn
+    except Exception as e:
+        logging.error(f"Failed with Default Credential: {str(e)}")
+        return None  # Return None if both attempts fail
+
 class ChatWithDataPlugin:
     @kernel_function(name="Greeting", description="Respond to any greeting or general questions")
     def greeting(self, input: Annotated[str, "the question"]) -> Annotated[str, "The output is a string"]:
@@ -111,14 +157,8 @@ def get_SQL_Response(
             sql_query = completion.choices[0].message.content
             sql_query = sql_query.replace("```sql",'').replace("```",'')
             #print(sql_query)
-        
-            # connectionString = os.environ.get("SQLDB_CONNECTION_STRING")
-            server = os.environ.get("SQLDB_SERVER")
-            database = os.environ.get("SQLDB_DATABASE")
-            username = os.environ.get("SQLDB_USERNAME")
-            password = os.environ.get("SQLDB_PASSWORD")
 
-            conn = pymssql.connect(server, username, password, database)
+            conn = get_db_connection()
             # conn = pyodbc.connect(connectionString)
             cursor = conn.cursor()
             cursor.execute(sql_query)
diff --git a/AzureFunctions/km-rag-function/requirements.txt b/AzureFunctions/km-rag-function/requirements.txt
@@ -6,6 +6,7 @@ azure-functions
 azurefunctions-extensions-http-fastapi==1.0.0b1
 openai==1.57.0
 semantic_kernel==1.0.4
-pymssql==2.3.0
 azure-search-documents==11.6.0b3
+pyodbc==5.2.0
+azure.identity
 # httpx==0.27.2
diff --git a/Deployment/scripts/add_sql_users.ps1 b/Deployment/scripts/add_sql_users.ps1
@@ -0,0 +1,72 @@
+param(
+    [string] $resourceGroupName,
+    [string] $serverName,
+    [string] $databaseName,
+    [string] $chartJsFuncAppName,  # Function App Name of Chart JS
+    [string] $ragFuncAppName  # Function App Name of RAG
+)
+
+try {
+    Write-Host "Installing modules"
+    Import-Module -Name SqlServer
+
+    # Import modules
+    Import-Module SqlServer
+
+    Write-Host "Modules imported successfully."
+
+    # Authenticate using current logged in user
+    az login
+    $loggedInUser = (Get-AzADUser -SignedIn).UserPrincipalName
+
+    Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName $resourceGroupName `
+                                            -ServerName $serverName `
+                                            -DisplayName $loggedInUser
+                                            
+    Write-Host "Entra ID Admin set to: $loggedInUser"
+
+    # Define connection details
+    $connectionString = "Server=tcp:${serverName}.database.windows.net,1433;Initial Catalog=$databaseName;Authentication=Active Directory Integrated;"
+
+    Write-Host "Database Connection String: $connectionString"
+
+    # Define the T-SQL script to add a new user and grant permissions
+    $queryChartJs = @"
+IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = '${chartJsFuncAppName}')
+BEGIN
+    CREATE USER [${chartJsFuncAppName}] FROM EXTERNAL PROVIDER;
+    ALTER ROLE db_datareader ADD MEMBER [${chartJsFuncAppName}]; -- Grant SELECT on all user tables and views.
+    ALTER ROLE db_datawriter ADD MEMBER [${chartJsFuncAppName}]; -- Grant INSERT, UPDATE, and DELETE on all user tables and views.
+END
+"@
+
+# Define the T-SQL script to add a new user and grant permissions
+    $queryRag = @"
+IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = '${ragFuncAppName}')
+BEGIN
+    CREATE USER [${ragFuncAppName}] FROM EXTERNAL PROVIDER;
+    ALTER ROLE db_datareader ADD MEMBER [${ragFuncAppName}]; -- Grant SELECT on all user tables and views.
+    ALTER ROLE db_datawriter ADD MEMBER [${ragFuncAppName}]; -- Grant INSERT, UPDATE, and DELETE on all user tables and views.
+END
+"@
+
+# ALTER ROLE db_ddladmin ADD MEMBER [${principalName}]; -- Grants CREATE, ALTER, and DROP on tables, views, functions, procedures, etc.
+
+    Write-Host "Executing SQL script for Chart JS Func..."
+    Invoke-Sqlcmd -ConnectionString $connectionString -Query $queryChartJs
+    Write-Host "SQL statement executed for Chart JS."
+
+    Write-Host "Executing SQL script for RAG.."
+    Invoke-Sqlcmd -ConnectionString $connectionString -Query $queryRag
+
+    Write-Host "SQL statement executed for RAG."
+} catch {
+    # Print the detailed error message
+    Write-Host "An error occurred while querying the database:"
+    Write-Host "Error Message: $($_.Exception.Message)"
+    Write-Host "Error Type: $($_.Exception.GetType())"
+    Write-Host "Stack Trace: $($_.Exception.StackTrace)"
+    if ($_.Exception.InnerException) {
+        Write-Host "Inner Exception: $($_.Exception.InnerException.Message)"
+    }
+} 
