
Connect EJBCA to a database using cloud provider identities

This guide explains how to configure the Helm chart to connect EJBCA to external databases using cloud provider identities. Identity-based access enables passwordless connections to the database.

Use Azure SQL with AKS Workload Identity

When deploying EJBCA to an Azure Kubernetes Service (AKS) cluster, you can use a managed identity to authenticate with an Azure SQL database.

Prerequisites

Before you begin, you need:

  • An AKS cluster with managed identities (workload identity) enabled

  • A managed identity

  • An Azure SQL database

For guidance on setting up the prerequisites, refer to Microsoft's documentation on:

Create a database for EJBCA

  1. Connect to Azure SQL using your admin user and create a database for EJBCA:

    SQL
    CREATE DATABASE ejbca COLLATE Latin1_General_100_CI_AI_SC_UTF8;
  2. Connect to the ejbca database and create a SQL user from the managed identity:

    SQL
    CREATE USER [<managed-identity-name>] FROM EXTERNAL PROVIDER;
  3. Grant the managed identity user the necessary permissions to create and read objects in the EJBCA database:

    SQL
    ALTER ROLE db_ddladmin ADD MEMBER [<managed-identity-name>];
    ALTER ROLE db_datareader ADD MEMBER [<managed-identity-name>];
    ALTER ROLE db_datawriter ADD MEMBER [<managed-identity-name>];
    GRANT VIEW DATABASE STATE TO [<managed-identity-name>];
    
    -- alternatively, grant the 'db_owner' role, which can perform
    -- all configuration and maintenance activities in the database
    -- ALTER ROLE db_owner ADD MEMBER [<managed-identity-name>];

Configure the Helm Chart

Adjust your Helm deployment parameters to enable EJBCA to use the managed identity when connecting to Azure SQL:

YAML
ejbca:
  env:
    APPSERVER_USE_MANAGED_ID: "true"
    DATABASE_JDBC_URL: "jdbc:sqlserver://<database-host>.database.windows.net:1433;DatabaseName=ejbca;encrypt=true;trustServerCertificate=true;hostNameInCertificate=*.database.windows.net;authentication=ActiveDirectoryDefault;"

serviceAccount:
  annotations:
    "azure.workload.identity/client-id": "<client-id>"
    "azure.workload.identity/tenant-id": "<tenant-id>"

podLabels:
  azure.workload.identity/use: "true"

Replace the following placeholder variables in the example above with values appropriate for your environment:

  • <database-host> - Azure SQL server name.

  • <client-id> - Client ID of the managed identity (or Microsoft Entra application).

  • <tenant-id> - Azure tenant ID.

Once applied, the EJBCA deployment will authenticate to Azure SQL using the assigned managed identity, eliminating the need for static credentials.
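Before running `helm upgrade`, it is worth checking the values above mechanically: that managed-identity mode is on, that the JDBC URL carries no static user/password, that the authentication property is set, that the workload identity annotations and label are present, and that no `<placeholder>` survived. The script below is an added example written for this guide; it is not part of the EJBCA Helm chart. It builds the values inline as a Python dict (constructed to mirror the guide, so no YAML parser is required) and lints them with a small SQL Server JDBC URL parser. It also flags `trustServerCertificate=true`, which tells the Microsoft JDBC driver not to validate the server certificate, as a warning rather than an error, since the guide's own URL uses it.

```python
"""Lint EJBCA Helm values for Azure SQL access via AKS Workload Identity.

Added example for this guide (not part of the EJBCA Helm chart). The values
are built inline as a constructed dict mirroring the guide's YAML.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Constructed sample: the same values the guide shows, placeholders included.
SAMPLE_VALUES: Dict = {
    "ejbca": {
        "env": {
            "APPSERVER_USE_MANAGED_ID": "true",
            "DATABASE_JDBC_URL": (
                "jdbc:sqlserver://<database-host>.database.windows.net:1433;"
                "DatabaseName=ejbca;encrypt=true;trustServerCertificate=true;"
                "hostNameInCertificate=*.database.windows.net;"
                "authentication=ActiveDirectoryDefault;"
            ),
        }
    },
    "serviceAccount": {
        "annotations": {
            "azure.workload.identity/client-id": "<client-id>",
            "azure.workload.identity/tenant-id": "<tenant-id>",
        }
    },
    "podLabels": {"azure.workload.identity/use": "true"},
}


def is_placeholder(value: str) -> bool:
    """True for unreplaced '<...>' template values such as '<client-id>'."""
    return "<" in value and ">" in value


def parse_jdbc_url(url: str) -> Tuple[str, int, Dict[str, str]]:
    """Split a jdbc:sqlserver:// URL into (host, port, properties).

    Property names are lower-cased so lookups are case-insensitive;
    values keep their original case.
    """
    prefix = "jdbc:sqlserver://"
    if not url.startswith(prefix):
        raise ValueError("DATABASE_JDBC_URL is not a jdbc:sqlserver:// URL")
    endpoint, _, prop_text = url[len(prefix):].partition(";")
    host, _, port = endpoint.partition(":")
    props: Dict[str, str] = {}
    for item in prop_text.split(";"):
        if item.strip():
            key, _, value = item.partition("=")
            props[key.strip().lower()] = value.strip()
    return host, int(port) if port else 1433, props


def lint_values(values: Dict) -> List[Finding]:
    """Return findings for a Helm values dict; an empty list means all checks pass."""
    findings: List[Finding] = []
    env = values.get("ejbca", {}).get("env", {})

    if env.get("APPSERVER_USE_MANAGED_ID", "").lower() != "true":
        findings.append(("ERROR", 'APPSERVER_USE_MANAGED_ID must be "true"'))

    try:
        host, _port, props = parse_jdbc_url(env.get("DATABASE_JDBC_URL", ""))
    except ValueError as exc:
        findings.append(("ERROR", str(exc)))
        return findings

    if is_placeholder(host):
        findings.append(("WARN", f"JDBC host still contains a placeholder: {host}"))
    if props.get("authentication", "").lower() != "activedirectorydefault":
        findings.append(("ERROR", "JDBC URL must set authentication=ActiveDirectoryDefault"))
    if props.get("encrypt", "").lower() != "true":
        findings.append(("ERROR", "JDBC URL must set encrypt=true"))
    # Static credentials in the URL would bypass the managed identity entirely.
    if "user" in props or "password" in props:
        findings.append(("ERROR", "JDBC URL carries user/password; remove static credentials"))
    # trustServerCertificate=true makes the driver skip server certificate
    # validation: the channel is encrypted, but the server is not verified.
    if props.get("trustservercertificate", "").lower() == "true":
        findings.append(("WARN", "trustServerCertificate=true disables server certificate validation"))

    annotations = values.get("serviceAccount", {}).get("annotations", {})
    for key in ("azure.workload.identity/client-id", "azure.workload.identity/tenant-id"):
        value = annotations.get(key, "")
        if not value:
            findings.append(("ERROR", f"serviceAccount annotation {key} is missing"))
        elif is_placeholder(value):
            findings.append(("WARN", f"{key} still contains a placeholder: {value}"))

    if values.get("podLabels", {}).get("azure.workload.identity/use") != "true":
        findings.append(("ERROR", 'podLabels must set azure.workload.identity/use: "true"'))
    return findings


def errors(findings: List[Finding]) -> List[str]:
    """Only the blocking findings."""
    return [msg for sev, msg in findings if sev == "ERROR"]


if __name__ == "__main__":
    for severity, message in lint_values(SAMPLE_VALUES):
        print(f"{severity}: {message}")
```

Run against the guide's values as written, the linter reports no errors and four warnings: the three unreplaced placeholders and `trustServerCertificate=true`. Once the placeholders are filled in, the remaining warning is a deliberate choice for your environment; setting `trustServerCertificate=false` lets the driver validate the server certificate against `hostNameInCertificate`.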
