SqlAlchemy 通过令牌身份验证连接到 Azure Postgresql 灵活数据库

您可以按照以下过程使用访问令牌身份验证连接到 Azure Database for PostgreSQL 服务器：

使用以下代码获取用于身份验证的访问令牌：

import msal

# Define Azure AD settings
client_id = "<clientId>"
client_secret = "<clientSecret>"
tenant_id = "<tenantId>"
scope = ["https://graph.microsoft.com/.default"]
authority = f"https://login.microsoftonline.com/{tenant_id}"

app = msal.ConfidentialClientApplication(
    client_id=client_id,
    client_credential=client_secret,
    authority=authority
)

result = None
try:
    result = app.acquire_token_silent(scope, account=None)
    if not result:
        result = app.acquire_token_for_client(scopes=scope)
except Exception as ex:
    print(f"An error occurred: {str(ex)}")

if "access_token" in result:
    access_token = result["access_token"]
    print(access_token)
else:
    print(f"Token acquisition failed: {result.get('error')}")

使用下面的代码通过 SQLAlchemy 连接到 Azure Database for PostgreSQL 服务器：

from sqlalchemy import create_engine, text
import urllib.parse

# Replace these placeholders with your PostgreSQL server details
username = "<activeDirectoryName>"
hostname = "<serverName>.postgres.database.azure.com"
port = "<port>"
database_name = "<databaseName>"

# Properly percent-encode the password
password_encoded = urllib.parse.quote_plus(access_token)

# Create the database URL
db_url = f"postgresql://{username}:{password_encoded}@{hostname}:{port}/{database_name}"

engine = create_engine(db_url)

with engine.connect() as connection:
    query = text("SELECT usename AS role_name FROM pg_catalog.pg_user ORDER BY role_name desc;")
    result = connection.execute(query)

    for row in result:
        print(row)

以下是完整代码：

import msal
from sqlalchemy import create_engine, text
import urllib.parse

# Define Azure AD settings
client_id = "<clientId>"
client_secret = "<clientSecret>"
tenant_id = "<tenantId>"
scope = ["https://graph.microsoft.com/.default"]
authority = f"https://login.microsoftonline.com/{tenant_id}"

app = msal.ConfidentialClientApplication(
    client_id=client_id,
    client_credential=client_secret,
    authority=authority
)

result = None
try:
    result = app.acquire_token_silent(scope, account=None)
    if not result:
        result = app.acquire_token_for_client(scopes=scope)
except Exception as ex:
    print(f"An error occurred: {str(ex)}")

if "access_token" in result:
    access_token = result["access_token"]
else:
    print(f"Token acquisition failed: {result.get('error')}")

# Replace these placeholders with your PostgreSQL server details
username = "<activeDirectoryAdmin>"
hostname = "<serverName>.postgres.database.azure.com"
port = "<port>"
database_name = "<database>"

# Properly percent-encode the password
password_encoded = urllib.parse.quote_plus(access_token)

# Create the database URL
db_url = f"postgresql://{username}:{password_encoded}@{hostname}:{port}/{database_name}"

engine = create_engine(db_url)

with engine.connect() as connection:
    query = text("SELECT usename AS role_name FROM pg_catalog.pg_user ORDER BY role_name desc;")
    result = connection.execute(query)

    for row in result:
        print(row)

您将得到如下输出：

最好的方法是使用

do_connect

假设您已经定义了一个函数来检索 AD 令牌：

get_authentication_token

from sqlalchemy import event

user=<MS Entra principal>
host=<hostname>.postgres.database.azure.com
port=<port>
dbname=<dbname>

engine = create_engine(f"postgresql+psycopg2://{user}@{host}:{port}/{dbname}")

@event.listens_for(engine, "do_connect")
def provide_token(dialect, conn_rec, cargs, cparams):
  cparams["password"] = get_authentication_token()