Azure AAD Identity Prisma Client

Hello, good morning. I have a question related to Azure AAD connection + Prisma Client. There is a way in Azure to create an identity provider for an app connected to Azure Postgres to avoid connections with a plain password, for security. With the @azure/identity library the password is taken at runtime. I wanted to know if there is an already-done solution for this or a good way/practice to do it. Thanks!
3 Replies
Prisma AI Help 2mo ago
You opted for speed from this bot. Let's conjure up an answer right now!

Currently, Prisma does not natively support Azure Active Directory (AAD) token-based authentication (Managed Identity or AAD access tokens) for Azure PostgreSQL or SQL Server. This is a frequently requested feature, especially for environments where passwordless authentication is required for compliance and security reasons.

Workarounds:
- For Azure SQL Server, some users have tried to use connection strings with AAD authentication parameters, but Prisma’s engine does not support these and returns errors. The underlying drivers (like Tiberius for SQL Server) have had some work done to support AAD, but this is not yet exposed in Prisma itself, and there is no official ETA for support. Community workarounds involve using other libraries (like tedious or mssql) directly, but this does not integrate with Prisma Client’s features or migrations, and is only viable for runtime queries, not schema management or migrations. (GitHub issue: Support Azure Managed Identities via SQL Server connection string)
- For Azure PostgreSQL, there is no official support for using AAD tokens either. Some users have tried to update the DATABASE_URL environment variable with a fresh token and restart the Prisma Client, but this is cumbersome and not a robust solution, especially since tokens expire frequently. (GitHub issue: Prisma with Azure PostgreSQL/AD connection)
- A common workaround is to fetch the connection string or password from a secure vault (like Azure Key Vault) at runtime and inject it into the Prisma Client. However, this still relies on username/password authentication, not true AAD token-based auth. (GitHub issue: Support for AWS Secrets Manager or Azure KeyVault in schema.prisma)

Summary:
There is currently no official or robust way to use Azure AAD/Managed Identity authentication with Prisma Client for Azure PostgreSQL. The best practice for now is to securely manage credentials via a vault and inject them at runtime, but this does not eliminate passwords. Keep an eye on the related GitHub issues for updates, as this is a highly requested feature.

🤔 Alright, thanks for letting us know that there's still some help needed. A team member will reply to you shortly. In the meantime, please let us know any additional info, questions, or which parts of the answer may need clarification.
Nurul 2mo ago
As the bot suggested, this is not possible natively at the moment.
Rafael Pignataro (OP) 2mo ago
Hey, thank you very much for the answer. Do you think I can achieve something similar with client extensions? I made it work for the first password (generated at runtime using pg + the Prisma pg adapter), but now I'm having issues when it expires and I need to refresh the password at runtime.
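Added example, not code from this thread or from Prisma: the pattern the OP describes (pg + the Prisma pg driver adapter, token generated at runtime) with the expiry problem handled. node-postgres accepts `password` as a function that returns a string or a Promise of one and calls it every time it opens a new connection. Postgres checks the password only during the startup handshake, so connections that are already open keep working after the token expires; only new connections need a fresh token, which is exactly when the function runs. The code caches the token from `@azure/identity`, refreshes it a few minutes before expiry, and collapses concurrent refreshes (a pool warming up opens several connections at once) into a single request. Assumptions: `pg`, `@prisma/adapter-pg`, `@prisma/client` and `@azure/identity` are installed; `schema.prisma` enables the `driverAdapters` preview feature and the adapter is the Prisma 5-era `PrismaPg` that takes a `pg.Pool` (newer adapter versions take the pool options object instead, where the same `password` function can be passed); the database user is the Entra ID principal configured on the server; the scope `https://ossrdbms-aad.database.windows.net/.default` is the one for Azure Database for PostgreSQL. The Prisma wiring lives in a function that is only called when you actually connect, so the refresh logic can be exercised on its own with a fake credential.

```javascript
// Added example (not from the thread or from Prisma): Azure AD access token
// used as the Postgres password and refreshed per new connection.
// Assumes @azure/identity, pg, @prisma/adapter-pg and @prisma/client are installed
// and schema.prisma has previewFeatures = ["driverAdapters"].

// Token scope for Azure Database for PostgreSQL with Entra ID authentication.
const POSTGRES_AAD_SCOPE = 'https://ossrdbms-aad.database.windows.net/.default';

// Pure decision: is the cached token usable, leaving a safety margin so a token
// that is valid now cannot expire in the middle of the connection handshake?
function tokenIsFresh(cached, nowMs, refreshSkewMs) {
  return Boolean(cached) && cached.expiresOnTimestamp - refreshSkewMs > nowMs;
}

// Wraps a TokenCredential (e.g. DefaultAzureCredential, whose getToken() resolves
// to { token, expiresOnTimestamp }) in a password provider that caches the token,
// refreshes it before expiry, and shares one in-flight refresh between callers.
function createAadPasswordProvider(credential, options = {}) {
  const scope = options.scope || POSTGRES_AAD_SCOPE;
  const refreshSkewMs = options.refreshSkewMs ?? 5 * 60 * 1000; // refresh 5 min early
  const now = options.now || Date.now;                        // injectable clock
  let cached = null;   // last AccessToken returned by the credential
  let inflight = null; // Promise<string> while a refresh is running

  async function getPassword() {
    if (tokenIsFresh(cached, now(), refreshSkewMs)) return cached.token;
    if (!inflight) {
      inflight = credential
        .getToken(scope)
        .then((t) => {
          if (!t || typeof t.token !== 'string') {
            throw new Error('credential returned no token');
          }
          cached = t;
          return t.token;
        })
        // Clear the slot whether the refresh succeeded or failed, so a failed
        // refresh is retried on the next connection attempt instead of sticking.
        .finally(() => { inflight = null; });
    }
    return inflight;
  }

  return { getPassword };
}

// Builds a Prisma Client whose connections authenticate with a fresh token.
// pg evaluates a function-valued `password` once per new Client, so expiry is
// handled where it matters (the startup handshake) and not by restarting Prisma.
function createPrismaClient({ host, user, database, credential, port = 5432 }) {
  const { Pool } = require('pg');
  const { PrismaPg } = require('@prisma/adapter-pg');
  const { PrismaClient } = require('@prisma/client');

  const provider = createAadPasswordProvider(credential);
  const pool = new Pool({
    host,
    port,
    user,       // the Entra ID principal configured on the Azure Postgres server
    database,
    ssl: { rejectUnauthorized: true }, // Azure requires TLS; keep certificate checks on
    password: () => provider.getPassword(),
    max: 10,
  });
  // Prisma 5-style adapter constructed from a pg.Pool (assumption; newer adapter
  // versions accept the pool options object, including the same password function).
  return new PrismaClient({ adapter: new PrismaPg(pool) });
}

// Usage (not executed here):
//   const { DefaultAzureCredential } = require('@azure/identity');
//   const prisma = createPrismaClient({
//     host: process.env.PGHOST,
//     user: process.env.AAD_USER,
//     database: process.env.PGDATABASE,
//     credential: new DefaultAzureCredential(),
//   });
//   const rows = await prisma.user.findMany();
```

With this wiring there is nothing to "refresh" on the Prisma side: a client extension is not needed, because the credential is consulted by the driver at connection time rather than baked into a connection string. The five-minute skew is deliberate; without it a token that is one second from expiry could be handed to a connection that then fails authentication, and the pool would surface that as an ordinary connection error.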
