Using Liquibase with PostgresDB and Managed Identities

General Discussion
1

Hello!

We started using liquibase in our development process. There we are using docker compose and the liquibase docker image to run updates. This works like a charm.

But. Setting this up in Azure with Postgresql, Container App Jobs and trying to utilize Azure managed identities has become a challenge.

My current approach.

  1. Create the Postgresql flexible server
  2. Create the Container App Job (CAJ)
  3. Setup managed identities between the postgres server and CAJ
  4. Manually setup the CAJ user in the postgres server
  5. Use the Liquibase docker image as a base and add my own changelogs it, add a few command parameters and push to an Azure Container Registry. Here is the Dockerfile I use to build
# Use the latest Liquibase Docker image
FROM liquibase/liquibase:latest

# Copy your changelogs folder into the image
COPY ./[redacted]/liquibase/changelog /liquibase/changelog

# Set the working directory to the Liquibase directory in the image
WORKDIR /liquibase

# Set up environment variables for Liquibase (excluding username and password)
ENV LIQUIBASE_COMMAND_URL=jdbc:postgresql://[redacted]/[redacted]?sslmode=require&authenticationPluginClassName=com.azure.identity.extensions.jdbc.postgresql.AzurePostgresqlAuthenticationPlugin
ENV LIQUIBASE_COMMAND_USERNAME=[redacted]
ENV LIQUIBASE_COMMAND_CHANGELOG_FILE=changelog/Main.yml

# Run the custom script on container startup
CMD ["update"]

The plugin I try to use is referenced here in a learn article from microsoft that you can find by googling azure passwordless connection postgresql.
6. Run the CAJ

This report this error
Liquibase Version: 4.24.0
Unexpected error running Liquibase: Connection could not be created to jdbc:postgresql://[redacted]/[redacted]?sslmode=require&authenticationPluginClassName=com.azure.identity.extensions.jdbc.postgresql.AzurePostgresqlAuthenticationPlugin with driver org.postgresql.Driver. Unable to load Authentication Plugin com.azure.identity.extensions.jdbc.postgresql.AzurePostgresqlAuthenticationPlugin
For more information, please use the --log-level flag

Is my approach incorrect?
How have people integrated liquibase into your workflow?
How can I solve the error?
Should I just swallow that the CAJ will need to access a secret and do standard User/Password authentication for the job?

Best regards,
Staffan

2

I found a solution!

Install the Azure CLI in the image and then run a bash script with the CMD line.

Note: This requires that you have setup system assigned identities for the CAJ and manually added the user and privileges correctly.
Google microsoft entra users for postgresql to see how.

Since a picture says more than a thousand words and it is often the same with code here is an example bash script.

# Get access token and username
az login --identity
token=$(az account get-access-token --resource https://database.windows.net/ --query accessToken -o tsv)
username=$(az ad signed-in-user show --query userPrincipalName --output tsv)

# Example Setup your jbdc url
jdbc=jdbc:postgresql://[server]:5432/[database]

# Run liquibase with token
liquibase update --username $username --password $token --url $jdbc
3

I am generally curious to why this post was flagged as spam. Would anyone like to elaborate?

This post, especially with the solution now found is something I would have loved to find when I was beginning to set something like this up.