What
Allow Data API builder to read a development token from SQL_ACCESS_TOKEN and assign it to SqlConnection.AccessToken.
Important
This feature is explicitly scoped to development mode. Never use in production.
Why
When DAB runs in Docker, normal Entra credential chains often fail. Some SQL endpoints, such as Fabric SQL, require token authentication. This feature provides a development token override so containerized development works without changing production authentication.
How
- No change to the configuration file.
- No change to the command-line.
At connection creation:
    if (development mode &&
        not OBO &&
        Entra authentication &&
        SQL_ACCESS_TOKEN exists)
    {
        connection.AccessToken = SQL_ACCESS_TOKEN
        connection.Pooling = false
    }
Important
The env var is re-read on every connection open (never cached).
Note
In a pooled scenario, you might not see a clean error. So, we disable pooling.
Logging
When properly invoked:
[INFO] Using SQL_ACCESS_TOKEN for connection (development mode)
When prerequisites are not met:
[WARN] SQL_ACCESS_TOKEN set but requirements are not met — token ignored
Rules
- only when the connection string uses Microsoft Entra authentication: `Active Directory Default`, `Active Directory Managed Identity`, `Active Directory Workload Identity` only.
- only when the `OBO` flow is not being used
- only when `SQL_ACCESS_TOKEN` exists
- only when `runtime.host.mode=development`
- always allow the engine to start
- let the database raise connection errors if the token is invalid
- do not cache the token, re-read it every time a connection is opened
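
An added sketch of this gate in C# against Microsoft.Data.SqlClient, not code from the Data API builder repository; the class, method and parameter names are hypothetical. It assumes a SqlClient version that defines `ActiveDirectoryWorkloadIdentity`, and it removes the `Authentication` and `User ID` keywords because SqlClient rejects an `AccessToken` set alongside them.

```csharp
using System;
using Microsoft.Data.SqlClient;
using Microsoft.Extensions.Logging;

// Added illustration. DevTokenOverride, Create and its parameters are hypothetical names.
public static class DevTokenOverride
{
    private const string EnvVar = "SQL_ACCESS_TOKEN";

    public static SqlConnection Create(string connectionString, bool isDevelopmentMode,
                                       bool isOboFlow, ILogger log)
    {
        var builder = new SqlConnectionStringBuilder(connectionString);

        // Re-read on every connection creation; the value is never cached or logged.
        var token = Environment.GetEnvironmentVariable(EnvVar);
        if (string.IsNullOrWhiteSpace(token))
        {
            return new SqlConnection(builder.ConnectionString); // normal credential chain
        }

        bool entraAuth = builder.Authentication is
            SqlAuthenticationMethod.ActiveDirectoryDefault or
            SqlAuthenticationMethod.ActiveDirectoryManagedIdentity or
            SqlAuthenticationMethod.ActiveDirectoryWorkloadIdentity;

        if (!isDevelopmentMode || isOboFlow || !entraAuth)
        {
            // Token is present but a rule is not met: ignore it and still start.
            log.LogWarning("SQL_ACCESS_TOKEN set but requirements are not met \u2014 token ignored");
            return new SqlConnection(builder.ConnectionString);
        }

        // The AccessToken setter throws if the connection string still carries
        // an Authentication method or a User ID (e.g. a managed identity client id).
        builder.Remove("Authentication");
        builder.Remove("User ID");

        // Pooling is a connection-string setting; off so each open uses the current token.
        builder.Pooling = false;

        log.LogInformation("Using SQL_ACCESS_TOKEN for connection (development mode)");

        // An invalid or expired token is not checked here; the database raises the error on Open().
        return new SqlConnection(builder.ConnectionString) { AccessToken = token };
    }
}
```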