Skip to content

Support Microsoft Entra ID auth for Fabric connections#7

Merged
turtleDev merged 1 commit into
mainfrom
mssql-service-principal-auth
Jul 9, 2026
Merged

Support Microsoft Entra ID auth for Fabric connections#7
turtleDev merged 1 commit into
mainfrom
mssql-service-principal-auth

Conversation

@turtleDev

Copy link
Copy Markdown
Contributor

Problem

fabric connections were mapped directly to the MSSQL client factory, which unconditionally reads raw["username"] and raw["password"]. Bruin's Fabric connection supports three auth modes, and two of them carry no username:

  • use_azure_default_credential: true (DefaultAzureCredential chain)
  • client_id + client_secret + tenant_id (Entra ID service principal)
  • username + password (SQL authentication)

Anyone on a service principal — the standard setup for Fabric — hit KeyError: 'username' as soon as the client was created.

Changes

Fabric gets its own factory. pymssql has no way to present a Microsoft Entra ID access token, so the two Entra ID modes acquire a token through azure-identity and pass it to pyodbc via the msodbcsql SQL_COPT_SS_ACCESS_TOKEN pre-connect attribute. SQL authentication continues to use the existing pymssql path, so nothing changes for connections that already worked.

  • The ODBC driver defaults to the newest installed ODBC Driver NN for SQL Server, and can be pinned via a driver field on the connection.
  • A connection with none of the three credential sets now raises ConnectionParseError naming the fields it expects, rather than a bare KeyError.
  • bruin-sdk[fabric] now pulls in pyodbc and azure-identity.
  • Boolean connection fields that arrive as JSON strings ("true") are handled by a shared _as_bool helper, which the GCP ADC check now reuses.

Notes

The Entra ID modes need an ODBC Driver for SQL Server (msodbcsql18 or newer) on the machine running the asset; the README documents this alongside the auth matrix.

Fabric connections were routed straight to the MSSQL factory, which
indexes raw["username"] and raw["password"] unconditionally. Bruin's
Fabric connection also accepts a service principal (client_id,
client_secret, tenant_id) or the DefaultAzureCredential chain, and
those payloads carry no username, so building the client raised
KeyError: 'username'.

pymssql cannot carry a Microsoft Entra ID access token, so give Fabric
its own factory: the two Entra ID modes acquire a token via
azure-identity and hand it to pyodbc through the msodbcsql
SQL_COPT_SS_ACCESS_TOKEN pre-connect attribute, while SQL
authentication keeps using the shared pymssql path.

The ODBC driver defaults to the newest installed
"ODBC Driver NN for SQL Server" and can be pinned with a driver field
on the connection. A payload with none of the three credential sets now
raises ConnectionParseError naming the fields it expects.
@turtleDev turtleDev merged commit 58937fc into main Jul 9, 2026
4 checks passed
@turtleDev turtleDev deleted the mssql-service-principal-auth branch July 9, 2026 15:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants