New

Support for Azure Managed Identity (System & User Assigned) in JDBC Connections for FME Flow

Related products: FME Flow, FME Flow Hosted
  • November 18, 2025

cyclomedia
Contributor

Currently, FME Flow supports database connections via JDBC, but authentication typically relies on static credentials such as username and password. In modern cloud environments like Azure, using Managed Identity is a best practice for secure, secretless authentication.

This idea proposes adding support for Azure Managed Identity including System Assigned and User Assigned identities for JDBC connections to databases such as Azure SQL Database, Azure Synapse, and other services that support token-based authentication.

Why is this important?

  • Eliminate hardcoded credentials: Reduces security risks and simplifies credential management.
  • Cloud-native security: Aligns with Azure best practices and enterprise compliance requirements.
  • Automatic token refresh: Improves reliability and reduces operational overhead.
  • Flexibility: Support for both System Assigned and User Assigned identities allows organizations to choose the right approach for their architecture.

How it could work:

  • FME Flow detects it is running in Azure and uses the assigned Managed Identity.
  • When establishing a JDBC connection, FME Flow retrieves an OAuth 2.0 access token from the Azure Instance Metadata Service (IMDS).
  • The token is injected into the JDBC connection string or passed as a driver property (depending on the database/JDBC driver).
  • Configuration options in FME Flow to select:
    • Authentication mode: Managed Identity
    • Identity type: System Assigned or specify a User Assigned identity (via client ID)

Use Case Example: An organization runs FME Flow on an Azure VM with a User Assigned Managed Identity that has access to multiple Azure SQL Databases. Instead of storing credentials in FME Flow, the system automatically retrieves tokens for secure, passwordless connections.
 

Security Necessity

Storing static credentials in FME Flow or any application introduces significant risks:

  • Credentials can be leaked through logs, backups, or misconfigurations.
  • Manual rotation of passwords is error-prone and often neglected.
  • Compliance frameworks (ISO, SOC, GDPR) increasingly require secretless authentication methods.

By leveraging Azure Managed Identity, FME Flow can achieve zero-secret architecture, reducing attack surfaces and aligning with modern security standards.
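
The flow listed under "How it could work", as an added example that is not part of the original post and is not FME Flow code: it builds the IMDS token request for a system-assigned or user-assigned identity, checks the token's expiry, and hands the token to the driver as a property. It assumes the Microsoft JDBC Driver for SQL Server (its `accessToken` connection property) and Java 11 or later; the class name, helper names, and sample response are constructed for illustration.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.sql.*;
import java.time.Instant;
import java.util.Properties;
import java.util.regex.*;

public class ManagedIdentityJdbc {
    static final String IMDS = "http://169.254.169.254/metadata/identity/oauth2/token";
    static final String RESOURCE = "https://database.windows.net/"; // Azure SQL token audience

    // clientId == null selects the system-assigned identity, otherwise a user-assigned one.
    static HttpRequest tokenRequest(String clientId) {
        String q = "?api-version=2018-02-01&resource=" + URLEncoder.encode(RESOURCE, StandardCharsets.UTF_8);
        if (clientId != null) q += "&client_id=" + URLEncoder.encode(clientId, StandardCharsets.UTF_8);
        // IMDS only answers requests that carry the Metadata header.
        return HttpRequest.newBuilder(URI.create(IMDS + q)).header("Metadata", "true").GET().build();
    }

    // Minimal extraction of a string field; a real integration would use a JSON parser.
    static String field(String json, String name) {
        Matcher m = Pattern.compile("\"" + name + "\"\\s*:\\s*\"([^\"]*)\"").matcher(json);
        if (!m.find()) throw new IllegalStateException("IMDS response has no " + name);
        return m.group(1);
    }

    // The token travels as a driver property, so it never appears in the JDBC URL or in logged URLs.
    static Properties driverProperties(String imdsJson, Instant now) {
        Instant expires = Instant.ofEpochSecond(Long.parseLong(field(imdsJson, "expires_on")));
        if (!expires.isAfter(now.plusSeconds(300)))
            throw new IllegalStateException("token expires within 5 minutes; request a new one");
        Properties p = new Properties();
        p.setProperty("accessToken", field(imdsJson, "access_token")); // mssql-jdbc property
        return p;
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 0) { // offline run against a constructed IMDS response
            String sample = "{\"access_token\":\"constructed.sample.token\",\"expires_on\":\"1763500000\"}";
            Properties p = driverProperties(sample, Instant.ofEpochSecond(1763490000L));
            System.out.println(tokenRequest(null).uri() + " -> accessToken set: " + p.containsKey("accessToken"));
            return;
        }
        // Live run on an Azure VM: args[0] = JDBC URL (placeholder), args[1] = optional client ID.
        String json = HttpClient.newHttpClient().send(tokenRequest(args.length > 1 ? args[1] : null),
                HttpResponse.BodyHandlers.ofString()).body();
        try (Connection c = DriverManager.getConnection(args[0], driverProperties(json, Instant.now()))) {
            System.out.println("connected: " + c.isValid(5));
        }
    }
}
```

A token supplied this way is fixed for the life of the connection, so a connection pool has to request a fresh token when it opens new connections; the token value itself should never be written to logs.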