Connect Kong Gateway to Azure PostgreSQL Server using Azure Managed Identity

Uses: Kong Gateway

Microsoft Entra authentication (formerly Azure AD) provides a secure way to connect Kong Gateway to your Azure PostgreSQL database without storing database passwords in configuration files. This feature supports both Service Principal and Managed Identity authentication methods. This page walks through an example of using Azure Managed Identity authentication to connect to Azure PostgreSQL Server.

Prerequisites

Before configuring Azure authentication in Kong Gateway, you need the following:

  • Enable Microsoft Entra authentication on your Azure Database for PostgreSQL flexible server instance by selecting PostgreSQL and Microsoft Entra authentication as its authentication method.
  • Create a managed identity and an Azure resource that uses it for authentication. For example, you can create a user-assigned managed identity and assign it to an Azure VM. Copy and save the managed identity’s client ID; you can find it on the managed identity’s detail page in the Azure Portal.
  • Create an Azure Database for PostgreSQL flexible server user for your managed identity. To do so, connect to the Azure PostgreSQL server as the Microsoft Entra administrator and run the following SQL command:

    postgres=> select * from pgaadauth_create_principal('my-managed-identity', false, false);

              pgaadauth_create_principal
    ------------------------------------------------
    Created role for "my-managed-identity"
    (1 row)

    You also need to create the database that Kong Gateway will use and grant the managed identity access to it. For example, the following commands create a kong database owned by the managed identity and grant it all privileges on the public schema:

    postgres=> create database kong owner 'my-managed-identity' encoding 'utf-8';
    CREATE DATABASE
    postgres=> \c kong
    SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
    You are now connected to database "kong" as user "XXXXX".
    kong=> grant all on schema public to "my-managed-identity";
    GRANT

Configuring Azure authentication in Kong Gateway

Now you can configure Azure authentication in Kong Gateway by setting configuration settings for your database.

Azure PostgreSQL Server configuration parameters

The following parameters control Azure authentication (Service Principal or Managed Identity) for the connection to the Azure PostgreSQL Server:

pg_azure_auth (default: off)
    Determines whether Azure authentication is used for PostgreSQL connections. When set to on, the username defined in pg_user is used as the database account and the database connection is forced to use TLS. pg_password is not used when this setting is on.

pg_azure_client_id
    The Azure client ID used for authentication. For Managed Identity: the client ID of the user-assigned managed identity. For Service Principal: the application (client) ID of the service principal.

pg_azure_client_secret
    The Azure client secret used for authentication. Required for Service Principal authentication; not needed for Managed Identity.

pg_azure_tenant_id
    The Azure tenant ID. Required only for Service Principal authentication; not needed for Managed Identity. If it is not specified, Managed Identity authentication is attempted.

pg_ro_azure_auth
    Same as pg_azure_auth, but for the read-only connection.

pg_ro_azure_client_id
    Same as pg_azure_client_id, but for the read-only connection.

pg_ro_azure_client_secret
    Same as pg_azure_client_secret, but for the read-only connection.

pg_ro_azure_tenant_id
    Same as pg_azure_tenant_id, but for the read-only connection.
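The following kong.conf fragment applies these settings for the Managed Identity case. It is an added example, not taken from the Kong documentation; the server hostnames and the client ID are placeholders, and the TLS verification settings at the end are standard Kong options added as a hardening suggestion.

```ini
# Example kong.conf fragment (added illustration, not from the Kong docs):
# connect Kong Gateway to Azure Database for PostgreSQL with a
# user-assigned managed identity. Replace the <placeholders> with your values.

# Standard connection settings
pg_host = <your-server-name>.postgres.database.azure.com
pg_port = 5432
pg_database = kong

# pg_user must match the PostgreSQL role created with pgaadauth_create_principal;
# with Azure authentication on, this is the database account Kong logs in as.
pg_user = my-managed-identity

# Turn on Microsoft Entra authentication. Kong obtains a token for the
# identity and forces TLS; pg_password is ignored, so leave it unset.
pg_azure_auth = on
pg_azure_client_id = <client-id-of-the-user-assigned-managed-identity>

# Leave unset for Managed Identity: these apply only to Service Principal auth.
# pg_azure_client_secret = ...
# pg_azure_tenant_id = ...

# Optional hardening (standard Kong settings, assumed available in your version):
# verify the server certificate so the access token is never presented to a
# spoofed PostgreSQL endpoint.
pg_ssl = on
pg_ssl_verify = on
lua_ssl_trusted_cert = system

# Read-only connection (for example a read replica) using the same identity.
pg_ro_host = <your-replica-name>.postgres.database.azure.com
pg_ro_azure_auth = on
pg_ro_azure_client_id = <client-id-of-the-user-assigned-managed-identity>
```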

FAQs

If Azure authentication fails, run the kong command with the --vv flag to print the debug log; it shows the reason the Azure authentication failed. For example, the following log shows an error when authenticating with Managed Identity (the identity with the configured client ID could not be found by the instance metadata service):

2025/08/20 06:55:13 [debug] 68220#0: *2 [lua] init.lua:32: auth(): could not authenticate to azure with ClientCredentials class, error: Couldn't find AZURE_CLIENT_SECRET env variable
2025/08/20 06:55:13 [debug] 68220#0: *2 [lua] init.lua:32: auth(): could not authenticate to azure with WorkloadIdentityCredentials class, error: Couldn't find AZURE_FEDERATED_TOKEN_FILE env variable
2025/08/20 06:55:13 [debug] 68220#0: *2 [lua] ManagedIdentityCredentials.lua:217: configureIMDSCredentialRequest(): use managed identity in IMDS
2025/08/20 06:55:13 [debug] 68220#0: *2 [lua] ManagedIdentityCredentials.lua:150: try to use managed identity client_id XXXXXXXX
2025/08/20 06:55:13 [debug] 68220#0: *2 [lua] http_connect.lua:253: connect(): poolname: http:169.254.169.254:80:nil::nil:::
2025/08/20 06:55:13 [debug] 68220#0: *2 [lua] init.lua:32: auth(): could not authenticate to azure with ManagedIdentityCredentials class, error: managed identity credentials request failed, status: 400, body: {"error":"invalid_request","error_description":"Identity not found"}

No: when pg_azure_auth is enabled, pg_password is ignored.
