I'm working on a project where I have a number of SQL Servers (think lab, acceptance, prod) and a number of databases running on each of them. My application will execute migrations on those databases, triggerable through a .NET API and an accompanying web interface. The application will make the mapping (authorization) between the AD user requesting the migration and the gMSA account that will execute the migration, which is installed on the IIS web server where my application runs.
Each database belongs to a project, and all databases' structure for a specific project can be modified by a gMSA account.
My question: how would you tackle impersonating these gMSA accounts? Remember that there are many: just configuring my IIS application to run as a particular gMSA user is not an option.
Some ideas I had myself:
- .NET impersonation: I can't find how this would work with gMSA accounts; some questions have been asked about it, but they have all gone unanswered.
- Running a PowerShell service for each gMSA account, which periodically checks for and picks up new migration requests.
- Running the API under a single gMSA account and giving that account access to all databases on all servers.
The first one is my best-case scenario; the second I won't attempt due to operational complexity. The third is my backup plan but obviously has some potential security risks (although an argument could be made that authorization is the responsibility of my API anyway).
Looking forward to your opinions.
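To make the third option more concrete, here is an added example in C# (not code from the original post, and not tied to any particular project) of how an API running under one gMSA could still enforce the AD-user-to-project-to-database mapping before touching a database. The `ProjectAuthorizer` and `MigrationRunner` classes, the `MIGRATE-<project>` AD group naming convention and the allow-list contents are all assumptions made for this illustration; `Microsoft.Data.SqlClient` is the real ADO.NET provider.

```csharp
// Added example (not from the original post): the API itself runs under a single gMSA
// and must enforce the AD user -> project -> database mapping before any migration runs.
// ProjectAuthorizer, MigrationRunner, the "MIGRATE-<project>" group convention and the
// allow-list content are assumptions for illustration only.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using Microsoft.Data.SqlClient;

public sealed class DatabaseTarget
{
    public string Server { get; }
    public string Database { get; }
    public DatabaseTarget(string server, string database) { Server = server; Database = database; }
}

public sealed class ProjectAuthorizer
{
    // Explicit allow-list: which databases belong to which project. Anything not listed
    // is refused, so a caller cannot reach a database merely by naming it.
    private readonly Dictionary<string, List<DatabaseTarget>> _projects;

    public ProjectAuthorizer(Dictionary<string, List<DatabaseTarget>> projects)
    {
        _projects = projects ?? throw new ArgumentNullException(nameof(projects));
    }

    // The requesting AD user must be a member of the project's migration group
    // (assumed convention: an AD group named "MIGRATE-<project>").
    public bool IsAuthorized(WindowsPrincipal requester, string project)
    {
        if (requester == null || string.IsNullOrWhiteSpace(project)) return false;
        if (!_projects.ContainsKey(project)) return false;
        return requester.IsInRole($"MIGRATE-{project}");
    }

    // Returns the requested target only if it belongs to the project; null otherwise.
    public DatabaseTarget ResolveTarget(string project, string server, string database)
    {
        if (!_projects.TryGetValue(project, out var targets)) return null;
        foreach (var t in targets)
        {
            if (string.Equals(t.Server, server, StringComparison.OrdinalIgnoreCase) &&
                string.Equals(t.Database, database, StringComparison.OrdinalIgnoreCase))
                return t;
        }
        return null;
    }
}

public static class MigrationRunner
{
    // Executes a migration script on one authorized target. The SQL connection uses the
    // process identity (the gMSA the API runs under); the requester's identity is used
    // only for the authorization decision and is written to the audit log.
    public static void Run(ProjectAuthorizer auth, WindowsPrincipal requester,
                           string project, string server, string database,
                           string migrationSql, Action<string> audit)
    {
        if (!auth.IsAuthorized(requester, project))
        {
            audit($"DENY user={requester?.Identity?.Name} project={project} db={server}/{database} reason=not-in-group");
            throw new UnauthorizedAccessException("Requester is not authorized for this project.");
        }

        var target = auth.ResolveTarget(project, server, database);
        if (target == null)
        {
            audit($"DENY user={requester.Identity.Name} project={project} db={server}/{database} reason=not-in-project");
            throw new UnauthorizedAccessException("Database is not part of the requested project.");
        }

        var connectionString = new SqlConnectionStringBuilder
        {
            DataSource = target.Server,
            InitialCatalog = target.Database,
            IntegratedSecurity = true,   // authenticates as the gMSA the API process runs under
            Encrypt = true
        }.ConnectionString;

        audit($"ALLOW user={requester.Identity.Name} project={project} db={target.Server}/{target.Database}");
        using var conn = new SqlConnection(connectionString);
        conn.Open();
        using var cmd = new SqlCommand(migrationSql, conn);
        cmd.ExecuteNonQuery();
    }
}
```

In an ASP.NET Core application using IIS Windows authentication, `HttpContext.User` can be cast to `WindowsPrincipal` and passed in as `requester`. The design point is that the single gMSA's broad database rights are only ever exercised after two separate checks (group membership for the project, and the database being on that project's allow-list), and every decision is logged, which is what makes the third option defensible.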