From 184392ca644d839f1d7cf9213e5c6cba35079209 Mon Sep 17 00:00:00 2001 From: David Levy Date: Mon, 26 Jan 2026 10:59:42 -0600 Subject: [PATCH 1/2] docs: update README for documentation freshness - Fix discussion link typo (#293 -> #292) - Update 'Switches not available' section to reflect current state - Most switches now implemented (-e, -f, -g, -k, -t, -z, -Z, -r, -X) - Only -j and -p[1] remain unimplemented - Add missing authentication methods to :Connect documentation - ActiveDirectoryInteractive, ActiveDirectoryAzCli, ActiveDirectoryDeviceCode - Fix ActiveDirectoryIntegrated description (no longer falls back) - Document additional authentication methods: - ActiveDirectoryWorkloadIdentity - ActiveDirectoryClientAssertion - ActiveDirectoryAzurePipelines - ActiveDirectoryEnvironment - ActiveDirectoryAzureDeveloperCli - ActiveDirectoryServicePrincipalAccessToken - SqlPassword --- README.md | 35 +++++++++++++++++++++++++++++------ 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index e4a1e35d..88720ad6 100644 --- a/README.md +++ b/README.md @@ -160,16 +160,19 @@ The following switches have different behavior in this version of `sqlcmd` compa ### Switches not available in the new sqlcmd (go-sqlcmd) yet -There are a few switches yet to be implemented in the new `sqlcmd` (go-sqlcmd) compared -to the original ODBC based `sqlcmd`, discussion [#293](https://github.com/microsoft/go-sqlcmd/discussions/292) -lists these switches. Please provide feedback in the discussion on which -switches are most important to you to have implemented next in the new sqlcmd. +Most switches from the original ODBC-based `sqlcmd` have been implemented. The following switches are not yet available: +| Switch | Description | +|--------|-------------| +| `-j` | Print raw error messages | +| `-p[1]` | Print statistics (optional colon format) | + +For historical context and to provide feedback, see [discussion #292](https://github.com/microsoft/go-sqlcmd/discussions/292). ### Miscellaneous enhancements - Console output coloring (see below) -- `:Connect` now has an optional `-G` parameter to select one of the authentication methods for Azure SQL Database - `SqlAuthentication`, `ActiveDirectoryDefault`, `ActiveDirectoryIntegrated`, `ActiveDirectoryServicePrincipal`, `ActiveDirectoryManagedIdentity`, `ActiveDirectoryPassword`. If `-G` is not provided, either Integrated security or SQL Authentication will be used, dependent on the presence of a `-U` username parameter. +- `:Connect` now has an optional `-G` parameter to select one of the authentication methods for Azure SQL Database - `SqlAuthentication`, `ActiveDirectoryDefault`, `ActiveDirectoryIntegrated`, `ActiveDirectoryServicePrincipal`, `ActiveDirectoryManagedIdentity`, `ActiveDirectoryPassword`, `ActiveDirectoryInteractive`, `ActiveDirectoryAzCli`, `ActiveDirectoryDeviceCode`. If `-G` is not provided, either Integrated security or SQL Authentication will be used, dependent on the presence of a `-U` username parameter. - The new `--driver-logging-level` command line parameter allows you to see traces from the `go-mssqldb` client driver. Use `64` to see all traces. - Sqlcmd can now print results using a vertical format. Use the new `--vertical` command line option to set it. It's also controlled by the `SQLCMDFORMAT` scripting variable. @@ -217,7 +220,7 @@ To use AAD auth, you can use one of two command line switches: `ActiveDirectoryIntegrated` -This method is currently not implemented and will fall back to `ActiveDirectoryDefault`. +This method uses integrated Windows authentication. On Windows, it uses the current user's credentials. On Linux and macOS, it uses Kerberos authentication (requires a properly configured Kerberos environment). `ActiveDirectoryPassword` @@ -237,6 +240,26 @@ Use this method when running sqlcmd on an Azure VM that has either a system-assi This method authenticates the provided username as a service principal id and the password as the client secret for the service principal. Provide a username in the form `@`. Set `SQLCMDPASSWORD` variable to the client secret. If using a certificate instead of a client secret, set `AZURE_CLIENT_CERTIFICATE_PATH` environment variable to the path of the certificate file. +`ActiveDirectoryAzCli` + +This method uses the Azure CLI to obtain an access token. You must be logged in to Azure CLI (`az login`) before using this method. + +`ActiveDirectoryDeviceCode` + +This method uses the device code flow for authentication. It displays a code that you enter at https://microsoft.com/devicelogin to authenticate. + +#### Additional authentication methods + +The following authentication methods are also supported via `--authentication-method`: + +- `ActiveDirectoryWorkloadIdentity` - For workload identity federation scenarios +- `ActiveDirectoryClientAssertion` - For client assertion authentication +- `ActiveDirectoryAzurePipelines` - For Azure Pipelines service connections +- `ActiveDirectoryEnvironment` - Uses environment variables for authentication +- `ActiveDirectoryAzureDeveloperCli` - Uses Azure Developer CLI credentials +- `ActiveDirectoryServicePrincipalAccessToken` - Uses a pre-obtained access token +- `SqlPassword` - SQL Server authentication (same as using `-U` and `-P` without `-G`) + #### Environment variables for AAD auth Some settings for AAD auth do not have command line inputs, and some environment variables are consumed directly by the `azidentity` package used by `sqlcmd`. From 86073c598f263905a9581462e13111630ec81fae Mon Sep 17 00:00:00 2001 From: David Levy Date: Thu, 16 Apr 2026 14:17:26 -0500 Subject: [PATCH 2/2] docs: fix inaccurate ActiveDirectoryIntegrated description and improve auth docs - Revert ActiveDirectoryIntegrated to accurate fallback description (driver still falls back to DefaultAzureCredential per source comment) - Add -f (codepage) to unimplemented switches table - Replace generic auth method descriptions with driver-verified details including actual env var names and connection parameters --- README.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 07111ecf..4bb963be 100644 --- a/README.md +++ b/README.md @@ -166,6 +166,7 @@ Most switches from the original ODBC-based `sqlcmd` have been implemented. The f | Switch | Description | |--------|-------------| +| `-f` | Input/output code page | | `-j` | Print raw error messages | | `-p[1]` | Print statistics (optional colon format) | @@ -222,7 +223,7 @@ To use AAD auth, you can use one of two command line switches: `ActiveDirectoryIntegrated` -This method uses integrated Windows authentication. On Windows, it uses the current user's credentials. On Linux and macOS, it uses Kerberos authentication (requires a properly configured Kerberos environment). +This method is not fully implemented in the go-mssqldb driver and currently falls back to `ActiveDirectoryDefault`. `ActiveDirectoryPassword` @@ -254,13 +255,13 @@ This method uses the device code flow for authentication. It displays a code tha The following authentication methods are also supported via `--authentication-method`: -- `ActiveDirectoryWorkloadIdentity` - For workload identity federation scenarios -- `ActiveDirectoryClientAssertion` - For client assertion authentication -- `ActiveDirectoryAzurePipelines` - For Azure Pipelines service connections -- `ActiveDirectoryEnvironment` - Uses environment variables for authentication -- `ActiveDirectoryAzureDeveloperCli` - Uses Azure Developer CLI credentials -- `ActiveDirectoryServicePrincipalAccessToken` - Uses a pre-obtained access token -- `SqlPassword` - SQL Server authentication (same as using `-U` and `-P` without `-G`) +- `ActiveDirectoryWorkloadIdentity` - Uses federated token authentication for Kubernetes or GitHub Actions workloads; optionally provide `client_id@tenant_id` as username and `tokenfilepath` parameter (defaults to `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_FEDERATED_TOKEN_FILE` env vars) +- `ActiveDirectoryClientAssertion` - Authenticates with a signed JWT assertion instead of a client secret +- `ActiveDirectoryAzurePipelines` - Authenticates using an Azure Pipelines service connection; requires `client_id@tenant_id` as username, plus `serviceconnectionid` and `systemtoken` connection parameters (or `AZURESUBSCRIPTION_CLIENT_ID`, `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID`, `SYSTEM_ACCESSTOKEN` env vars) +- `ActiveDirectoryEnvironment` - Selects a credential type automatically based on which `AZURE_*` environment variables are set (client secret, certificate, or username/password) +- `ActiveDirectoryAzureDeveloperCli` - Uses credentials from `azd auth login` (Azure Developer CLI) +- `ActiveDirectoryServicePrincipalAccessToken` - Uses a pre-obtained bearer token; set `SQLCMDPASSWORD` to the access token value +- `SqlPassword` - SQL Server authentication (equivalent to `-U` and `-P` without `-G`) #### Environment variables for AAD auth