Issue creating master key for Azure SQL Pool - Permission error - sql-server

I'm trying to follow this tutorial but I'm having issues with granting CONTROL permission.
This is on a Dedicated SQL pool (formerly SQL DW) within Azure by following this tutorial.
I initially try CREATE MASTER KEY ENCRYPTION BY PASSWORD = '23987hxJ#KL95234nl0zBe'; which returns
User does not have permission to perform this action.
So I try to apply CONTROL permission to the user account:
GRANT CONTROL ON DATABASE::master TO useradmin
But this returns
Principal doesn't exist or doesn't have sufficient privileges.
I have search the web for a solution but I cant find one that has yet worked so any help or advice would be much appreciated!

To create MASTER key in azure SQL, follow below statement in Azure SQL data base.
CREATE MASTER KEY
GO
For more details refer this SO Thread by Alberto Morillo and also refer this Microsoft official document.
Updated:
I reproduced same thing in my environment its working fine .
sample code:
CREATE MASTER KEY ENCRYPTION BY PASSWORD='xxxx'
GO
CREATE DATABASE SCOPED CREDENTIAL [cred-name] WITH IDENTITY = 'User_name' , SECRET = 'xxxx'
GO

Related

Access multiple database in Azure SQL

I have created 2 azure security groups (Read-SQL and the second is Write-SQL) in order for them to login into multiple Azure SQL servers via SSMS using their Azure AD identity based on their group membership in order to access multiple databases on those services.
First of all I have configured an admin group on the SQL Server in our Azure tenant.
I have connected to the SQL via SSMS using my credentials and so far so good.
After that I opened a query and typed in master database
CREATE USER [SQL-READ] FROM external provider
ALTER ROLE db_datareader ADD MEMBER [SQL-READ];
(Did the same thing for Write-SQL)
only the user is created and no permission given with an error saying the user does not exist or I don't have permission.
I have Azure global administrator permission in Azure and I don't know why I get this error.
In the bottom line I would like that Read-SQL and Write-SQL will be able to login in to the SQL Server and have access to all databases within it as well as giving Read-SQL reading permissions and to Write-SQL writing permission.
I read a few Microsoft articles but I got even more confused since I don't know if I need to create a login or create a user or a contained user.
Please help
Thank you
Here are few screenshots for better understanding
enter image description here
enter image description here
Read the following articles but only partial success.
https://www.mssqltips.com/sqlservertip/6751/azure-ad-authentication-azure-sql-databases/
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?view=azuresql&tabs=azure-powershell#create-contained-users-mapped-to-azure-ad-identities
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-overview?view=azuresql
https://learn.microsoft.com/en-us/sql/relational-databases/security/contained-database-users-making-your-database-portable?view=sql-server-ver16
Whether you should create a login, user or contained user will depend on your access and security requirements. However, in Azure SQL Database, users are created per database. So, you can create the login in the master database and then you need to create the associated user in each database on that SQL Server.
This documentation gives more information on creating logins, users and contained users for Azure SQL Database.

Azure SQL Database not letting me create a Database Master Key

I created an Azure SQL Database AzureSQLTestDb in an Azure subscription. I can connect to this db using SSMS with my Azure SQL Admin login, as well as with my Azure AD account. I can run queries on it, as well. But following this article, from MS Azure team, when I try to create a Master key as follows, it gives me the error shown below. Question: What I may be missing here, and how can we resolve the issue?
Remarks: I know the above linked article mentions CONTROL permission required. But I am the one who created the db and the Azure SQL server.
-- Creates the master key.
-- The key is encrypted using the password "23987hxJ#KL95234nl0zBe".
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '23987hxJ#KL95234nl0zBe';
Error:
Msg 15247, Level 16, State 1, Line 3
User does not have control permission to perform this action.
It seems like the issue with the permissions.
As per this official document, you need CONTROL permission on the database to create the master key.
You can GRANT CONTROL permission using below command:
GRANT CONTROL ON DATABASE::<dtabase:name> TO <user_name>
If the user already have CONTROL permission, try the ALTER command to create a new database master key and reencrypts the keys below it in the encryption hierarchy.
ALTER MASTER KEY REGENERATE WITH ENCRYPTION BY PASSWORD = '23987hxJ#KL95234nl0zBe';

SQL Azure connection error with User Assigned Managed Identity 'Login failed for user'

I have a function app that is assigned a user assigned managed identity, and it uses that to connect to the SQL database. This was working fine for a few days, but then suddenly stopped working, without any changes to db or the function app.
Error: Login failed for user '<ClientId>#<TenantId>'.
ClientId: ClientId of the user assigned managed identity.
Tenant Id: The tenant this identity exists in.
I searched online, and found ways to look into a more detailed error in sys.event_log. As per this, I see that error is 18456, and state is 68. Unfortunately state 68 for error 18456 is not documented anywhere. (Official doc).
This is how I create a SqlConnection (and note that this was working before, and the same code is working elsewhere in the same exact setup):
SqlConnection connection = new SqlConnection("Server=tcp:myserver.database.windows.net,1433;Database=MyDb;");
connection.AccessToken = await new AzureServiceTokenProvider("RunAs=App;AppId=<ClientId>").GetAccessTokenAsync("https://database.windows.net/");
The user was created in db using:
CREATE USER [<Name of user assigned identity>] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [<Name of user assigned identity>];
ALTER ROLE db_datawriter ADD MEMBER [<Name of user assigned identity>];
Any pointers to where I can look into next?
Note:
Using Azure Function Runtime 2.0 (dotnet core)
Using Microsoft.Azure.Services.AppAuthentication 1.4.0 (latest stable).
Has the service the Managed Identity is tied to been deleted and recreated? If so the thumbprint in Azure AD has changed which is what SQL Server recognizes. Unfortunately this is probably one of the few downsides to Managed Identities with SQL Databases and as far as I am aware the only service that requires this. Try deleting and recreating the user and see if that works.
Going forward if doing CI/CD deployments it would be beneficial to have a simple SQL script to Drop and Recreate the user in the DB every time the Service connected to it is redeployed.
Such as:
BEGIN
DROP USER [MSI NAME]
CREATE USER [MSI NAME] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [MSI NAME];
ALTER ROLE db_datawriter ADD MEMBER [MSI NAME];
END
GO
I couldn't find the root cause, but I am posting what helped me get unblocked so that hopefully it will help others in future.
For some reason all form of authentication (except by the AAD admin of the server) were failing on this server. So not only the user assigned identity authentication failed (which is described in the question above), but also contained user auth failed. Removing the user assigned identity from db and re-adding didn't work:
DROP USER [<Name of user assigned identity>];
CREATE USER [<Name of user assigned identity>] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [<Name of user assigned identity>];
ALTER ROLE db_datawriter ADD MEMBER [<Name of user assigned identity>];
Similarly dropping the contained user and recreating didn't work either.
DROP USER [ContainedUser];
CREATE USER [ContainedUser] WITH PASSWORD='******';
ALTER ROLE db_owner ADD MEMBER [ContainedUser];
I also noticed that the secondary (i.e. replica) was working fine and auth was working against it. So basically I concluded something is wrong with my primary, not sure what exactly.
So I decided to recreate the database:
I did a failover to the secondary.
Remove the replication link, and then deleted the bad server. (just deleting the db and doing rest of the steps below wasn't enough, I did try)
Recreated the server.
Reconfigured replication so that the db got created on the new server as secondary.
Did another failover so that the newly created db becomes the primary.
All auth worked fine.
To leverage a user-assigned identity, you will need to provide an additional configuration. Please see connection string support for the AppAuthentication library.
When creating the SQL user, make sure to use the name of the user-assigned identity resource rather than the site name.
I recently got a very similar error, and I am only posting in the case someone in the future finds the issue.
The error i got: Microsoft.Data.SqlClient.SqlException (0x80131904): Login failed for user ''.
Which is not a very descriptive exception, because the actual cause was because I had misspelled the database name, when building the SQL connection. It makes sense if you think about it, as it could not find the database I was looking for, and as such could not connect with the managed identity user created as a external provider in it. Hence the '' after user in the exception.
When i changed the misspelled database name back to the actual database name, authentication was successful again.

How to create a master key on the master database?What are the roles required to GRANT to the login and user of the master db for the same?

I am trying to create a master key on a master database of my azure sql datawarehouse. But my user does not have required permissions to do so. What are the roles need to be assigned/granted to the user or login of the azure sql datawarehouse? I was able to grant control permission using GUI of SSMS to the user of sql server instance on-prem. And also I was able to create a master key with the help of that role on master database of that sql server.The Scripts I used for that are:
CREATE LOGIN LoaderRC20 WITH PASSWORD = 'a123STRONGpassword!';
CREATE USER LoaderRC20 FOR LOGIN LoaderRC20;
ALTER ROLE dbmanager ADD MEMBER [LoaderRC20];
ALTER ROLE loginmanager ADD MEMBER [LoaderRC20];
ALTER ROLE db_owner ADD MEMBER [LoaderRC20];
GRANT CONTROL ON DATABASE::[master] to LoaderRC20;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '23987hxJ#KL95234nl0zBe';
But there's no direct provision to provide such access to the user on azure sql warehouse using GUI of SSMS.The scripts that I used for on-prem sql server instance are not working for azure sql datawarehouse.The GRANT CONTROL ON DATABASE::[master] to LoaderRC20; threw an error that cannot grant,deny or revoke permissions to yourself,sa,dbo,sys,etc. Is there any script to give permissions to azure sql datawarehouse's user of master db so that I am able to create a master key on it?If yes, then what are those scripts and their sequence?I have really tried hard to find answers to these questions. Please help me to find the answers
Dbmanager is intended for creating databases and loginmanager to manage logins.
To create a master key (CREATE MASTER KEY) in Azure SQL just run the following statements on the user Azure SQL Database context not on the master database. If you try to create the master key on the master database you may run into error "Msg 15247". On the context of any user database you can try:
CREATE MASTER KEY
GO
or
CREATE MASTER KEY ENCRYPTION BY PASSWORD='MyPassw0rdIsComplex.'
GO

AWS_ROLE credentials are not allowed for this account

I am getting the below message:
AWS_ROLE credentials are not allowed for this account.
I am trying to execute the below command to create a stage and the execute a book from my files in S3 to a table into my data warehouse.
use schema mydb.[myschema];
create stage mystage
url='s3://my-bucket'
credentials = (aws_role = 'arn:aws:iam::[]:role/myrole')
encryption=(type='AWS_SSE_KMS' kms_key_id = 'aws/key');
Based on the information in the comments I would recommend these changes that by good practice can be done from the suggest:
GRANT CREATE STATE ON WAREHOUSE <your_warehouse> TO ROLE aws_test;
This is based on the IAM role setup here
Let me know if that helps?
The option 2 is not allowed when the snowflake root account is created in Azure. This answer came to me through the Snowflake support. I then requested them to update the documentation and for me I am using the user and secret key for a while. https://docs.snowflake.net/manuals/user-guide/data-load-s3-config.html

Resources