I have stored SQL server credentials(like username, password) in the secrets of azure keyvault.
For this, I have created keyvault connector(Get secrets) and SQL server connector(Execute query).
But as per requirement I need to add the dynamic SQL server connector who will fetch the SQL server credentials from secrets and try to login.
So is there any way to make SQL server connector dynamic.
No, this is not possible. Azure stores the service (in this case a SQL database) credentials and connection information in an API Connection resource and this is currently the only way that these actions can work.
As an alternative, you could use Azure Functions to connect to the database, which have many of the same triggering patterns available and allow you to write any code you need (within reason) to acquire secrets through whatever mechanism is most suitable.
Related
So, we have made a web application login protocol via which users can query a database on Azure SQL Server with sensitive data. Now partner-organizations want to use the same app to query their own databases on their own Azure SQL Server.
Is there a way where we can ensure that as admin + host of the web application we don't have access to their sensitive data, while we are able to send user from the correct Identity Provider through.
Until so far I found the OAuth 2.0 Token Introspection, specifically this implementation: https://wiki.surfnet.nl/pages/viewpage.action?pageId=23794471. Is there a way to implement this within Azure around the Azure SQL Server (if needed via a very simple API)?
Azure built-in reader role:
View all resources, but does not allow you to make any changes.
EDIT: If the problem is security you need to solve it through security countermeasure like Always Encrypted:
This provides a separation between those who own the data and can view
it, and those who manage the data but should have no access -
on-premises database administrators, cloud database operators, or
other high-privileged unauthorized users.
I want to deploy my web application including a SQL Server 2008 database from my local machine to my hoster.
So far I used the Windows authentication, is it necessary to switch to username and password when I want to make my application public on the internet?
And if that's the case, what's the best practice to hide that information if they are saved as strings in the web.config?
Side note: I use Linq to Entities as Object Mapper and within the code I use
HttpContext.Current.User to authenticate the user
If you are not using shared hosting, then you can keep using windows authentication which is more secure than having SQL server user.
You should also disable remote connections so that no one can directly access SQL server to make it more secure.
For encrypting connection string check this site.
The Oracle Wallet Manager allows admins to store and manage database login credentials securely by wrapping the them in a password-protected container. I have used this in the past to run VBScripts that update tables in an Oracle database, without prompting the user for a password or storing the password in cleartext in the script itself.
Now, I have written some Powershell scripts that update a SQL Server database, but I have had to store the passwords in cleartext in the scripts.
I was wondering if there was an equivalent to the Oracle Wallet feature in SQL Server? Or would I have to store passwords in a text file and encrypt it using Powershell's ConvertFrom-SecureString? I'm looking for a secure and flexible solution.
The easy way for one-off scripts, accessing specific databases, is to use scheduled tasks. You set them to run as a specific account which has the appropriate permissions, then you don't have to worry about SQL Logins or passwords.
If you want something similar to Oracle's Wallet manager, then you should look at Credentials, and Proxies in MS SQL server.
See: Security Questions: Logins Credentials and Proxies
The Credential allows you to store and manage Login information.
A proxy is used by SQL Server Agent to map credentials to SQL Server Agent subsystems (i.e. PowerShell or SSIS).
Here is a link to a detailed guide on creating Credentials and Proxies and: Run Operating System Commands in SQL Agent using PowerShell
Is there any way to use SQL Server Auditing when the primary database interaction is from a website without impersonation?
All database actions come from a web application whose connection string uses a single logon / password. In the website, user authentication / creation comes from the membership provider, but is not passed through to the SQL Server. I would like to audit which website user performed which action on the SQL Server using the built-in audit mechanism.
Our custom SharePoint site uses a standard connection string (in web.config) to a remote sql server using a sql server authentication. I need to know if it is possible to change this connection to use a SharePoint service account instead of a sql server account. If so, how do specify the service account in the connection string and how do you create a login and user for an sp service account when that user does not exist on the sql server machine and nor is it available on Active Directory.
Update:
I think I need to use integrated security in the connection string and run db calls within SPSecurity.RunWithElevatedPrivileges block. If i use this as a delegate, what sp account will the code be executed under and how do i assign a sql server login to a sharepoint account on a remote machine. Any links to sample code or articles explaining this process would be helpful.
Thanks.
From the SQL Server side, you should create a domain account for Sharepoint in AD. Then you log in to SQL Server via Management Studio (SQL2005 or later), on the left hand side click on security tab, and add a new login - you'll enter the domain Sharepoint service account, and give it the relevant permissions to the databases it needs to access.
For the Sharepoint side, you probably can edit web.config but there must be a Sharepoint admin tool to take care of this properly.