SQL Azure cross DB Query Privileges - sql-server

I'm currently working through an example on cross database queries on SQL Azure. http://www.c-sharpcorner.com/article/cross-database-queries-in-azure-sql/
I'm currently working on the following section -
CREATE EXTERNAL DATA SOURCE RefmyDemoDB2
WITH
(
TYPE=RDBMS,
LOCATION='your server name',
DATABASE_NAME='myDemoDB2',
CREDENTIAL= your “Server admin login”
);
I'm getting the following error The specified credential cannot be found or the user does not have permission to perform this action.
I have the correct LOCATION and DATABASE_NAME however the CREDENTIAL seems wrong. I am using the Server-Admin account that is displayed in the overview of the database server on Azure, I also use this role to log into management studio and can query both databases ok.
Can anyone please advise?

Try this, Creating new Credentials
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'STrongPA5swor$';
CREATE DATABASE SCOPED CREDENTIAL MyLogin
WITH IDENTITY = 'MyLogin',
SECRET = 'STrongPA5swor$';
CREATE EXTERNAL DATA SOURCE PHPSTGRemoteReferenceData
WITH
(
TYPE=RDBMS,
LOCATION='servername',
DATABASE_NAME='DBName',
CREDENTIAL= MyLogin
);
This works for me

Related

Database-to-Database queries using Managed Identity between Azure SQL Databases

I'm currently trying to answer a problem that can only be answered by combining the datasets of two different Azure SQL databases (different servers, if that matters).
When using user+password authentication, there was a way to do cross-database queries like this (Azure SQL Database Elastic Queries):
CREATE DATABASE SCOPED CREDENTIAL RemoteCredential WITH
IDENTITY = '<remote database user name>',
SECRET = '<remote database user password>'
CREATE EXTERNAL DATA SOURCE RemoteDatabase WITH (
Location = '<database server URL>',
DATABASE_NAME = '<database name>',
CREDENTIAL = RemoteCredential,
TYPE = RDBMS
)
CREATE EXTERNAL TABLE [dbo].[RemoteTable] (
<Remote table definition>
)
SELECT TOP(1) * FROM [RemoteTable]
That worked very well before but we have since migrated to using only managed-identity logins, and user + password authentication is no longer an option.
I've found below snipped to change the credential for managed identity in the context of accessing Azure Storage Accounts here:
CREATE DATABASE SCOPED CREDENTIAL RemoteCredential
WITH IDENTITY = 'Managed Identity'
But this results in the following error message:
Msg 33047, Level 16, State 5, Line 47
Fail to obtain or decrypt secret for credential 'RemoteCredential'.
I've also tried to provide my personal username or the source database server's name, but with the same result.
Some more details:
Both database servers are part of the same tenant and subscription
I've enabled system-assigned identity on the source database server that I am querying.
I've also created an external source user in the target database for the use with managed identity and granted it the required roles.
My user has the required permissions on both databases.
Access with managed identity from my Management Studio works fine for both databases.
The final solution would have to work with Azure SQL databases in Azure China, but I would be grateful for a solution in Azure Global as well.
My current assumption is that managed identity authentication towards other Azure SQL databases from within a SQL query is not yet supported. But maybe someone else has found a way to make this work.
Have you tried Azure SQL Database elastic query.
Is buggy and slow and it's in preview since 2 years now, but it's the closest thing I could find.

Why is my Azure SQL Elastic Query CREATE DATABASE SCOPED CREDENTIAL failing on "WITH Identity"?

I am trying to create an external table to be able to elastic query across databases on my Azure SQL server. I am following the steps outlined in:
https://learn.microsoft.com/en-us/azure/azure-sql/database/elastic-query-getting-started-vertical and https://www.mssqltips.com/sqlservertip/6445/azure-sql-cross-database-query/.
After creating the master key
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<master_key_password>';
I then try to create the Database Scoped Credential that I am going to use to access the server for the external database.
CREATE DATABASE SCOPED CREDENTIAL = ElasticDBQueryCred
WITH IDENTITY = '<username I use to login to server>',
SECRET = '<password I use to login to server>';
The error then pops up on IDENTITY that says
Incorrect syntax near 'IDENTITY'. Expecting CREATEDBOPT_BACKUPSTORAGEREDUNDANCY, CREATEDBOPT_CATALOGCOLLATION, CREATEDBOPT_FILESTREAM, CREATEDBOPT_LOGAPPLY, CREATEDBOPT_OTHER, or CREATEDBOPT_PERSISTENT_LOG_BUFFER
There is nothing in the documentation about this.

Cannot find the CREDENTIAL because it does not exist or you do not have permission- Azure SQL Server

I've a Azure SQL database where I'm trying to create an external data source to load CSV data to database from a blob storage.
I've created a database scoped credential using the following query.
CREATE DATABASE SCOPED CREDENTIAL [https://forecaststorage01.blob.core.windows.net]
WITH IDENTITY = 'SHARED ACCESS KEY',
SECRET = 'SAS Token';
Then created an external data source,
CREATE EXTERNAL DATA SOURCE [demodata]
WITH (
TYPE = BLOB_STORAGE,
LOCATION = 'https://forecaststorage01.blob.core.windows.net',
CREDENTIAL = [https://forecaststorage01.blob.core.windows.net]
);
When I try to run the following query,
SET NOCOUNT ON;
BULK INSERT input.RawData
FROM 'csv-data/egypt_sales_data.csv'
WITH (DATA_SOURCE = 'demodata',
FORMAT = 'CSV');
It says
"Failed to execute query. Error: Cannot find the CREDENTIAL 'https://forecaststorage01.blob.core.windows.net' because it does not exist or you do not have permission.'
Then I've granted access to database scoped credential to the user 'dbo' using the following query,
GRANT CONTROL ON DATABASE SCOPED CREDENTIAL::[https://forecaststorage01.blob.core.windows.net] TO [dbo]
Then I tried to bulk insert again. But it still shows the error,
"Failed to execute query. Error: Cannot find the CREDENTIAL 'https://forecaststorage01.blob.core.windows.net', because it does not exist or you do not have permission.
"
Why I cannot access the database scoped credentials?
If you try to run the first statement on Azure SQL you should get an error:
'CREATE CREDENTIAL' is not supported in this version of SQL Server.
You have to use the CREATE DATABASE SCOPED CREDENTIAL command. And also the IDENTITY value must be SHARED ACCESS SIGNATURE not "key":
CREATE DATABASE SCOPED CREDENTIAL [https://forecaststorage01.blob.core.windows.net]
WITH IDENTITY = 'SHARED ACCESS SIGNATURE',
SECRET = 'SAS Token';
That should fix your issue

Add user in SQL Server Management Studio 2017

I try (for the first time) to create a user account on my SQL Azure database.
I have read in some blogs that I have to create these command lines
CREATE LOGIN login_name WITH PASSWORD = 'strong_password';
CREATE USER 'user_name' FOR LOGIN 'login_name';
And then
USE [Database];
GO
GRANT CONNECT TO login_name;
But, when I try to connect with this new account on my database, I have the message error 916
The server principal "login_name is not able to access the database "master" under the current security context.
I don't understand because the don't create my new user for the master but for a specific database in my SQL Azure environment (I have 5 databases in my SQL Azure by the way)
If you have any idea to help me, thanks in advance
When first logging in, unless a database is specified in the connection string, a login connects to its default database. If the database is not specified in the CREATE LOGIN statement, the system default of master is used.
To fix this, use this for your CREATE LOGIN:
CREATE LOGIN login_name WITH PASSWORD = 'strong_password',
DEFAULT_DATABASE = MyDatabase;

Permissions issue trying to create an external data source on Azure SQL Database

Please bear with me as I am trying to learn Azure. I have in my resource group a SQL Server database, and a blob storage account with a container. I am the owner of these resources.
I am trying to create an external data source on my SQL database to link to my blob storage account, but I am running into a permissions issue that I cannot seem to resolve. Running the query:
CREATE EXTERNAL DATA SOURCE MyAzureBlobStorage
WITH (
TYPE = BLOB_STORAGE,
LOCATION = 'https://[redacted].blob.core.windows.net/'
);
Returns this error message:
Msg 15247, Level 16, State 1, Line 1
User does not have permission to perform this action.
My Google-fu seems to be betraying me, as I can't seem to find any references to this issue. Am I missing something basic? I'm browsing through my Azure Dashboard but I can't find any obvious way to manage specific database permissions, although I would have assumed that given that I am the owner, I had maximum possible permissions?
Please provide the credential as shown below:
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'some strong password';
CREATE DATABASE SCOPED CREDENTIAL MyAzureBlobStorageCredential
WITH IDENTITY = 'SHARED ACCESS SIGNATURE',
SECRET = 'sv=2015-12-11&ss=b&srt=sco&sp=rwac&se=2017-02-01T00:55:34Z&st=2016-12-29T16:55:34Z&spr=https&sig=copyFromAzurePortal';
CREATE EXTERNAL DATA SOURCE MyAzureBlobStorage
WITH ( TYPE = BLOB_STORAGE,
LOCATION = 'https://myazureblobstorage.blob.core.windows.net',
CREDENTIAL= MyAzureBlobStorageCredential);
I was having the same error when trying to create an EXTERNAL DATA SOURCE. What worked for me was add the grant CONTROL for the database user:
GRANT CONTROL to your_db_user

Resources