Forum Discussion
EXECUTE AS in Azure SQL Managed Instance
Hi, folks.
I have a requirement to leverage EXECUTE AS on the definition of a stored procedure in one database that within its definition SELECTs data from a second database.
Microsoft's documentation outlines two methods for achieving this (at least two that I've found):
- Changing the TRUSTWORTHY property (the least desirable outcome); or
- Leveraging certificates (preferred approach.)
Reference article:
If I cherry-pick the following picture from the reference article, then where I'm struggling - specifically in the SQL Managed Instance (SQL MI) context - is with getting the certificate (shown as C1 in the picture) into both databases.
The method I used to create the certificate is as per Example A from the following article.
What I am struggling with is my inability to find a way for exporting-importing/transferring the certificate from one database to the other (just the public key) because all the literature I've found - excluding one article I'll come to in a moment - refers to exporting to and from a file, which you cannot do in SQL MI.
Here's example documentation for "normal" SQL outlining the dependencies on FROM FILE:
The exception I mentioned is included below. Essentially, what it suggests is creating the certificate outside of SQL MI and then importing it using the FROM BINARY parameters with CREATE CERTIFICATE.
I guess it's not a horrible suggestion, but as a support process I'd have to document and hand over, I want to be sure this is the only way to get one certificate into two Azure SQL MI databases before going down this path.
What I'm really hoping to hear is that this article's out-of-date and that there's a simpler way of achieving the requirement for enabling cross-database EXECUTE AS stored procedure scenarios.
As an aside, SETUSER is not an alternative I'm interested in.
Any suggestions are most welcome! I really want to avoid leveraging the TRUSTWORTHY property if I can.
Cheers,
Lain
Some "last ditch effort" searching to the rescue.
Turns out browsing the crypto functions saved the day - specifically, the CERTENCODED() function:
- Cryptographic Functions (Transact-SQL) - SQL Server | Microsoft Docs
- CERTENCODED (Transact-SQL) - SQL Server | Microsoft Docs
This solution is the kind of "simpler way" I had in mind, I just couldn't find it with my clumsy keyword searches.
I'll mark this as resolved as I'm not expecting any further issues now that the certificate has been copied across, but should anything odd come up with respect to the overall requirement, I'll re-open it with any new specifics.
Cheers,
Lain
- LainRobertsonSilver Contributor
Some "last ditch effort" searching to the rescue.
Turns out browsing the crypto functions saved the day - specifically, the CERTENCODED() function:
- Cryptographic Functions (Transact-SQL) - SQL Server | Microsoft Docs
- CERTENCODED (Transact-SQL) - SQL Server | Microsoft Docs
This solution is the kind of "simpler way" I had in mind, I just couldn't find it with my clumsy keyword searches.
I'll mark this as resolved as I'm not expecting any further issues now that the certificate has been copied across, but should anything odd come up with respect to the overall requirement, I'll re-open it with any new specifics.
Cheers,
Lain