Forum Discussion

LainRobertson's avatar
LainRobertson
Silver Contributor
Sep 14, 2022

EXECUTE AS in Azure SQL Managed Instance

Hi, folks.

 

I have a requirement to leverage EXECUTE AS on the definition of a stored procedure in one database that within its definition SELECTs data from a second database.

 

Microsoft's documentation outlines two methods for achieving this (at least two that I've found):

 

  • Changing the TRUSTWORTHY property (the least desirable outcome); or
  • Leveraging certificates (preferred approach.)

 

Reference article:

 

 

If I cherry-pick the following picture from the reference article, then where I'm struggling - specifically in the SQL Managed Instance (SQL MI) context - is with getting the certificate (shown as C1 in the picture) into both databases.

 

 

 

The method I used to create the certificate is as per Example A from the following article.

 

 

What I am struggling with is my inability to find a way for exporting-importing/transferring the certificate from one database to the other (just the public key) because all the literature I've found - excluding one article I'll come to in a moment - refers to exporting to and from a file, which you cannot do in SQL MI.

 

Here's example documentation for "normal" SQL outlining the dependencies on FROM FILE:

 

 

The exception I mentioned is included below. Essentially, what it suggests is creating the certificate outside of SQL MI and then importing it using the FROM BINARY parameters with CREATE CERTIFICATE.

 

 

I guess it's not a horrible suggestion, but as a support process I'd have to document and hand over, I want to be sure this is the only way to get one certificate into two Azure SQL MI databases before going down this path.

 

What I'm really hoping to hear is that this article's out-of-date and that there's a simpler way of achieving the requirement for enabling cross-database EXECUTE AS stored procedure scenarios.

 

As an aside, SETUSER is not an alternative I'm interested in.

 

 

Any suggestions are most welcome! I really want to avoid leveraging the TRUSTWORTHY property if I can.

 

Cheers,

Lain

Resources