Editja

Ixxerja permezz ta’

CREATE DATABASE SCOPED CREDENTIAL (Transact-SQL)

Applies to: SQL Server Azure SQL Database Azure SQL Managed Instance Azure Synapse Analytics Analytics Platform System (PDW) SQL database in Microsoft Fabric

Creates a database credential. A database credential isn't mapped to a server login or database user. The database uses the credential to access the external resource, when it performs an operation that requires access.

Transact-SQL syntax conventions

Syntax

CREATE DATABASE SCOPED CREDENTIAL credential_name
WITH IDENTITY = 'identity_name'
    [ , SECRET = 'secret' ]
[ ; ]

Arguments

credential_name

Specifies the name of the database scoped credential being created. credential_name can't start with the number (#) sign. System credentials start with ##. The maximum length of credential_name is 128 characters.

IDENTITY = 'identity_name'

Specifies the name of the account to use when connecting outside the server.

  • To import a file from Azure Blob Storage or Azure Data Lake Storage using a shared key, the identity name must be SHARED ACCESS SIGNATURE. For more information about shared access signatures, see Using Shared Access Signatures (SAS). Only use IDENTITY = SHARED ACCESS SIGNATURE for a shared access signature.

  • To import a file from Azure Blob Storage using a managed identity, the identity name must be MANAGED IDENTITY.

  • When using Kerberos (Windows Active Directory or MIT KDC), don't use the domain name in the IDENTITY argument. It should just be the account name.

  • In a SQL Server instance, if you create a database scoped credential with a Storage Access Key used as the SECRET, IDENTITY is ignored.

  • WITH IDENTITY isn't required if the container in Azure Blob storage is enabled for anonymous access. For an example querying Azure Blob storage with OPENROWSET BULK, see Import into a table from a file stored on Azure Blob storage.

  • In SQL Server 2022 (16.x) and later versions, the REST-API connector replaces HADOOP. For Azure Blob Storage and Azure Data Lake Gen 2, the only supported authentication method is shared access signature. For more information, see CREATE EXTERNAL DATA SOURCE.

  • In SQL Server 2019 (15.x), the only PolyBase external data source that supports Kerberos authentication is Hadoop. All other external data sources (SQL Server, Oracle, Teradata, MongoDB, generic ODBC) only support Basic Authentication.

  • SQL pools in Azure Synapse Analytics include the following notes:

    • To load data into Azure Synapse Analytics, you can use any valid value for IDENTITY.
    • In an Azure Synapse Analytics serverless SQL pool, database scoped credentials can specify a workspace managed identity, service principal name, or shared access signature (SAS) token. Access via a user identity, enabled by User sign-in with Microsoft Entra pass-through authentication, is also possible with a database scoped credential, as is anonymous access to publicly available storage. For more information, see Supported storage authorization types.
    • In an Azure Synapse Analytics dedicated SQL pool, database scoped credentials can specify shared access signature (SAS) token, custom application identity, workspace managed identity, or storage access key.
Authentication T-SQL Supported Notes
Shared Access Signature (SAS) CREATE DATABASE SCOPED CREDENTIAL <credential_name> WITH IDENTITY = 'SHARED ACCESS SIGNATURE', SECRET = 'secret'; SQL Server 2022 and later, Azure SQL Managed Instance, Azure Synapse Analytics, Azure SQL Database
Managed Identity CREATE DATABASE SCOPED CREDENTIAL <credential_name> WITH IDENTITY = 'MANAGED IDENTITY'; Azure SQL Database, Azure SQL Managed Instance, SQL Server 2025 with Azure Arc To enable Azure Arc, see Managed identity for SQL Server enabled by Azure Arc
Microsoft Entra pass-through authentication via User Identity CREATE DATABASE SCOPED CREDENTIAL <credential_name> WITH IDENTITY = 'USER IDENTITY'; Azure SQL Database, SQL database in Microsoft Fabric 1 In Azure Synapse, see User sign-in with Microsoft Entra pass-through authentication
S3 Access Key Basic authentication CREATE DATABASE SCOPED CREDENTIAL <credential_name> WITH IDENTITY = 'S3 ACCESS KEY', SECRET = '<accesskey>:<secretkey>'; SQL Server 2022 and later versions
ODBC Data sources or Kerberos (MIT KDC) CREATE DATABASE SCOPED CREDENTIAL <credential_name> WITH IDENTITY = '<identity_name>', SECRET = '<secret>'; SQL Server 2019 and later versions

1 In SQL database in Microsoft Fabric, if you don't specify a database-scoped credential, the authentication method defaults to 'USER IDENTITY' and uses the Microsoft Entra ID user account as context.

SECRET = 'secret'

Specifies the secret required for outgoing authentication. SECRET is required to import a file from Azure Blob storage. To load from Azure Blob storage into Azure Synapse Analytics or Parallel Data Warehouse, the Secret must be the Azure Storage Key.

Warning

The SAS key value might begin with a question mark (?). When you use the SAS key, remove the leading ?.

Remarks

A database scoped credential is a record that contains the authentication information that is required to connect to a resource outside SQL Server. Most credentials include a Windows user and password.

To protect the sensitive information inside the database scoped credential, a database master key (DMK) is required. The DMK is a symmetric key that encrypts the secret in the database scoped credential. The database must have a DMK before you can create any database scoped credentials. Encrypt the DMK with a strong password. Azure SQL Database creates a DMK with a strong, randomly selected password as part of creating the database scoped credential, or as part of creating a server audit.

Users can't create the DMK on a logical master database. The DMK password is unknown to Microsoft and not discoverable after creation. Create a DMK before creating a database scoped credential. For more information, see CREATE MASTER KEY.

When IDENTITY is a Windows user, the secret can be the password. The secret is encrypted with the service master key (SMK). If you regenerate the SMK, the secret is re-encrypted with the new SMK.

When granting permissions for a shared access signature (SAS) for use with a PolyBase external table, select both Container and Object as allowed resource types. If you don't grant these permissions, you might receive error 16535 or 16561 when attempting to access the external table.

For information about database scoped credentials, see the sys.database_scoped_credentials catalog view.

Here are some applications of database scoped credentials:

Permissions

Requires CONTROL permission on the database.

Examples

A. Create a database scoped credential for your application

The following example creates the database scoped credential called AppCred. The database scoped credential contains the Windows user Mary5 and a password.

Create a DMK if one doesn't already exist. Do not use a blank password. Use a strong password.

CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<password>';

Create a database scoped credential:

CREATE DATABASE SCOPED CREDENTIAL AppCred
WITH IDENTITY = 'Mary5',
     SECRET = '<password>';

B. Create a database scoped credential for a shared access signature

The following example creates a database scoped credential that you can use to create an external data source. This credential can do bulk operations, such as BULK INSERT and OPENROWSET BULK.

Create a DMK if one doesn't already exist. Do not use a blank password. Use a strong password.

CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<password>';

Create a database scoped credential. Replace <key> with the appropriate value.

CREATE DATABASE SCOPED CREDENTIAL MyCredentials
WITH IDENTITY = 'SHARED ACCESS SIGNATURE',
     SECRET = '<key>';

C. Create a database scoped credential for PolyBase Connectivity to Azure Data Lake Store

The following example creates a database scoped credential that can be used to create an external data source, which can be used by PolyBase in Azure Synapse Analytics.

Azure Data Lake Store uses a Microsoft Entra application for service-to-service authentication.

Create a Microsoft Entra application and document your client_id, OAuth_2.0_Token_EndPoint, and Key before you try to create a database scoped credential.

Create a DMK if one doesn't already exist. Do not use a blank password. Use a strong password.

CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<password>';

Create a database scoped credential. Replace <key> with the appropriate value.

CREATE DATABASE SCOPED CREDENTIAL ADL_User
WITH IDENTITY = '<client_id>@<OAuth_2.0_Token_EndPoint>',
     SECRET = '<key>';

D. Create a database scoped credential using Managed Identity

Applies to: SQL Server 2025 (17.x) and later versions

SQL Server 2025 (17.x) introduces support for Microsoft Entra managed identities. For information on how to use a managed identity with SQL Server enabled by Azure Arc, see Managed identity for SQL Server enabled by Azure Arc.

EXECUTE sp_configure 'allow server scoped db credentials', 1;
RECONFIGURE;
GO

CREATE DATABASE SCOPED CREDENTIAL [managed_id]
WITH IDENTITY = 'Managed Identity';

E. Create a database scoped credential using Microsoft Entra ID

Applies to: Azure SQL Database, SQL database in Microsoft Fabric

In Azure SQL Database and SQL database in Microsoft Fabric, you can use your own Microsoft Entra ID account to authenticate an external data source.

In SQL database in Microsoft Fabric, if you don't specify a database-scoped credential, the authentication method defaults to USER IDENTITY and uses the Entra ID user account as context.

CREATE DATABASE SCOPED CREDENTIAL MyCredential
WITH IDENTITY = 'User Identity';

Related content

  • Last updated on