PolyBase in SQL Data Warehouse : How to provide azure_storage_account_key as KEYURI in Database Scope Credential Creation

Question

I am loading the data from Azure Blob storage container to SQL DW table through polybase. In The creation of Database scope credential I had to explicitly specify the azure storage key which I feel not secure. How I can replace it with a Key-URI like below. Can we achieve this through key-vault implementation. I am trying to implement a stored procedure with poly-base script by passing keyURI as input parameter for Database scope credential creation.

- Actual Syntax:

CREATE DATABASE SCOPED CREDENTIAL AzureStorageCredential
WITH
    IDENTITY = 'user',
    SECRET = 'azure_storage_account_key'
;

--Can we specify as below?

CREATE DATABASE SCOPED CREDENTIAL AzureStorageCredential
WITH
    IDENTITY = 'user',
    SECRET = 'KEY-URI'
;

score 2 · Answer 1 · answered Jan 26 '17 at 12:14

You could use a Shared Access Signature as per here which would give you greater control over, eg you could set a time-limit on it.

For me, creating scoped credentials is an admin task which you only need to do once per server, so I probably wouldn't automate it. It's then as secure as your source-code control process. You could use secondary keys and cycle them for example.

PolyBase in SQL Data Warehouse : How to provide azure_storage_account_key as KEYURI in Database Scope Credential Creation

1 Answers1