CREATE DATABASE SCOPED CREDENTIAL (Transact-SQL)

**APPLIES TO:** ![yes](media/yes.png)SQL Server (starting with 2008) ![yes](media/yes.png)Azure SQL Database ![yes](media/yes.png)Azure SQL Data Warehouse ![yes](media/yes.png)Parallel Data Warehouse

Creates a database credential. A database credential is not mapped to a server login or database user. The credential is used by the database to access to the external location anytime the database is performing an operation that requires access.

Topic link icon Transact-SQL Syntax Conventions

Syntax

 
CREATE DATABASE SCOPED CREDENTIAL credential_name   
WITH IDENTITY = 'identity_name'  
    [ , SECRET = 'secret' ]  
  

Arguments

credential_name
Specifies the name of the database scoped credential being created. credential_name cannot start with the number (#) sign. System credentials start with ##.

IDENTITY =’_identity_name_
Specifies the name of the account to be used when connecting outside the server. To import a file from Azure Blob storage using share key, the identity name must be SHARED ACCESS SIGNATURE. To load data into SQL DW, any valid value can be used for identity. For more information about shared access signatures, see Using Shared Access Signatures (SAS).

SECRET =’_secret_**‘**
Specifies the secret required for outgoing authentication. SECRET is required to import a file from Azure Blob storage. To load from Azure Blob storage into SQL DW or Parallel Data Warehouse, the Secret must be the Azure Storage Key.
> [!WARNING] > The SAS key value might begin with a’?’ (question mark). When you use the SAS key, you must remove the leading ‘?’. Otherwise your efforts might be blocked.

Remarks

A database scoped credential is a record that contains the authentication information that is required to connect to a resource outside SQL Server Most credentials include a Windows user and password.

Before creating a database scoped credential, the database must have a master key to protect the credential. For more information, see CREATE MASTER KEY (Transact-SQL).

When IDENTITY is a Windows user, the secret can be the password. The secret is encrypted using the service master key. If the service master key is regenerated, the secret is re-encrypted using the new service master key.

Information about database scoped credentials is visible in the sys.database_scoped_credentials catalog view.

Hereare some applications of database scoped credentials:

Permissions

Requires CONTROL permission on the database.

Examples

A. Creating a database scoped credential for your application.

The following example creates the database scoped credential called AppCred. The database scoped credential contains the Windows user Mary5 and a password.

-- Create a db master key if one does not already exist, using your own password.  
CREATE MASTER KEY ENCRYPTION BY PASSWORD='<EnterStrongPasswordHere>';  
  
-- Create a database scoped credential.  
CREATE DATABASE SCOPED CREDENTIAL AppCred WITH IDENTITY = 'Mary5',   
    SECRET = '<EnterStrongPasswordHere>';  
GO  

B. Creating a database scoped credential for a shared access signature.

The following example creates a database scoped credential that can be used to create an external data source, which can do bulk operations, such as BULK INSERT and OPENROWSET. Shared Access Signatures cannot be used with PolyBase in SQL Server, APS or SQL DW.

CREATE DATABASE SCOPED CREDENTIAL MyCredentials  
WITH IDENTITY = 'SHARED ACCESS SIGNATURE',
SECRET = 'QLYMgmSXMklt%2FI1U6DcVrQixnlU5Sgbtk1qDRakUBGs%3D';

C. Creating a database scoped credential for PolyBase Connectivity to Azure Data Lake Store.

The following example creates a database scoped credential that can be used to create an external data source, which can be used by PolyBase in Azure SQL Data Warehouse.

Azure Data Lake Store uses an Azure Active Directory Application for Service to Service Authentication. Please create an AAD application and document your client_id, OAuth_2.0_Token_EndPoint, and Key before you try to create a database scoped credential.

CREATE DATABASE SCOPED CREDENTIAL ADL_User
WITH
    IDENTITY = '<client_id>@\<OAuth_2.0_Token_EndPoint>'
    SECRET = '<key>'
;

More information

Credentials (Database Engine)
ALTER DATABASE SCOPED CREDENTIAL (Transact-SQL)
DROP DATABASE SCOPED CREDENTIAL (Transact-SQL)
sys.database_scoped_credentials
CREATE CREDENTIAL (Transact-SQL)
sys.credentials (Transact-SQL)