HCP Boundary Vault Credential Brokering for MSSQL Server Connection in Azure via SSMS / Azure Data Studio

Avatar
Abhineet Khanwalkar
  • Updated

Subject:

HashiCorp Cloud Platform (HCP) Boundary Vault credential brokering to establish a connection to Microsoft SQL Server in Azure using SQL Server Management Studio (SSMS) / Azure Data Studio.

 

Pre-requisites:

  • Setup HCP Vault Cluster ( Version greater than 1.7.0 )
  • Setup HCP Boundary ( Version greater than 0.12.0 )
  • Boundary worker version ( Version greater than 0.12.0 ) ( Built on Azure VM )
  • SQL Server ( Built on Azure SQL Database )
  • Installing the Boundary Desktop App provides an optional workflow. The 1.2.0 version or greater is required for Vault support, and installing the latest version is recommended.


Procedure:

When connecting to an MSSQL Server in Azure via SSMS / Azure Data Studio, the username and password are retrieved from the output of the boundary connect command. The boundary connect command is used to establish a connection to a target, and the resulting output contains base64-encoded credentials. Now to:

  1. Connect to the Target: Use the boundary connect command to connect to the target. Replace <target-id> with the actual target ID.

    boundary connect -target-id <target-id>

    The output of this command will include a "Credentials:" section, displaying the base64-encoded credentials.

  2. Decode Credentials: If desired, you can use the jq tool to parse the output and decode the credentials. Run the following command:

    boundary targets authorize-session -id <target-id> -format json | jq .

    This command retrieves the session authorization details in JSON format and jq . is used to display the output. The "Credentials" section will include the base64-encoded username and password.

  3. Use Decoded Credentials in SSMS / Azure Data Studio: Take note of the decoded username and password from the output. You can use these credentials to establish a connection from SSMS / Azure Data Studio to SQL Server in Azure.

    Example (decoded output):

    "Credentials": {
      "Username": "decoded-username",
      "Password": "decoded-password"
    }

  4. Connect to MSSQL Server: Open SSMS / Azure Data Studio and use the decoded username and password to connect to the SQL Server in Azure. Enter the credentials in the SSMS / Azure Data Studio connection dialog.

    • Server Name: Provide the Azure SQL Server name.
    • Authentication: Choose "SQL Server Authentication."
    • Username: Enter the decoded username.
    • Password: Enter the decoded password.

    Click "Connect" to establish the connection.

Important:

  • The base64-encoded credentials in the "Credentials" section of the boundary connect output is securely retrieved and decoded using the boundary targets authorize-session command.

  • Please ensure that you have the necessary permissions and access to use the boundary connect and boundary targets authorize-session commands.

  • In the context of Boundary's Target configuration, ensure that the specified default port aligns with the listening port number configured for SQL Server. This alignment is crucial to establish seamless connectivity and communication between Boundary and SQL Server instances.
  • Always follow the best security practices when handling and storing credentials.

Conclusion:

This article provides a step-by-step guide for using HCP Boundary Vault credential brokering to obtain and use credentials for connecting to Microsoft SQL Server in Azure using SQL Server Management Studio (SSMS) / Azure Data Studio. The use of base64 encoding and decoding ensures the secure handling of credentials during the connection process.

 

Reference:

HCP Boundary Vault credential brokering quickstart 

Articles in this section

Related articles