Subject:
HashiCorp Cloud Platform (HCP) Boundary Vault credential brokering to establish a connection to Microsoft SQL Server in Azure using SQL Server Management Studio (SSMS) / Azure Data Studio.
Pre-requisites:
- Set up an HCP Vault cluster (version greater than 1.7.0)
- Set up HCP Boundary (version greater than 0.12.0)
- Boundary worker (version greater than 0.12.0), built on an Azure VM
- SQL Server (built on Azure SQL Database)
- Installing the Boundary Desktop App provides an optional workflow. Version 1.2.0 or greater is required for Vault support, and installing the latest version is recommended.
Procedure:
When connecting to an MSSQL Server in Azure via SSMS / Azure Data Studio, the username and password are retrieved from the output of the boundary connect command. The boundary connect command is used to establish a connection to a target, and the resulting output contains base64-encoded credentials. The steps are:
- Connect to the Target: Use the boundary connect command to connect to the target. Replace <target-id> with the actual target ID.
  boundary connect -target-id <target-id>
  The output of this command will include a "Credentials:" section, displaying the base64-encoded credentials.
- Decode Credentials: If desired, you can use the jq tool to parse the output and decode the credentials. Run the following command:
  boundary targets authorize-session -id <target-id> -format json | jq .
  This command retrieves the session authorization details in JSON format, and jq . is used to display the output. The "Credentials" section will include the base64-encoded username and password.
- Use Decoded Credentials in SSMS / Azure Data Studio: Take note of the decoded username and password from the output. You can use these credentials to establish a connection from SSMS / Azure Data Studio to SQL Server in Azure.
Example (decoded output):
"Credentials": {
"Username": "decoded-username",
"Password": "decoded-password"
}
- Connect to MSSQL Server: Open SSMS / Azure Data Studio and use the decoded username and password to connect to the SQL Server in Azure. Enter the credentials in the SSMS / Azure Data Studio connection dialog.
  - Server Name: Provide the Azure SQL Server name.
  - Authentication: Choose "SQL Server Authentication."
  - Username: Enter the decoded username.
  - Password: Enter the decoded password.
  Click "Connect" to establish the connection.
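An added example, not from the original article or from HashiCorp's code: a Python helper that pulls the brokered username and password out of the authorize-session JSON from the "Decode Credentials" step and prints only a redacted summary. The sample input is constructed, and the field names item.credentials[].secret.raw and .decoded are an assumption about the JSON layout, so compare them with your own output.

```python
import base64
import json

# Constructed sample shaped like `boundary targets authorize-session -format json`
# output. The field names (item.credentials[].secret.raw / .decoded) are an
# assumption; compare them with the output of your own Boundary version.
_raw = base64.b64encode(
    json.dumps({"username": "v-token-dba-EXAMPLE", "password": "constructed-pw"}).encode()
).decode()
SAMPLE_OUTPUT = json.dumps({
    "item": {
        "session_id": "s_EXAMPLE0000",
        "credentials": [{"secret": {"raw": _raw}}],
    }
})


def brokered_credentials(authorize_json):
    """Return the username/password pairs brokered for a session."""
    item = json.loads(authorize_json).get("item") or {}
    found = []
    for cred in item.get("credentials") or []:
        secret = cred.get("secret") or {}
        decoded = secret.get("decoded")
        if decoded is None and secret.get("raw"):
            # base64 is reversible by anyone who sees it: no key is involved.
            decoded = json.loads(base64.b64decode(secret["raw"], validate=True))
        if not isinstance(decoded, dict):
            continue
        # The article's example shows capitalised keys, so match case-insensitively.
        fields = {k.lower(): v for k, v in decoded.items()}
        if "username" in fields and "password" in fields:
            found.append({"username": fields["username"], "password": fields["password"]})
    return found


def redacted(creds):
    """Summaries that are safe to print or log: the password is never shown."""
    return [f"{c['username']} / <{len(c['password'])} chars hidden>" for c in creds]


if __name__ == "__main__":
    for line in redacted(brokered_credentials(SAMPLE_OUTPUT)):
        print(line)
```

Because the raw value decodes without any key, saved command output and shell scrollback hold usable credentials until the session's lease expires.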
Important:
- The base64-encoded credentials in the "Credentials" section of the boundary connect output are securely retrieved and decoded using the boundary targets authorize-session command.
- Please ensure that you have the necessary permissions and access to use the boundary connect and boundary targets authorize-session commands.
- In Boundary's target configuration, ensure that the specified default port matches the port number SQL Server is configured to listen on. This match is required for connectivity between Boundary and the SQL Server instance.
- Always follow security best practices when handling and storing credentials.
Conclusion:
This article provides a step-by-step guide for using HCP Boundary Vault credential brokering to obtain and use credentials for connecting to Microsoft SQL Server in Azure using SQL Server Management Studio (SSMS) / Azure Data Studio. The credentials are returned base64-encoded and are decoded as part of the connection process. Base64 is an encoding, not encryption, so the encoded values need the same protection as the plaintext username and password.