If you’ve been a DBA for more than a day, you probably have a pretty good idea of what a login is. However, did you know that you can access resources outside of SQL Server without granting the login permissions everywhere, and also run job steps under accounts that don’t have SQL Server access? Say hello to credentials and proxies.
Credentials allow SQL Server to access servers, shares, and other external resources when the SQL Server login accessing those resources doesn’t have explicit permission to do so. A credential object is created that stores the necessary user name and password information, and then a SQL Server login can be mapped to the credential. This even works with SQL Server authentication!
Proxies allow a SQL Server Agent job to run under a credential that has the access it needs to do its business, even if the account doesn’t have SQL Server access. Let’s walk through an example of creating a credential that a proxy can then make use of.
Football season is around the corner, and I’m feeling a Packers-themed credential. ‘AaronRodgers’ is a domain user with permissions to my Windows server, but not my SQL Server.
USE master
GO
CREATE CREDENTIAL ExampleCredential
WITH IDENTITY = 'KREUL01\AaronRodgers',
     SECRET = 'Lambeau12';
GO
Now we add a proxy that is mapped to the credential we just created.
USE msdb
GO
EXEC dbo.sp_add_proxy
    @proxy_name = 'ExampleProxy',
    @enabled = 1,
    @description = 'Powershell Proxy',
    @credential_name = 'ExampleCredential';
GO
Once this proxy is added, it will appear in the ‘Unassigned Proxies’ folder under SQL Server Agent. Right-click on the proxy, select ‘Properties’, and then select the subsystems you want to map the proxy to. Note that running T-SQL is not an option here, as those jobs must run under a database login. I chose PowerShell for this example.
Now, when you add a job step in a SQL Server Agent job and select a subsystem you assigned the proxy to, you’ll be able to run the step as the proxy instead of the SQL Server Agent account. Hooray for limited exposure!
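The subsystem mapping and job step described above can also be scripted, which makes the grant reviewable. This is an added example, not code from the original post; the login KREUL01\JobOwner, the job name ExampleProxyJob and the step command are hypothetical. It ends with an audit query showing which Windows identity each proxy runs as, which subsystems it is mapped to, and which logins may use it.

```sql
-- Added example (not from the original post). Hypothetical names:
-- login KREUL01\JobOwner, job ExampleProxyJob, and the step command.
USE msdb;
GO
-- Map the proxy to the PowerShell subsystem only (the 'Properties' dialog step).
EXEC dbo.sp_grant_proxy_to_subsystem
    @proxy_name = N'ExampleProxy',
    @subsystem_name = N'PowerShell';
-- Job owners who are not sysadmin need an explicit grant to select the proxy.
EXEC dbo.sp_grant_login_to_proxy
    @proxy_name = N'ExampleProxy',
    @login_name = N'KREUL01\JobOwner';
GO
-- Create a job whose single step runs as the proxy, not the Agent service account.
EXEC dbo.sp_add_job @job_name = N'ExampleProxyJob';
EXEC dbo.sp_add_jobstep
    @job_name = N'ExampleProxyJob',
    @step_name = N'Run as ExampleProxy',
    @subsystem = N'PowerShell',
    @command = N'Get-ChildItem -Path C:\Temp',
    @proxy_name = N'ExampleProxy';
EXEC dbo.sp_add_jobserver @job_name = N'ExampleProxyJob';
GO
-- Audit: one row per proxy / subsystem / grant combination.
-- granted_login resolves grants made to logins; grants made to roles are not resolved here.
SELECT p.name AS proxy_name,
       p.enabled,
       c.name AS credential_name,
       c.credential_identity,
       s.subsystem,
       SUSER_SNAME(pl.sid) AS granted_login
FROM dbo.sysproxies AS p
JOIN sys.credentials AS c ON c.credential_id = p.credential_id
LEFT JOIN dbo.sysproxysubsystem AS ps ON ps.proxy_id = p.proxy_id
LEFT JOIN dbo.syssubsystems AS s ON s.subsystem_id = ps.subsystem_id
LEFT JOIN dbo.sysproxylogin AS pl ON pl.proxy_id = p.proxy_id
ORDER BY p.name, s.subsystem;
GO
```

A proxy mapped to more subsystems, or granted to more logins, than its jobs require shows up as extra rows in the audit output.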