Azure SQL DB:使用PowerShell,参数化的SQL脚本和Azure Key Vault创建用户

时间:2018-07-24 12:19:16

标签: sql powershell azure azure-sql-database azure-keyvault

目标:

  • 在现有Azure SQL数据库中创建用户
  • 用户名应作为参数传递给创建用户的SQL脚本
  • 该密码作为秘密存储在Azure Key Vault中,并且应作为参数传递给创建用户的SQL脚本
  • 向创建的用户分配某些权限

2 个答案:

答案 0 :(得分:1)

代码:

DECLARE @username VARCHAR(50) = '$(username)';
DECLARE @password VARCHAR(50) = '$(password)';
DECLARE @schema VARCHAR(50) = 'xxx';

DECLARE @query NVARCHAR(MAX) = '
IF NOT EXISTS(SELECT * FROM sys.database_principals WHERE NAME = ' + CHAR(39) + @username + CHAR(39) + ')
    BEGIN
        CREATE USER ' + @username + ' WITH PASSWORD = ' + CHAR(39) + @password + CHAR(39) + ';
        ALTER USER ' + @username + ' WITH DEFAULT_SCHEMA = ' + @schema + ';
    END

--ALTER ROLE db_datareader ADD MEMBER @username;
--ALTER ROLE db_datawriter ADD MEMBER @username;
GRANT SELECT ON SCHEMA::' + @schema + ' TO ' + @username + ';
GRANT INSERT ON SCHEMA::' + @schema + ' TO ' + @username + ';
GRANT UPDATE ON SCHEMA::' + @schema + ' TO ' + @username + ';
GRANT DELETE ON SCHEMA::' + @schema + ' TO ' + @username + ';
GRANT EXECUTE ON SCHEMA::' + @schema + ' TO ' + @username + ';
';

EXECUTE (@query);
  • 对于PowerShell:
    • 必须在具有创建用户权限的连接字符串中使用用户及其凭据
    • 要使SQL脚本中的连接字符串中的密码分别存在,从安全密码到普通密码的“ hack”是必需的
    • 假定SQL脚本与PowerShell脚本处于同一级别或某个子文件夹
    • 必须安装SQL模块
      • Install-module -Name SqlServer -Scope CurrentUser

代码:

$passwordAdminSecure = (Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $adminSecretName).SecretValue
$passwordAdminPlain = (New-Object PSCredential "user",$passwordAdminSecure).GetNetworkCredential().Password

$dbConnectionString = "Server=tcp:$serverName.database.windows.net,1433;Initial Catalog=$dbName;Persist Security Info=False;User ID=$username;Password=$passwordAdminPlain;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;"

$script = Get-ChildItem -Path $PSScriptRoot -Include scriptname.sql -Recurse

$userToCreate = 'xxx'
$passwordUserSecure = (Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $userSecretName).SecretValue
$passwordUserPlain = (New-Object PSCredential "user",$passwordUserSecure).GetNetworkCredential().Password

Invoke-Sqlcmd -InputFile $script -ConnectionString $dbConnectionString -Variable username=$userToCreate, password=$passwordUserPlain -Verbose

Write-Host "Added user $userToCreate!"
  • 通过以下查询,您可以检查具有分配权限的现有用户

代码:

SELECT DISTINCT 
    pr.principal_id, 
    pr.name, 
    pr.type_desc, 
    pr.authentication_type_desc, 
    pe.state_desc, 
    pe.permission_name
FROM sys.database_principals AS pr
JOIN sys.database_permissions AS pe
    ON pe.grantee_principal_id = pr.principal_id;

答案 1 :(得分:1)

  

我反复遇到使用正确的参数表示法的麻烦。

您正在混合使用SQLCMD变量和TSQL变量。这很棘手。

从PowerShell编写SQL时,我发现最好让Powershell构建最终查询。像这样:

$username = "joe"
$password = "23948230948"
$schema = "dbo"


$sql = @"
IF NOT EXISTS(SELECT * FROM sys.database_principals WHERE NAME = '$username')
    BEGIN
        CREATE USER $username WITH PASSWORD = '$password';
        ALTER USER $username WITH DEFAULT_SCHEMA = $schema;
    END


GRANT SELECT ON SCHEMA::$schema TO $username;
GRANT INSERT ON SCHEMA::$schema TO $username;
GRANT UPDATE ON SCHEMA::$schema TO $username;
GRANT DELETE ON SCHEMA::$schema TO $username;
GRANT EXECUTE ON SCHEMA::$schema TO $username;
"@

invoke-sqlcmd $sql
相关问题
最新问题