The Infisical SQL Server secret rotation allows you to automatically rotate your database users’ passwords at a predefined interval.

Prerequisites

  1. Create two SQL Server logins and database users with the required permissions. We’ll refer to them as user-a and user-b.
  2. Create another SQL Server login with permissions to alter logins for user-a and user-b. We’ll refer to this as the admin login.

Here’s how to set up the prerequisites:

-- Create the logins (at server level)
CREATE LOGIN [user-a] WITH PASSWORD = 'ComplexPassword1';
CREATE LOGIN [user-b] WITH PASSWORD = 'ComplexPassword2';

-- Create database users for the logins (in your specific database)
USE [YourDatabase];
CREATE USER [user-a] FOR LOGIN [user-a];
CREATE USER [user-b] FOR LOGIN [user-b];

-- Grant necessary permissions to the users
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO [user-a];
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO [user-b];

-- Create admin login with permission to alter other logins
CREATE LOGIN [admin] WITH PASSWORD = 'AdminComplexPassword';
CREATE USER [admin] FOR LOGIN [admin];

-- Grant permission to alter any login
GRANT ALTER ANY LOGIN TO [admin];

To learn more about SQL Server’s permission system, please visit this documentation.

How it works

  1. Infisical connects to your database using the provided admin login credentials.
  2. A random value is generated and the password for user-a is updated with the new value.
  3. The new password is then tested by logging into the database.
  4. If test is successful, it’s saved to the output secret mappings so that rest of the system gets the newly rotated value(s).
  5. The process is then repeated for user-b on the next rotation.
  6. The cycle repeats until secret rotation is deleted/stopped.

Rotation Configuration

1

Open Secret Rotation Page

Head over to Secret Rotation configuration page of your project by clicking on Secret Rotation in the left side bar

2

Click on Microsoft SQL Server card

3

Provide the inputs

Admin Username
string
required

SQL Server admin username

Admin password
string
required

SQL Server admin password

Host
string
required

SQL Server host url (e.g., your-server.database.windows.net)

Port
number
required

Database port number (default: 1433)

Database
string
required

Database name (default: master)

Username1
string
required

The first login name to rotate - user-a

Username2
string
required

The second login name to rotate - user-b

CA
string

Optional database certificate to connect with database

4

Configure the output secret mapping

When a secret rotation is successful, the updated values needs to be saved to an existing key(s) in your project.

Environment
string
required

The environment where the rotated credentials should be mapped to.

Secret Path
string
required

The secret path where the rotated credentials should be mapped to.

Interval
number
required

What interval should the credentials be rotated in days.

DB USERNAME
string
required

Select an existing secret key where the rotated database username value should be saved to.

DB PASSWORD
string
required

Select an existing select key where the rotated database password value should be saved to.

FAQ