Credential Vault #
SQLSDC provides a simple vault to store credentials.
The following commands are available
vault list- list the stored credentials
vault test sqldsc_credential- prompt for a password and test if that is the password stored for
vault save sqldsc_credential [login]- prompt for a password and write that credential and password into the credential store. It will overwrite existing credentials. An optional login can be entered. Resource Blocks don’t need the
loginfrom the Vault Credential because they already have it. The
loginfrom the Credential is used when logging into SQL Servers.
The most common use case is creating identical logins across multiple servers with the same password. Examples include monitoring tools that require SQL Server logins or Availability Groups that need identical logins.
login resource, you can specify the
sqldsc_credential and it will use the password from that credential for the login.
The credentials are stored securely using the Windows DPAPI.
These are stored in a JSON file in
%LOCALAPPDATA%\sqldsc\.vault.json. This directory is specific to each user. You can see the credential name and login name in clear text but the password is encrypted. The login name isn’t used in the current release.
The DPAPI encrypts with a user key and an optional machine key. That means the file can’t be shared across users.