
Azure Managed Database

Rotate Azure Managed Database credentials with Keeper

In this section, you will learn how to rotate DB User or Admin credentials on the following Azure Managed Databases:

  • Azure SQL

  • Azure MySQL

  • Azure MariaDB

  • Azure PostgreSQL

Azure SQL

Rotating Admin/Regular Azure SQL Database Users with Keeper

Overview

In this guide, you'll learn how to rotate passwords for Azure SQL Database Users and Admin accounts on your Azure environment using Keeper Rotation. Azure SQL is an Azure managed resource where the SQL Admin Credentials are defined in the PAM Database record type and the configurations of the SQL Users are defined in the PAM User record type.

For an Azure managed SQL database, Keeper uses the Azure SDK to rotate the password of the Database Admin account. To rotate the passwords of regular database users, Keeper connects to the DB instance with the linked admin credentials and executes the necessary SQL statements to change each password.

  • See the Azure Overview for a high-level overview of getting started with Azure

Prerequisites

This guide assumes the following tasks have already taken place:

  • Rotation enforcements are configured for your role

  • A Keeper Secrets Manager application has been created

  • Your Azure environment is configured per our documentation

  • Your Keeper Gateway is online

  • The Keeper Gateway is able to communicate with your Azure SQL Server Database

  • If the Gateway is installed on a Linux or macOS server, install the Microsoft ODBC driver

1. Set up a PAM Database Record

The PAM Database record links to the admin credentials and holds the configuration needed to connect to the SQL Server on Azure. Keeper Rotation uses this configuration to rotate the passwords of regular database user accounts in the Azure SQL Server instance. The linked admin credentials must also have sufficient database permissions to change the credentials of those user accounts.

The required fields on the PAM Database record are:

  • Title: Keeper record title, e.g. Azure SQL Admin

  • Hostname or IP Address: the database server name, e.g. testdb-sql.mssql.database.azure.com

  • Port: for default ports, see port mapping, e.g. 1433

  • Use SSL: check to perform SSL verification before connecting, if your database has SSL configured

  • Administrative Credentials: the PAM User record holding the admin account username and password that will perform the rotation. If the admin in the DB user table has a Host other than %, append the Host value to the user name as USERNAME@SERVERNAME

  • Connect Database: optional database to use when connecting to the database server. MS SQL Server requires one, so this defaults to master

  • Database ID: name of the Azure database server, e.g. testdb-sql

  • Database Type: mssql

  • Provider Group: Azure resource group name

  • Provider Region: Azure resource region, e.g. East US

Note: Adding Provider Group, Provider Region, and Database ID will enable managing the PAM Database Record through the Azure SDK.

This PAM Database record, with its linked admin credential, needs to be in a shared folder that is shared to the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account; it does not need to be shared with any users.

2. Set up PAM Configuration

Note: You can skip this step if you already have a PAM Configuration set up for this environment.

If you are creating a new PAM Configuration, log in to the Keeper Vault, select "Secrets Manager", open the "PAM Configurations" tab and click "New Configuration". The required fields on the PAM Configuration record are:

  • Title: configuration name, e.g. Azure DB Configuration

  • Environment: select Azure Network

  • Gateway: select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Azure SQL database (see the prerequisites)

  • Application Folder: select the shared folder where the PAM Configuration will be stored. We recommend placing it in a shared folder with the PAM User records

  • Azure ID: a unique ID for this instance of Azure. It is for your reference and can be anything, but it is recommended to keep it short, e.g. Azure-Prod

  • Client ID: the Application (client) ID assigned to your app by Azure AD when the application was registered

  • Client Secret: the client credentials secret for the Azure application

  • Subscription ID: the UUID that identifies your subscription (e.g. Pay-As-You-Go) to use Azure services

  • Tenant ID: the UUID of the Azure Active Directory tenant

For more details on all the configurable fields in the PAM Configuration record, visit this page.

3. Set up one or more PAM User records

Keeper Rotation will use the linked credentials in the PAM Database record to rotate the PAM User records on your Azure environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.

The required fields on the PAM User record are:

  • Title: Keeper record title, e.g. Azure DB User1

  • Login: case-sensitive username of the account being rotated. If the user in the DB user table has a Host other than %, append the Host value to the user name as USERNAME@SERVERNAME

  • Password: optional; rotation will set one if blank

  • Connect Database: optional database to use when connecting to the database server. MS SQL Server requires one, so this defaults to master

4. Configure Rotation on the PAM User records

Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".

  • Select the desired schedule and password complexity.

  • The "Rotation Settings" should use the PAM Configuration set up previously.

  • The "Resource Credential" field should select the PAM Database credential set up in Step 1.

  • Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

Any user with edit rights to a PAM User record is able to set up rotation for that record.

Azure MySQL - Single or Flexible Database

Rotating Admin/Regular Azure MySQL Single or Flexible Database Users with Keeper

Overview

In this guide, you'll learn how to rotate passwords for Azure MySQL Database Users and Admin accounts on your Azure environment using Keeper Rotation. Azure MySQL is an Azure managed resource where the MySQL Admin Credentials are defined in the PAM Database record type and the configurations of the MySQL Users are defined in the PAM User record type.

For an Azure managed MySQL database, Keeper uses the Azure SDK to rotate the password of the Database Admin account. To rotate the passwords of regular database users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change each password.

  • See the Azure Overview for a high-level overview of getting started with Azure

In 2024, Azure is retiring the non-flexible (Single Server) MySQL managed service, after which the term "flexible" will most likely be dropped. See: What's happening to Azure Database for MySQL Single Server?

Prerequisites

This guide assumes the following tasks have already taken place:

  • Rotation enforcements are configured for your role

  • A Keeper Secrets Manager application has been created

  • Your Azure environment is configured per our documentation

  • Your Keeper Gateway is online

  • Your Keeper Gateway is able to communicate with the Azure MySQL Server Database

1. Set up a PAM Database Record

The PAM Database record links to the admin credentials and holds the configuration needed to connect to the MySQL Server on Azure. Keeper Rotation uses this configuration to rotate the passwords of regular database user accounts in the Azure MySQL Server instance. The linked admin credentials must also have sufficient database permissions to change the credentials of those user accounts.

The required fields on the PAM Database record are:

  • Title: Keeper record title, e.g. Azure MySQL Admin

  • Hostname or IP Address: the database server name, e.g. testdb-sql.mysql.database.azure.com

  • Port: for default ports, see port mapping, e.g. 3306 for MySQL

  • Use SSL: check to perform SSL verification before connecting, if your database has SSL configured

  • Administrative Credentials: the PAM User record holding the admin account username and password that will perform the rotation. If the admin account in the DB user table has a Host other than %, append the Host value to the user name as USERNAME@HOST

  • Database ID: name of the Azure database server, e.g. testdb-sql

  • Database Type: mysql or mysql-flexible

  • Provider Group: Azure resource group name

  • Provider Region: Azure resource region, e.g. East US

Note: Adding Provider Group, Provider Region, and Database ID will enable managing the PAM Database Record through the Azure SDK.

This PAM Database record, with its admin credential, needs to be in a shared folder that is shared to the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account; it does not need to be shared with any users.

2. Set up PAM Configuration

Note: You can skip this step if you already have a PAM Configuration set up for this environment.

If you are creating a new PAM Configuration, log in to the Keeper Vault, select "Secrets Manager", open the "PAM Configurations" tab and click "New Configuration". The required fields on the PAM Configuration record are:

  • Title: configuration name, e.g. Azure DB Configuration

  • Environment: select Azure Network

  • Gateway: select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Azure MySQL database (see the prerequisites)

  • Application Folder: select the shared folder where the PAM Configuration will be stored. We recommend placing it in a shared folder with the PAM User records

  • Azure ID: a unique ID for this instance of Azure. It is for your reference and can be anything, but it is recommended to keep it short, e.g. Azure-Prod

  • Client ID: the Application (client) ID assigned to your app by Azure AD when the application was registered

  • Client Secret: the client credentials secret for the Azure application

  • Subscription ID: the UUID that identifies your subscription (e.g. Pay-As-You-Go) to use Azure services

  • Tenant ID: the UUID of the Azure Active Directory tenant

For more details on all the configurable fields in the PAM Configuration record, visit this page.

3. Set up one or more PAM User records

Keeper Rotation will use the linked credentials in the PAM Database record to rotate the PAM User records on your Azure environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.

The required fields on the PAM User record are:

  • Title: Keeper record title, e.g. Azure DB User1

  • Login: case-sensitive username of the account being rotated. If the user in the DB user table has a Host other than %, append the Host value to the user name as USERNAME@SERVERNAME

  • Password: optional; rotation will set one if blank

4. Configure Rotation on the PAM User records

Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".

  • Select the desired schedule and password complexity.

  • The "Rotation Settings" should use the PAM Configuration set up previously.

  • The "Resource Credential" field should select the PAM Database credential set up in Step 1.

  • Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

Any user with edit rights to a PAM User record is able to set up rotation for that record.

Azure MariaDB Database

Rotating Admin/Regular Azure MariaDB Database Users with Keeper

Overview

In this guide, you'll learn how to rotate passwords for Azure MariaDB Users and Admin accounts on your Azure environment using KeeperPAM. Azure MariaDB is an Azure managed resource where the MariaDB Admin Credentials are defined in the PAM Database record type and the configurations of the MariaDB Users are defined in the PAM User record type.

For an Azure managed MariaDB database, Keeper uses the Azure SDK to rotate the password of the Database Admin account. To rotate the passwords of regular database users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change each password.

  • See the Azure Overview for a high-level overview of getting started with Azure

Prerequisites

This guide assumes the following tasks have already taken place:

  • Rotation enforcements are configured for your role

  • A Keeper Secrets Manager application has been created

  • Your Azure environment is configured per our documentation

  • Your Keeper Gateway is online

  • Your Keeper Gateway is able to communicate with the Azure Managed MariaDB database

1. Set up a PAM Database Record

The PAM Database record links to the admin credentials and holds the configuration needed to connect to the MariaDB server on Azure. Keeper Rotation uses this configuration to rotate the passwords of regular database user accounts in the Azure MariaDB Server instance. The linked admin credentials must also have sufficient database permissions to change the credentials of those user accounts.

The required fields on the PAM Database record are:

  • Title: Keeper record title, e.g. Azure MariaDB Admin

  • Hostname or IP Address: the database server name, e.g. testdb-mariadb.mariadb.database.azure.com

  • Port: for default ports, see port mapping, e.g. 3306 for MariaDB

  • Use SSL: check to perform SSL verification before connecting, if your database has SSL configured

  • Administrative Credentials: the PAM User record holding the admin account that will perform the rotation. If the admin in the DB user table has a Host other than %, append the Host value to the user name as USERNAME@SERVERNAME

  • Database ID: name of the Azure database server, e.g. testdb-mariadb

  • Database Type: mariadb or mariadb-flexible

  • Provider Group: Azure resource group name

  • Provider Region: Azure resource region, e.g. East US

Note: Adding Provider Group, Provider Region, and Database ID will enable managing the PAM Database Record through the Azure SDK.

This PAM Database record, with its admin credential, needs to be in a shared folder that is shared to the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account; it does not need to be shared with any users.

2. Set up PAM Configuration

Note: You can skip this step if you already have a PAM Configuration set up for this environment.

If you are creating a new PAM Configuration, log in to the Keeper Vault, select "Secrets Manager", open the "PAM Configurations" tab and click "New Configuration". The required fields on the PAM Configuration record are:

  • Title: configuration name, e.g. Azure DB Configuration

  • Environment: select Azure Network

  • Gateway: select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Azure MariaDB database (see the prerequisites)

  • Application Folder: select the shared folder where the PAM Configuration will be stored. We recommend placing it in a shared folder with the PAM User records

  • Azure ID: a unique ID for this instance of Azure. It is for your reference and can be anything, but it is recommended to keep it short, e.g. Azure-Prod

  • Client ID: the Application (client) ID assigned to your app by Azure AD when the application was registered

  • Client Secret: the client credentials secret for the Azure application

  • Subscription ID: the UUID that identifies your subscription (e.g. Pay-As-You-Go) to use Azure services

  • Tenant ID: the UUID of the Azure Active Directory tenant

For more details on all the configurable fields in the PAM Configuration record, visit this page.

3. Set up one or more PAM User records

Keeper Rotation will use the linked credentials in the PAM Database record to rotate the PAM User records on your Azure environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.

The required fields on the PAM User record are:

  • Title: Keeper record title, e.g. Azure MariaDB User1

  • Login: case-sensitive username of the account being rotated. If the user in the DB user table has a Host other than %, append the Host value to the user name as USERNAME@SERVERNAME

  • Password: optional; rotation will set one if blank

4. Configure Rotation on the PAM User records

Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".

  • Select the desired schedule and password complexity.

  • The "Rotation Settings" should use the PAM Configuration set up previously.

  • The "Resource Credential" field should select the PAM Database credential set up in Step 1.

  • Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

Any user with edit rights to a PAM User record is able to set up rotation for that record.

Azure PostgreSQL - Single or Flexible Database

Rotating Admin/Regular Azure PostgreSQL Single or Flexible Database Users with Keeper

Overview

In this guide, you'll learn how to rotate passwords for Azure PostgreSQL Database Users and Admin accounts on your Azure environment using KeeperPAM. Azure PostgreSQL is an Azure managed resource where the PostgreSQL Admin Credentials are defined in the PAM Database record type and the configurations of the PostgreSQL Users are defined in the PAM User record type.

For an Azure managed PostgreSQL database, Keeper uses the Azure SDK to rotate the password of the Database Admin account. To rotate the passwords of regular database users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change each password.

  • See the Azure Overview for a high-level overview of getting started with Azure

Prerequisites

This guide assumes the following tasks have already taken place:

  • Rotation enforcements are configured for your role

  • A Keeper Secrets Manager application has been created

  • Your Azure environment is configured per our documentation

  • Your Keeper Gateway is online

  • Your Keeper Gateway is able to communicate with the Azure Managed PostgreSQL database

1. Set up a PAM Database Record

The PAM Database record links to the admin credentials and holds the configuration needed to connect to the PostgreSQL Server on Azure. Keeper Rotation uses this configuration to rotate the passwords of regular database user accounts in the Azure PostgreSQL Server instance. The linked admin credentials must also have sufficient database permissions to change the credentials of those user accounts.

The required fields on the PAM Database record are:

  • Title: Keeper record title, e.g. Azure PostgreSQL Admin

  • Hostname or IP Address: the database server name, e.g. testdb-psql.postgresql.database.azure.com

  • Port: for default ports, see port mapping, e.g. 5432

  • Use SSL: check to perform SSL verification before connecting, if your database has SSL configured

  • Administrative Credentials: the PAM User record holding the admin account that will perform the rotation. If the admin account in the DB user table has a Host other than %, append the Host value to the user name as USERNAME@HOST

  • Connect Database: optional database to use when connecting to the database server. PostgreSQL requires one, so this defaults to template1

  • Database ID: name of the Azure database server, e.g. testdb-psql

  • Database Type: postgresql or postgresql-flexible

  • Provider Group: Azure resource group name

  • Provider Region: Azure resource region, e.g. East US

Note: Adding Provider Group, Provider Region, and Database ID will enable managing the PAM Database Record through the Azure SDK.

This PAM Database record, with its admin credential, needs to be in a shared folder that is shared to the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account; it does not need to be shared with any users.

2. Set up PAM Configuration

Note: You can skip this step if you already have a PAM Configuration set up for this environment.

If you are creating a new PAM Configuration, log in to the Keeper Vault, select "Secrets Manager", open the "PAM Configurations" tab and click "New Configuration". The required fields on the PAM Configuration record are:

  • Title: configuration name, e.g. Azure DB Configuration

  • Environment: select Azure Network

  • Gateway: select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Azure PostgreSQL database (see the prerequisites)

  • Application Folder: select the shared folder where the PAM Configuration will be stored. We recommend placing it in a shared folder with the PAM User records

  • Azure ID: a unique ID for this instance of Azure. It is for your reference and can be anything, but it is recommended to keep it short, e.g. Azure-Prod

  • Client ID: the Application (client) ID assigned to your app by Azure AD when the application was registered

  • Client Secret: the client credentials secret for the Azure application

  • Subscription ID: the UUID that identifies your subscription (e.g. Pay-As-You-Go) to use Azure services

  • Tenant ID: the UUID of the Azure Active Directory tenant

For more details on all the configurable fields in the PAM Configuration record, visit this page.

3. Set up one or more PAM User records

Keeper Rotation will use the linked credentials in the PAM Database record to rotate the PAM User records on your Azure environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.

The required fields on the PAM User record are:

  • Title: Keeper record title, e.g. Azure PostgreSQL User1

  • Login: case-sensitive username of the account being rotated. If the user in the DB user table has a Host other than %, append the Host value to the user name as USERNAME@SERVERNAME

  • Password: optional; rotation will set one if blank

  • Connect Database: optional database to use when connecting to the database server. PostgreSQL requires one, so this defaults to template1

4. Configure Rotation on the PAM User records

Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".

  • Select the desired schedule and password complexity.

  • The "Rotation Settings" should use the PAM Configuration set up previously.

  • The "Resource Credential" field should select the PAM Database credential set up in Step 1.

  • Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

Any user with edit rights to a PAM User record is able to set up rotation for that record.
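The PAM Database and PAM User record setup is the same for all four engines above. As an added example (my own code, not Keeper's), the script below checks a PAM Database record for the consistency the field lists imply and builds the per-engine password-change statement that the regular-user rotation path would execute with the admin credential; the class and function names are assumptions, and the USERNAME@HOST split is applied to MySQL/MariaDB account names only.

```python
"""Added example (not Keeper's code): sanity-check a PAM Database record as
described in this guide and build the password-change statement the
regular-user rotation path runs with the linked admin credentials. Values come
from the guide; names are hypothetical, and the USERNAME@HOST split is applied
only to MySQL/MariaDB account names."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Default port per Database Type value listed in the guide.
DEFAULT_PORTS = {"mssql": 1433, "mysql": 3306, "mysql-flexible": 3306,
                 "mariadb": 3306, "mariadb-flexible": 3306,
                 "postgresql": 5432, "postgresql-flexible": 5432}


@dataclass
class PamDatabaseRecord:
    hostname: str
    port: int
    database_type: str
    database_id: str = ""
    provider_group: str = ""
    provider_region: str = ""


def check_record(rec: PamDatabaseRecord) -> List[str]:
    """Return the problems found; an empty list means the record is consistent."""
    if rec.database_type not in DEFAULT_PORTS:
        return [f"unknown Database Type {rec.database_type!r}"]
    problems = []
    if rec.port != DEFAULT_PORTS[rec.database_type]:
        problems.append(f"port {rec.port} is not the default for {rec.database_type}")
    # In the guide's examples the Database ID is the first DNS label of the hostname.
    label = rec.hostname.split(".", 1)[0]
    if rec.database_id and rec.database_id != label:
        problems.append(f"Database ID {rec.database_id!r} != hostname label {label!r}")
    # Admin rotation through the Azure SDK needs all three provider fields set.
    sdk = (rec.database_id, rec.provider_group, rec.provider_region)
    if any(sdk) and not all(sdk):
        problems.append("Database ID, Provider Group and Provider Region must all be set")
    return problems


def split_login(database_type: str, login: str) -> Tuple[str, Optional[str]]:
    """MySQL/MariaDB accounts are 'user'@'host'; the guide writes USERNAME@HOST
    when the host is not %, so a bare login means host %."""
    if database_type.startswith(("mysql", "mariadb")):
        user, sep, host = login.rpartition("@")
        return (user, host) if sep else (login, "%")
    return login, None


def mysql_quote(s: str) -> str:
    """Escape a MySQL/MariaDB string literal: backslash is an escape character there."""
    return s.replace("\\", "\\\\").replace("'", "''")


def password_change_sql(database_type: str, login: str, new_password: str) -> str:
    """ALTER statement for a regular user. Password DDL cannot take bound
    parameters, so identifiers and the password literal are escaped by hand."""
    user, host = split_login(database_type, login)
    if host is not None:  # MySQL / MariaDB
        return (f"ALTER USER '{mysql_quote(user)}'@'{mysql_quote(host)}' "
                f"IDENTIFIED BY '{mysql_quote(new_password)}'")
    lit = new_password.replace("'", "''")  # '' is a quote in T-SQL and PostgreSQL
    if database_type == "mssql":  # server-level login (assumed); contained users use ALTER USER
        ident = user.replace("]", "]]")
        return f"ALTER LOGIN [{ident}] WITH PASSWORD = N'{lit}'"
    ident = user.replace('"', '""')  # PostgreSQL quoted identifier
    return f"""ALTER USER "{ident}" WITH PASSWORD '{lit}'"""
```

The exact statements Keeper issues are not documented on this page; the point the code makes is that a generated password is a string literal inside DDL, so quoting it correctly is part of a rotation that must never fail on a password containing a quote or backslash.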