|
| 1 | +--- |
| 2 | +title: Rotate SQL Managed Instance service-managed credentials (preview) |
| 3 | +description: Rotate SQL Managed Instance service-managed credentials (preview) |
| 4 | +services: azure-arc |
| 5 | +ms.service: azure-arc |
| 6 | +ms.subservice: azure-arc-data |
| 7 | +author: GuptaSeattle |
| 8 | +ms.author: guptapra |
| 9 | +ms.reviewer: mikeray |
| 10 | +ms.date: 03/06/2023 |
| 11 | +ms.topic: how-to |
| 12 | +--- |
| 13 | +# Rotate Azure Arc-enabled SQL Managed Instance service-managed credentials (preview) |
| 14 | + |
| 15 | +This article describes how to rotate service-managed credentials for Azure Arc-enabled SQL Managed Instance. Arc data services generates various service-managed credentials like certificates and SQL logins used for Monitoring, Backup/Restore, High Availability etc. These credentials are considered custom resource credentials managed by Azure Arc data services. |
| 16 | + |
| 17 | +Service-managed credential rotation is a user-triggered operation that you initiate during a security issue or when periodic rotation is required for compliance. |
| 18 | + |
| 19 | +## Limitations |
| 20 | + |
| 21 | +Consider the following limitations when you rotate a managed instance service-managed credentials: |
| 22 | + |
| 23 | +- SQL Server failover groups aren't supported. |
| 24 | +- Automatically pre-scheduled rotation isn't supported. |
| 25 | +- The service-managed DPAPI symmetric keys, keytab, active directory accounts, and service-managed TDE credentials aren't included in this credential rotation. |
| 26 | +- SQL Managed Instance Business Critical tier isn't supported. |
| 27 | +- This feature should not be used in production currently. There is a known limitation where _rollback_ cannot be triggered unless credential rotation is completed successfully and the SQLMI is in "Ready" state. |
| 28 | + |
| 29 | +## General Purpose tier |
| 30 | + |
| 31 | +During a SQL Managed Instance service-managed credential rotation, the managed instance Kubernetes pod is terminated and reprovisioned when new credentials are generated. This process causes a short amount of downtime as the new managed instance pod is created. To handle the interruption, build resiliency into your application such as connection retry logic, to ensure minimal disruption. Read [Overview of the reliability pillar](/azure/architecture/framework/resiliency/overview) for more information on how to architect resiliency and [retry guidance for Azure Services](/azure/architecture/best-practices/retry-service-specific#sql-database-using-adonet). |
| 32 | + |
| 33 | +## Prerequisites: |
| 34 | + |
| 35 | +Before you proceed with this article, you must have an Azure Arc-enabled SQL Managed Instance resource created. |
| 36 | + |
| 37 | +- [An Azure Arc-enabled SQL Managed Instance created](./create-sql-managed-instance.md) |
| 38 | + |
| 39 | +## How to rotate service-managed credentials in a managed instance |
| 40 | + |
| 41 | +Service-managed credentials are associated with a generation within the managed instance. To rotate all service-managed credentials for a managed instance, the generation must be increased by 1. |
| 42 | + |
| 43 | +Run the following commands to get current service-managed credentials generation from spec and generate the new generation of service-managed credentials. This action triggers a service-managed credential rotation. |
| 44 | + |
| 45 | +```console |
| 46 | +rotateCredentialGeneration=$(($(kubectl get sqlmi <sqlmi-name> -o jsonpath='{.spec.update.managedCredentialsGeneration}' -n <namespace>) + 1)) |
| 47 | +``` |
| 48 | + |
| 49 | + |
| 50 | +```console |
| 51 | +kubectl patch sqlmi <sqlmi-name> --namespace <namespace> --type merge --patch '{ "spec": { "update": { "managedCredentialsGeneration": '$rotateCredentialGeneration'} } }' |
| 52 | +``` |
| 53 | +--- |
| 54 | + |
| 55 | +The `managedCredentialsGeneration` identifies the target generation for the service-managed credentials. The rest of the features like configuration and the kubernetes topology remain the same. |
| 56 | + |
| 57 | +## How to roll back service-managed credentials in a managed instance |
| 58 | + |
| 59 | +> [!NOTE] |
| 60 | +> Rollback is required when credential rotation failed for any reasons. Rollback to previous credentials generation is supported only once to n-1 where n is current generation. |
| 61 | +
|
| 62 | +Run the following two commands to get current service-managed credentials generation from spec and rollback to the previous generation of service-managed credentials: |
| 63 | + |
| 64 | +```console |
| 65 | +rotateCredentialGeneration=$(($(kubectl get sqlmi <sqlmi-name> -o jsonpath='{.spec.update.managedCredentialsGeneration}' -n <namespace>) - 1)) |
| 66 | +``` |
| 67 | + |
| 68 | +```console |
| 69 | +kubectl patch sqlmi <sqlmi-name> --namespace <namespace> --type merge --patch '{ "spec": { "update": { "managedCredentialsGeneration": '$rotateCredentialGeneration'} } }' |
| 70 | +``` |
| 71 | + |
| 72 | +Triggering rollback is the same as triggering a rotation of service-managed credentials except that the target generation is previous generation and doesn't generate a new generation or credentials. |
| 73 | + |
| 74 | +## Next steps |
| 75 | + |
| 76 | +- [View the SQL managed instance dashboards](azure-data-studio-dashboards.md#view-the-sql-managed-instance-dashboards) |
| 77 | +- [View SQL Managed Instance in the Azure portal](view-arc-data-services-inventory-in-azure-portal.md) |
0 commit comments