ContextQMD
Back to Infisical

Microsoft SQL Server

docs/documentation/platform/pam/getting-started/resources/mssql.mdx

0.159.257.5 KB
Original Source

Infisical PAM supports secure, just-in-time access to Microsoft SQL Server databases. This allows your team to access MsSQL without sharing long-lived credentials, while maintaining a complete audit trail of who accessed what and when.

How It Works

MsSQL access in Infisical PAM uses an Infisical Gateway to securely proxy connections to your MsSQL server. When a user requests access, Infisical establishes a secure tunnel through the Gateway, enabling secure access without exposing your MsSQL instance directly.

mermaid
sequenceDiagram
    participant User
    participant CLI as Infisical CLI
    participant Infisical
    participant Gateway as Infisical Gateway
    participant MsSQL as MsSQL Server

    User->>CLI: Request MsSQL access
    CLI->>Infisical: Authenticate & request session
    Infisical-->>CLI: Session credentials & Gateway info
    CLI->>CLI: Start local proxy
    CLI->>Gateway: Establish secure tunnel
    Gateway->>MsSQL: Establish connection
    Gateway->>MsSQL: Authenticate with credentials
    User->>CLI: SQL queries
    CLI->>Gateway: Proxy requests
    Gateway->>MsSQL: Forward queries
    MsSQL-->>Gateway: Response
    Gateway-->>CLI: Return response
    CLI-->>User: Query output

Key Concepts

  1. Gateway: An Infisical Gateway deployed in your network that can reach the MsSQL server. The Gateway handles secure communication between users and your MsSQL instance.

  2. Authentication: Credentials (username/password) are stored securely in Infisical and used by the Gateway to authenticate with MsSQL on behalf of the user.

  3. Local Proxy: The Infisical CLI starts a local proxy on your machine that intercepts MsSQL connections and routes them securely through the Gateway to your MsSQL instance.

  4. Session Tracking: All access sessions are logged, including when the session was created, who accessed the MsSQL instance, session duration, and when it ended.

Session Tracking

Infisical tracks:

  • When the session was created
  • Who accessed which MsSQL instance
  • Session duration
  • When the session ended
<Info> **Session Logs**: After ending a session (by stopping the proxy), you can view detailed session logs in the Sessions page. </Info>

Prerequisites

Before configuring MsSQL access in Infisical PAM, you need:

  1. Infisical Gateway - A Gateway deployed in your network with access to the MsSQL server
  2. MsSQL Credentials - Username and password for the MsSQL instance
  3. Infisical CLI - The Infisical CLI installed on user machines
<Warning> **Gateway Required**: MsSQL access requires an Infisical Gateway to be deployed and registered with your Infisical instance. The Gateway must have network connectivity to your MsSQL server. </Warning>

Create the PAM Resource

The PAM Resource represents the connection between Infisical and your MsSQL instance.

<Steps> <Step title="Ensure Gateway is Running"> Before creating the resource, ensure you have an Infisical Gateway running and registered with your Infisical instance. The Gateway must have network access to your MsSQL server. </Step> <Step title="Create the Resource in Infisical"> 1. Navigate to your PAM project and go to the **Resources** tab 2. Click **Add Resource** and select **Microsoft SQL Server** 3. Enter a **Name** for the resource (e.g., `production-mssql`, `staging-db`) 4. Select the **Gateway** that has access to this MsSQL instance 5. Enter the **Host** - the hostname or IP address of your MsSQL server (e.g., `mssql.example.com` or `192.168.1.100`) 6. Enter the **Database Name** - the database to connect to 7. Enter the **Port** - the MsSQL port (default: `1433`) 8. Configure SSL/TLS options: - **Enable SSL**: Toggle to enable TLS/SSL connections (enabled by default) - **Reject Unauthorized**: Toggle to verify SSL certificates (enabled by default, recommended for production) - **Trusted CA SSL Certificate**: Optional CA certificate for custom certificate authorities 
<Note>
  **SSL Configuration**: SSL is enabled by default. For self-signed certificates, you may need to provide the CA certificate or disable certificate validation (not recommended for production).
</Note>
</Step> </Steps>

Create PAM Accounts

Once you have configured the PAM resource, you'll need to configure a PAM account for your MsSQL resource. A PAM Account represents a specific set of credentials that users can request access to. You can create multiple accounts per resource, each with different permission levels.

<Steps> <Step title="Navigate to Resource"> Go to the **Resources** tab in your PAM project and open the MsSQL resource you created. </Step> <Step title="Add New Account"> Click **Add Account**. </Step> <Step title="Fill in Account Details"> Fill in the account details: 
<ParamField path="Name" type="string" required>
  A friendly name for this account (e.g., `readonly-user`, `admin-access`)
</ParamField>

<ParamField path="Description" type="string">
  An optional description for this account.
</ParamField>

<ParamField path="Username" type="string" required>
  The MsSQL username.
</ParamField>

<ParamField path="Password" type="string" required>
  The MsSQL password.
</ParamField>

<ParamField path="Require MFA for Access" type="boolean">
  When enabled, users must complete a multi-factor authentication (MFA) challenge before accessing this account. The MFA method used is determined by the organization's enforced method, the user's configured method, or email as a fallback.
</ParamField>
</Step> </Steps>

Access MsSQL Account

Once your resource and accounts are configured, users can request access through the Infisical CLI:

<Steps> <Step title="Get the Access Command"> 1. Navigate to the **Resources** tab in your PAM project and open the MsSQL resource 2. In the resource's accounts section, find the account you want to access 3. Click the **Access** button for that account 4. Copy the provided CLI command 
The command follows this format:
```bash
infisical pam db access --resource <resource-name> --account <account-name> --project-id <project-id> --duration <duration> --domain <infisical-url>
```
</Step> <Step title="Run the Access Command"> Run the copied command in your terminal. 
The CLI will:
1. Authenticate with Infisical
2. Establish a secure connection through the Gateway
3. Start a local proxy on your machine
4. Display a local connection URL you can use to connect
</Step> <Step title="Connect to MsSQL"> Once the proxy is running, connect to MsSQL using the connection details displayed by the CLI. You can use any MsSQL client — no password is needed, as the Gateway injects the real credentials on your behalf. 
**Using sqlcmd:**
```bash
sqlcmd -S 127.0.0.1,<port> -U <username> -d <database>
```

**Using other clients:**

You can also use GUI clients such as SQL Server Management Studio (SSMS), Azure Data Studio, DBeaver, DataGrip, or TablePlus. Point them to `127.0.0.1` on the port shown in the CLI output with the username and database from the connection details. Leave the password field empty.
</Step> <Step title="End the Session"> When you're done, stop the proxy by pressing `Ctrl+C` in the terminal where it's running. This will: - Close the secure tunnel - End the session - Log the session details to Infisical 
You can view session logs in the **Sessions** page of your PAM project.
</Step> </Steps>