Script out SQL Server Credentials and Proxies

Problem

It is often a requirement to migrate a database from one SQL Server instance to another and that often involves migrating server objects used in the SQL Server Agent Jobs, but there is not an easy option to export credentials and proxies that are used for running SQL Server Agent jobs. In this tip we look at a way we can automtically generate scripts to recreate the credentials and proxies.

Solution

We will first setup a sample credential and proxy and then use this to generate the scripts.

Create Sample Credential and Proxy

We will first create a credential and proxy that we can then use to generate the creation scripts. We will use this link from Microsoft on how to create a proxy with credentials and then we will show the output of the script. The script from Microsoft is as follows. If you want to do this on your server, you will need to modify the IDENTITY value in the script for a valid account on your system.

-- creates credential CatalogApplicationCredential  
USE msdb;  
GO
CREATE CREDENTIAL CatalogApplicationCredential WITH IDENTITY = 'REDMOND/TestUser', SECRET = 'G3$1o)lkJ8HNd!';  
GO  
-- creates proxy "Catalog application proxy" and assigns the credential 'CatalogApplicationCredential' to it
EXEC dbo.sp_add_proxy  
    @proxy_name = 'Catalog application proxy',  
    @enabled = 1,  
    @description = 'Maintenance tasks on catalog application.',  
    @credential_name = 'CatalogApplicationCredential' ;  
GO
  
-- grants the proxy "Catalog application proxy" access to the Operating System (CmdExec) subsystem.  
EXEC dbo.sp_grant_proxy_to_subsystem  
    @proxy_name = N'Catalog application proxy',  
    @subsystem_id = 3 ;  
GO

When this script from is run (with a valid domain user and password) it first creates the credential named “CatalogApplicationCredential” and then creates a proxy named “Catalog application proxy” and finally enables the proxy to run Operating System commands.

Generate Credential and Proxy Scripts Based on Existing Configuration

Now that we have an example credential and proxy, we can use this sample to generate the scripts so we can recreate these on another instance of SQL Server. Here is the script that will output the commands to create the credential and proxies from the system:

-- Get the credentials from sys.credentials, the password is unknown
SELECT 'CREATE CREDENTIAL '+[name]+' WITH IDENTITY='''+[credential_identity]+''',SECRET=''G3$1o)lkJ8HNd!'''
FROM [sys].[credentials]
ORDER BY [name]

-- Get the proxies from sp_help_proxy and sys.credentials
CREATE TABLE #Info ([proxy_id] INT, [name] SYSNAME, [credential_identity] SYSNAME, [enabled] TINYINT, [description] NVARCHAR(1024), [user_sid] VARBINARY(85), [credential_id] INT, [credential_identity_exists] INT)
INSERT INTO #Info 
EXEC sp_help_proxy
SELECT 'EXEC dbo.sp_add_proxy @proxy_name='''+[i].[name]+''',@enabled='+CAST([enabled] AS VARCHAR)+',@description='+(CASE WHEN [description] IS NULL THEN 'NULL' ELSE ''''+[description]+'''' END)+',@credential_name='''+[c].[name]+''''
FROM #Info [i]
INNER JOIN [sys].[credentials] [c] ON [c].[credential_id] = [i].[credential_id]
DROP TABLE #Info

-- Get the proxy authorizations from sp_enum_proxy_for_subsystem
CREATE TABLE #Info2([subsystem_id] INT, [subsystem_name] SYSNAME, [proxy_id] INT, [proxy_name] SYSNAME)
INSERT INTO #Info2 EXEC sp_enum_proxy_for_subsystem
SELECT 'EXEC dbo.sp_grant_proxy_to_subsystem @proxy_name=N'''+[proxy_name]+''',@subsystem_id='+CAST([subsystem_id] AS VARCHAR) 
FROM #Info2
DROP TABLE #Info2

  • First we get the credentials from sys.credentials (note that you need to input the password the password will not be returned via the script).
  • Then we get the proxies from sp_help_proxy into a temp table to output as a command.
  • Finally we get the proxy authorizations from sp_enum_proxy_for_subsystem into a temp table to output as a command.

Here is the output it produces after it is run:

CREATE CREDENTIAL CatalogApplicationCredential WITH IDENTITY='REDMOND/TestUser',SECRET='G3$1o)lkJ8HNd!'
EXEC dbo.sp_add_proxy @proxy_name='Catalog application proxy',@enabled=1,@description='Maintenance tasks on catalog application.',@credential_name='CatalogApplicationCredential'
EXEC dbo.sp_grant_proxy_to_subsystem @proxy_name=N'Catalog application proxy',@subsystem_id=3

You can see, the output from the script is the same as the original provided by Microsoft, although formatted a little differenlty.

Note that you must know the password of the user specified in the credential, as there’s no official way to retrieve it. You will need to ask someone that knows the password or as a last resort, you will have to change it.

Next Steps

3 Comments

  1. For the credentials script, database context ‘MASTER’ should be ok, but for proxy scripts you need to run them under ‘MSDB’ database otherwise your script will fail.

  2. Hi PH, you can modify the column to allow nulls, and then check why the name is empty: [credential_identity] SYSNAME NULL

  3. Getting below error

    Msg 515, Level 16, State 2, Line 10
    Cannot insert the value NULL into column ‘credential_identity’, table ‘tempdb.dbo.#Info_______________________________________________________________________________________________________________000000211586’; column does not allow nulls. INSERT fails.
    The statement has been terminated.

Leave a Reply

Your email address will not be published. Required fields are marked *