Answer-first summary for fast verification
Answer: a database scoped credential
## Explanation When querying Azure Blob Storage from Azure Synapse Analytics serverless SQL pool using Shared Access Signature (SAS) authorization without defining a data source, the correct approach is to create a **database-scoped credential**. ### Why Database-Scoped Credential (Option D) is Correct: - **SAS Token Storage**: Database-scoped credentials are specifically designed to store authentication information, including SAS tokens, at the database level within Synapse Analytics. - **Ad-hoc Query Support**: This credential type enables ad-hoc queries using functions like `OPENROWSET` without requiring the creation of external data sources or external tables. - **Direct Access**: With a database-scoped credential containing the SAS token, you can directly query storage using syntax like: ```sql SELECT * FROM OPENROWSET( BULK 'https://storage1.blob.core.windows.net/container/file.csv', FORMAT = 'CSV', CREDENTIAL = 'my_scoped_credential' ) AS [result] ``` - **Security Scope**: The credential is scoped to the specific database, providing appropriate security boundaries. ### Why Other Options Are Incorrect: - **Stored Access Policy (Option A)**: This is an Azure Storage feature for managing SAS tokens at the storage account level, not a Synapse Analytics authentication mechanism for querying storage. - **Server-Level Credential (Option B)**: Server-level credentials exist in dedicated SQL pools but are not available or appropriate for serverless SQL pools in Synapse Analytics. - **Managed Identity (Option C)**: While managed identities provide excellent authentication for many Azure services, they are not used for SAS token-based authentication scenarios and would require different configuration approaches. ### Best Practice Consideration: Using database-scoped credentials with SAS tokens provides a secure and flexible method for ad-hoc queries while maintaining the principle of least privilege, as the SAS token can be configured with specific permissions and expiration times.
Author: LeetQuiz Editorial Team
Ultimate access to all questions.
No comments yet.
You have an Azure Blob storage account named storage1 and an Azure Synapse Analytics serverless SQL pool named Pool1. You plan to execute ad-hoc queries from Pool1 that target data in storage1. You need to enable the use of shared access signature (SAS) authorization without defining a data source. What should you create first?
A
a stored access policy
B
a server-level credential
C
a managed identity
D
a database scoped credential