Microsoft Azure Data Engineer Associate - DP-203

Get started today

Ultimate access to all questions.

Explanation:

Explanation

When querying Azure Blob Storage from Azure Synapse Analytics serverless SQL pool using Shared Access Signature (SAS) authorization without defining a data source, the correct approach is to create a database-scoped credential.

Why Database-Scoped Credential (Option D) is Correct:

SAS Token Storage: Database-scoped credentials are specifically designed to store authentication information, including SAS tokens, at the database level within Synapse Analytics.
Ad-hoc Query Support: This credential type enables ad-hoc queries using functions like OPENROWSET without requiring the creation of external data sources or external tables.

Direct Access: With a database-scoped credential containing the SAS token, you can directly query storage using syntax like:

SELECT * FROM OPENROWSET(
    BULK 'https://storage1.blob.core.windows.net/container/file.csv',
    FORMAT = 'CSV',
    CREDENTIAL = 'my_scoped_credential'
) AS [result]

SELECT * FROM OPENROWSET(
    BULK 'https://storage1.blob.core.windows.net/container/file.csv',
    FORMAT = 'CSV',
    CREDENTIAL = 'my_scoped_credential'
) AS [result]

Security Scope: The credential is scoped to the specific database, providing appropriate security boundaries.

Why Other Options Are Incorrect:

Stored Access Policy (Option A): This is an Azure Storage feature for managing SAS tokens at the storage account level, not a Synapse Analytics authentication mechanism for querying storage.
Server-Level Credential (Option B): Server-level credentials exist in dedicated SQL pools but are not available or appropriate for serverless SQL pools in Synapse Analytics.
Managed Identity (Option C): While managed identities provide excellent authentication for many Azure services, they are not used for SAS token-based authentication scenarios and would require different configuration approaches.

Best Practice Consideration:

Using database-scoped credentials with SAS tokens provides a secure and flexible method for ad-hoc queries while maintaining the principle of least privilege, as the SAS token can be configured with specific permissions and expiration times.

Explanation:

Explanation

Why Database-Scoped Credential (Option D) is Correct:

SAS Token Storage: Database-scoped credentials are specifically designed to store authentication information, including SAS tokens, at the database level within Synapse Analytics.
Ad-hoc Query Support: This credential type enables ad-hoc queries using functions like OPENROWSET without requiring the creation of external data sources or external tables.

Direct Access: With a database-scoped credential containing the SAS token, you can directly query storage using syntax like:

SELECT * FROM OPENROWSET(
    BULK 'https://storage1.blob.core.windows.net/container/file.csv',
    FORMAT = 'CSV',
    CREDENTIAL = 'my_scoped_credential'
) AS [result]

SELECT * FROM OPENROWSET(
    BULK 'https://storage1.blob.core.windows.net/container/file.csv',
    FORMAT = 'CSV',
    CREDENTIAL = 'my_scoped_credential'
) AS [result]

Security Scope: The credential is scoped to the specific database, providing appropriate security boundaries.

Why Other Options Are Incorrect:

Stored Access Policy (Option A): This is an Azure Storage feature for managing SAS tokens at the storage account level, not a Synapse Analytics authentication mechanism for querying storage.
Server-Level Credential (Option B): Server-level credentials exist in dedicated SQL pools but are not available or appropriate for serverless SQL pools in Synapse Analytics.
Managed Identity (Option C): While managed identities provide excellent authentication for many Azure services, they are not used for SAS token-based authentication scenarios and would require different configuration approaches.

Best Practice Consideration:

Comments (0)

No comments yet.

You have an Azure Blob storage account named `storage1` and an Azure Synapse Analytics serverless SQL pool named `Pool1`. You plan to execute ad-hoc queries from `Pool1` that target data in `storage1`. You need to enable the use of shared access signature (SAS) authorization without defining a data source. What should you create first?

Exam-Like

a stored access policy

a server-level credential

a managed identity

a database scoped credential