Vault: MSSQL storage backend does not work with Azure SQL Server

https://github.com/hashicorp/vault/blob/df18871704fe869e9be45b542a6b1eb2fe46c293/physical/mssql/mssql.go#L108 also fails with Error initializing storage of type mssql: failed to create mssql database: Login error: mssql: Cannot open user default database. Using master database instead. when a user with access to just the "Vault" database is created. (That is not what this issue is about, that was worked around by just adding the user to the master database)

The problematic line seems to be this one. It seems like using the object_id method should work on both normal SQL Server and the Azure version.

I found a solution to this bug. I added two pieces to vault/physical/mssql/mssql.go file:

https://github.com/hbwheat/vault/blob/9d2dd6ed996ef092ff1f5eeb0674e600445c0194/physical/mssql/mssql.go#L97-L101

https://github.com/hbwheat/vault/blob/9d2dd6ed996ef092ff1f5eeb0674e600445c0194/physical/mssql/mssql.go#L116-L119

My config.hcl file now looks like:

storage "mssql" {
    server = "AzureSQL"
    username = "user"
    password = "password"
    database = "vaultdb"
    table = "vault"
    dbCreated = "1"
}

I'd love to do a pull request if this is a viable solution to get the backend working with Azure SQL.

I didn't want to potentially break any SQL commands by changing them, but rather just add the database to the connectionString if it was already created for the Azure SQL VM in question.

Also, verified that there is a new table "dbo.vault" under tables in this database when starting vault.

To add, the much easier solution with connecting to an Azure SQL is to add the database connection string the end of the server parameter. This doesn't require changing the underlying Go code at all.

1) Create a db in Azure SQL
2) Append "server" with a database string

ie:

server = "azuresqlservername.database.cloudapi.net;databasae=vaultdb"

@hbwheat Thanks for digging into this and finding a workaround! My preference would be to keep the configuration simple and update our code to handle both cases gracefully, if possible. I've not looked in the details of what that might be (maybe the object_id approach, or something else), and would welcome a PR. Do you have access to both a normal SQL server as well as Azure's version to try it out?

@kalafut
That’s certainly more preferable than a work around. I was able to replicate the error from queries in SQL Management Studio run on the master database.

Unfortunately I’m not much of a DB Admin, and I only have access to Azure AQL at the moment.

From what I can tell, it’s an inherit limitation in Azure SQL and the way it allows connections. The Go module connects to the master by default and Azure doesn’t like queries across databases if the database exists already.

So if the db doesn’t exist Vault will create a db with a bunch of default settings. If it does exist already it errors out with cross db query not allowed.