more sql

src/pentesting-cloud/azure-security/az-services/az-sql.md

@@ -38,9 +38,37 @@ Note that if any SQL auth is allowed an admin user (username + password) needs t
 
 - It’s possible to assign system and user managed MIs.
 - Used to access the encryption key (is a CMEK is used) and other services from the databases.
+  - For some examples of the Azure services that can be accessed from the database check [this page of the docs](https://learn.microsoft.com/en-us/sql/t-sql/statements/create-external-data-source-transact-sql)
 - If more than one UMI is assigned, It’s possible to indicate the default one to use.
 - It’s possible to configure a federated client identity for cross-tenant access.
 
+Some commands to access info inside a blob storage from a SQL database:
+
+```sql
+-- Create a credential for the managed identity
+CREATE DATABASE SCOPED CREDENTIAL [ManagedIdentityCredential]
+WITH IDENTITY = 'Managed Identity';
+GO
+
+-- Create an external data source pointing to the blob storage to access
+CREATE EXTERNAL DATA SOURCE ManagedIdentity
+WITH (
+   TYPE = BLOB_STORAGE,
+   LOCATION = 'https://testsqlidentity.blob.core.windows.net/sqlcontainer',
+   CREDENTIAL = ManagedIdentityCredential
+);
+GO
+
+-- Read a file from ths storage and return it
+SELECT *
+FROM OPENROWSET(
+   BULK 'message.txt',
+   DATA_SOURCE = 'ManagedIdentity',
+   SINGLE_CLOB
+) AS DataFile;
+GO
+```
+
 **Microsoft Defender:**
 
 - Useful for “mitigating potential database vulnerabilities, and detecting anomalous activities”