Deploying dacpac through sqlpackage.exe with NETWORK SERVICE user

Question

I have a database release pipeline in Azure DevOps Server which deploys our dacpac files through Powershell commands that run the sqlpackage.exe commands to publish the database. I am using the NETWORK SERVICE user to publish the databases to our DEV and QA environment as I wanted to avoid putting the username and password on the release pipeline. We will be deploying these dacpac files to Production soon and the production server is outside our network. Are there security concerns with using the network service user to deploy the dacpac files on a production environment? What alternatives are there besides putting the username and password in secret variables?

Answer 1

In the situation you describe, I can't think of anything to do other than add the username / password as secret variables in the pipeline (as you described).

An approach I've used to avoid the username and password thing is to have the Azure DevOps agent service run as a minimally-privileged Windows service account (rather than NEWTWORK SERVICE). You just have to add that Windows account as a login on the SQL Server instance, and grant it the appropriate permissions for creating and deploying databases with SSDT.

This lets you use Windows auth to connect and deploy to the remote server - but only if that server also "knows" the Windows user (which is probably not the case, as you mentioned the prod server is outside your network - which I assume means it's not on the same Active Directory domain).