---
title: "ALTER DATABASE SCOPED CREDENTIAL (Transact-SQL)"
description: "ALTER DATABASE SCOPED CREDENTIAL changes the properties of a database scoped credential."
author: VanMSFT
ms.author: vanto
ms.date: 09/09/2022
ms.service: sql
ms.subservice: t-sql
ms.topic: reference
ms.custom:
  - ignite-2024
f1_keywords:
  - "ALTER DATABASE SCOPED CREDENTIAL"
  - "ALTER_DATABASE_SCOPED_CREDENTIAL_TSQL"
helpviewer_keywords:
  - "ALTER DATABASE SCOPED CREDENTIAL statement"
  - "credentials [SQL Server], ALTER DATABASE SCOPED CREDENTIAL statement"
dev_langs:
  - "TSQL"
monikerRange: "=azuresqldb-current || =azure-sqldw-latest || =fabric"
---
# ALTER DATABASE SCOPED CREDENTIAL (Transact-SQL)

[!INCLUDE [SQL Server Azure SQL Database Azure SQL Managed Instance Azure Synapse Analytics PDW FabricSQLDB](../../includes/applies-to-version/sql-asdb-asdbmi-asa-pdw-fabricsqldb.md)]

  Changes the properties of a database scoped credential.

 :::image type="icon" source="../../includes/media/topic-link-icon.svg" border="false"::: [Transact-SQL syntax conventions](../../t-sql/language-elements/transact-sql-syntax-conventions-transact-sql.md)

## Syntax

```syntaxsql
ALTER DATABASE SCOPED CREDENTIAL credential_name WITH IDENTITY = 'identity_name'
    [ , SECRET = 'secret' ]
```

## Arguments

#### *credential_name*

 Specifies the name of the database scoped credential that is being altered.

#### IDENTITY ='*identity_name*'

 Specifies the name of the account to be used when connecting outside the server. To import a file from Azure Blob storage, the identity name must be `SHARED ACCESS SIGNATURE`.  For more information about shared access signatures, see [Using Shared Access Signatures (SAS)](/azure/storage/storage-dotnet-shared-access-signature-part-1).

#### SECRET ='*secret*'

 Specifies the secret required for outgoing authentication. *secret* is required to import a file from Azure Blob storage. *secret* may be optional for other purposes.

> [!WARNING]  
>  The SAS key value might begin with a '?' (question mark). When you use the SAS key, you must remove the leading '?'. Otherwise your efforts might be blocked.

## Remarks

 When a database scoped credential is changed, the values of both *identity_name* and *secret* are reset. If the optional SECRET argument is not specified, the value of the stored secret will be set to NULL.

 The secret is encrypted by using the service master key. If the service master key is regenerated, the secret is reencrypted by using the new service master key.

 Information about database scoped credentials is visible in the [sys.database_scoped_credentials](../../relational-databases/system-catalog-views/sys-database-scoped-credentials-transact-sql.md) catalog view.

 When granting permissions for a shared access signatures (SAS) for use with a PolyBase external table, select both **Container** and **Object** as allowed resource types. If not granted, you may receive error 16535 or 16561 when attempting to access the external table.


## Permissions

 Requires `ALTER` permission on the credential.

## Examples

### A. Change the password of a database scoped credential

 The following example changes the secret stored in a database scoped credential called `Saddles`. The database scoped credential contains the Windows login `RettigB` and its password. The new password is added to the database scoped credential using the SECRET clause.

```sql
ALTER DATABASE SCOPED CREDENTIAL AppCred WITH IDENTITY = 'RettigB',
    SECRET = 'sdrlk8$40-dksli87nNN8';
GO
```

### B. Remove the password from a credential

 The following example removes the password from a database scoped credential named `Frames`. The database scoped credential contains Windows login `Aboulrus8` and a password. After the statement is executed, the database scoped credential will have a NULL password because the SECRET option is not specified.

```sql
ALTER DATABASE SCOPED CREDENTIAL Frames WITH IDENTITY = 'Aboulrus8';
GO
```

## Next steps

- [Credentials &#40;Database Engine&#41;](../../relational-databases/security/authentication-access/credentials-database-engine.md)
- [CREATE DATABASE SCOPED CREDENTIAL (Transact-SQL)](../../t-sql/statements/create-database-scoped-credential-transact-sql.md)
- [DROP DATABASE SCOPED CREDENTIAL (Transact-SQL)](../../t-sql/statements/drop-database-scoped-credential-transact-sql.md)
- [sys.database_scoped_credentials](../../relational-databases/system-catalog-views/sys-database-scoped-credentials-transact-sql.md)
- [CREATE CREDENTIAL (Transact-SQL)](../../t-sql/statements/create-credential-transact-sql.md)
- [sys.credentials (Transact-SQL)](../../relational-databases/system-catalog-views/sys-credentials-transact-sql.md)