As a fan of the Veeam Data Integration API, I have been spending time with a related but separate topic: Database Publish (referred to as Data Publishing in the Veeam documentation). The goal was to make backed-up databases available to another system for analysis, without permanently restoring them or affecting production.
What is Data Publishing?
Data Publishing is a feature in Veeam Backup & Replication that has been available for Microsoft SQL and Oracle for a while and was later extended to PostgreSQL and MongoDB. The mechanics are straightforward:
Veeam mounts the backup data read-only, attaches the database files to the target engine, and keeps a write cache for any changes made during the session. When the session ends, the write cache is discarded. The source backup is untouched. The result is a database accessible via standard database protocols. You can connect to it, run queries, inspect schema and data, and then walk away and grab a coffee. No permanent restore, no impact on production. Veeam handles the cleanup.
The Script
The script is a PowerShell sample script that automates the full DB Publish lifecycle for Microsoft SQL, PostgreSQL, and MongoDB. An optional query file makes it easy to run any set of queries against the published instance. The query file is a plain JSON document with one section per database engine. It ships with a set of sample queries:
- MSSQL: recently created principals, sysadmin role members, orphaned users
- PostgreSQL: privileged roles
- MongoDB: user and role listings, and database sizes
These are starting points. The file is easy to extend: Add a name, description, and query, and the script picks it up automatically.
Before any query runs, the script checks it against a keyword blocklist: DROP, DELETE, INSERT, UPDATE, CREATE, TRUNCATE, EXEC, ALTER, GRANT, REVOKE, SHUTDOWN, KILL, MERGE, and REPLACE. Since the published database is read-only at the disk level (any writes go to a temporary cache), the main reason for this filter is not data protection but to avoid generating large amounts of write cache data through bulk operations. Keep that in mind when writing custom queries.
Note: Once the publish session is active, Veeam does allow you to export the modified database, including any cached changes. This is not part of this script, but it is worth knowing the option exists.
Credentials
Passwords can be provided in three ways: directly in the script (not recommended), as command-line parameters, or stored in encrypted XML files. The encrypted files use Windows DPAPI, meaning they can only be decrypted by the same Windows user on the same machine. The XML approach is recommended as passwords never appear in the script code or command line history.
Summary
The script covers the mechanics of Data Publishing for three database engines and provides a possibility for running custom queries against the published instance. The query file keeps that logic separate from the script. It is a starting point and can be extended as needed. The script and sample query file are available on GitHub.
