As part of this series for the holidays, we are going to be working with Azure Cosmos DB for NoSQL and accessing the database without requiring any passwords in our application.
Note: This series is a part of the Festive Tech Calendar, C# Advent Calendar, and .NET Advent Calendar. Be sure to check them out!
Azure Cosmos DB currently supports role-based access control (RBAC) for their NoSQL API. In this post, we will:
- Create a read-only role
- Create a read-write role
- Assign the read-write role to our Azure CLI user principal
The steps we take in this post are based on the official page – Configure role-based access control with Azure Active Directory for your Azure Cosmos DB account. However, we aren’t going to get in depth on the theory of RBAC or getting into as much detail as the article.
Create custom roles
We will follow the steps outlined in Create custom role definitions and create custom roles for read-only and read-write access via JSON files.
In GitHub, I have two files for these roles. This is the content for the read-only role (holiday-creatures/cosmos-rbac-setup/cosmos-readonly-role.json):
{
  "RoleName": "CosmosDBDataReader",
  "Type": "CustomRole",
  "AssignableScopes": ["/"],
  "Permissions": [{
    "DataActions": [
      "Microsoft.DocumentDB/databaseAccounts/readMetadata",
      "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
      "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeQuery",
      "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed"
    ]
  }]
}
The custom role named CosmosDBDataReader grants permission for:
- Reading metadata
- Reading an individual item in a container
- Executing SQL queries in containers
- Reading from the change feed of a container
This is the content for the read-write role (holiday-creatures/cosmos-rbac-setup/cosmos-readwrite-role.json):
{
  "RoleName": "CosmosDBDataContributor",
  "Type": "CustomRole",
  "AssignableScopes": ["/"],
  "Permissions": [{
    "DataActions": [
      "Microsoft.DocumentDB/databaseAccounts/readMetadata",
      "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*",
      "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*"
    ]
  }]
}
The custom role named CosmosDBDataContributor grants permission for:
- Reading metadata
- Doing everything – including creating, reading, upserting, and deleting – with items in containers
- Doing everything with containers
To create these roles, we will use Azure CLI. Since I use my Azure CLI within a PowerShell prompt, my variables are PowerShell style. This is the command I used for the read-only role:
$resourceGroupName="YOUR_RESOURCE_GROUP_NAME"
$accountName="YOUR_COSMOS_DB_ACCOUNT_NAME"
az cosmosdb sql role definition create --account-name $accountName --resource-group $resourceGroupName --body @cosmos-readonly-role.json
After running this command, make note of the roleDefinitionId, which comes back in the name field. You will need that value in order to assign the role to the managed identity that we create later. You can store that in a variable named $readOnlyRoleDefinitionId.
$readOnlyRoleDefinitionId = "THE_VALUE_FROM_THE_NAME_FIELD_IN_RO_RESPONSE"
Then, create the read-write role with the following command:
az cosmosdb sql role definition create --account-name $accountName --resource-group $resourceGroupName --body @cosmos-readwrite-role.json
Again, make note of the name field in the response. You will need that to give your Azure CLI principal read-write access. In this case, you could store the value in a variable named $readWriteRoleDefinitionId.
$readWriteRoleDefinitionId = "THE_VALUE_FROM_THE_NAME_FIELD_IN_RW_RESPONSE"
Assign read-write to the Azure CLI principal
For this step, we are working through the document section labeled Create role assignments.
We already defined $resourceGroupName, $accountName, and $readWriteRoleDefinitionId above. The last thing you need is the objectId for your Azure CLI credential. Store the value for this in a variable named $principalId. You can get this a couple of ways:
- This can be found by searching in Azure AD.
- Another way is to run this command from Azure CLI:
$principalId = (az ad user show --id YOUR_EMAIL_ADDRESS --query id -o tsv)
Once you have the necessary values, assign the role with the following Azure CLI command:
az cosmosdb sql role assignment create --account-name $accountName --resource-group $resourceGroupName --scope "/" --principal-id $principalId --role-definition-id $readWriteRoleDefinitionId
At this point, you have a user that can read and write to your Azure Cosmos DB for NoSQL account.
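The whole procedure above as one PowerShell script, added here as an example and not part of the original post: it creates both role definitions, captures each roleDefinitionId from the name field with --query instead of copying it by hand, assigns read-write to the signed-in Azure CLI user, and then lists the account's role assignments to confirm the assignment exists. It assumes the two JSON files from the post are in the current directory, that you are already logged in with az login, and (in the commented-out least-privilege variant) that a database named holidayDb exists.

```powershell
# Added example, not the post's own script. Assumes cosmos-readonly-role.json and
# cosmos-readwrite-role.json are in the current directory and `az login` was run.
$ErrorActionPreference = "Stop"

$resourceGroupName = "YOUR_RESOURCE_GROUP_NAME"
$accountName       = "YOUR_COSMOS_DB_ACCOUNT_NAME"

# Create the role definitions and keep only the "name" field, which is the roleDefinitionId.
# The @file argument is quoted so PowerShell passes the @ through to az literally.
$readOnlyRoleDefinitionId = az cosmosdb sql role definition create `
    --account-name $accountName --resource-group $resourceGroupName `
    --body "@cosmos-readonly-role.json" --query name -o tsv

$readWriteRoleDefinitionId = az cosmosdb sql role definition create `
    --account-name $accountName --resource-group $resourceGroupName `
    --body "@cosmos-readwrite-role.json" --query name -o tsv

# Object ID of the principal currently logged in to Azure CLI (no e-mail address needed).
$principalId = az ad signed-in-user show --query id -o tsv

# Assign read-write at the account scope ("/"), exactly as the post does.
az cosmosdb sql role assignment create `
    --account-name $accountName --resource-group $resourceGroupName `
    --scope "/" --principal-id $principalId `
    --role-definition-id $readWriteRoleDefinitionId | Out-Null

# Least-privilege variant (assumption: a database named "holidayDb" exists):
# scope the read-only role to a single database rather than the whole account.
# az cosmosdb sql role assignment create `
#     --account-name $accountName --resource-group $resourceGroupName `
#     --scope "/dbs/holidayDb" --principal-id $principalId `
#     --role-definition-id $readOnlyRoleDefinitionId | Out-Null

# Check: list every data-plane role assignment on the account and confirm ours is there.
# roleDefinitionId in the response is the full ARM path ending in the GUID, hence -like.
$assignments = az cosmosdb sql role assignment list `
    --account-name $accountName --resource-group $resourceGroupName | ConvertFrom-Json

$mine = $assignments | Where-Object {
    $_.principalId -eq $principalId -and $_.roleDefinitionId -like "*$readWriteRoleDefinitionId"
}
if (-not $mine) { throw "Read-write role assignment for $principalId was not found." }
$mine | Select-Object principalId, scope, roleDefinitionId | Format-List
```

Running the final listing periodically is also a cheap way to spot data-plane assignments that nobody remembers creating.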
The next step is to create a console app that writes to the database.