My Digital Garden

Add role-based access to CosmosDB

Context

An important hardening step for Azure Cosmos DB, and one that Defender for Cloud raises as a recommendation, is to require every data-plane request to be authenticated with a Microsoft Entra ID (formerly Azure AD) identity and to block access through the account keys and connection strings (what the account property `disableLocalAuth` calls local authentication). Cosmos DB authorises those identities through its own built-in data-plane RBAC rather than Azure RBAC, so before the keys are switched off every user, service principal and managed identity that reads or writes data needs a Cosmos DB role assignment; otherwise disabling local auth is an outage, not a hardening.

Examples

Granting data contributor access to an individual Azure AD account

  1. Look up the object ID of the account (a user, service principal or managed identity) in Azure AD; this is the value passed as `--principal-id`.
  2. In the Azure portal, open the Cosmos DB account and start a Cloud Shell (Bash).
  3. Put the object ID in a variable: `objectId='486dadbf-58e0-4c8e-8922-df63ee598066'`
  4. Create the role assignment. `--scope "/"` is the whole account (`/dbs/<database>` or `/dbs/<database>/colls/<container>` narrows it), and `00000000-0000-0000-0000-000000000002` is the role definition ID of Cosmos DB Built-in Data Contributor (`00000000-0000-0000-0000-000000000001` is Built-in Data Reader): `az cosmosdb sql role assignment create --account-name ssatwebformstest --resource-group webforms-staging --scope "/" --principal-id $objectId --role-definition-id "00000000-0000-0000-0000-000000000002"`
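The four steps above as one script, an added example that is not code from the original note: it resolves the principal for a user, service principal or managed identity, validates it, creates the assignment, and then does the two things the Context section asks for that the steps leave out, switching off key-based authentication with `disableLocalAuth` and verifying the result. Account, resource group, principal and role are positional arguments; `DRY_RUN=1` prints each `az` command instead of calling Azure. The role definition GUIDs and the `az` subcommands are the documented ones; the function names, argument order and the `DRY_RUN` switch are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not code from the original note: grant a principal a Cosmos DB
# built-in data-plane role, disable key/connection-string auth, and verify.
# Account, resource group, principal and role are arguments; the role
# definition GUIDs are the documented Cosmos DB built-in ones. Function names
# and argument order are this example's own.
set -eu

# Well-known Cosmos DB built-in data-plane role definitions.
ROLE_READER="00000000-0000-0000-0000-000000000001"       # Cosmos DB Built-in Data Reader
ROLE_CONTRIBUTOR="00000000-0000-0000-0000-000000000002"  # Cosmos DB Built-in Data Contributor

# DRY_RUN=1 prints each az command on one line instead of executing it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: resolve the object ID that becomes --principal-id. These are live
# az calls and are deliberately not wrapped in run.
user_object_id()  { az ad user show --id "$1" --query id -o tsv; }   # UPN or object ID
sp_object_id()    { az ad sp show --id "$1" --query id -o tsv; }     # appId or object ID
mi_principal_id() { az identity show --name "$1" --resource-group "$2" --query principalId -o tsv; }

# Refuse anything that is not a GUID so a UPN or app name never reaches az.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Map a friendly name to a built-in role; fail closed on anything else.
role_id() {
  case "$1" in
    reader)      echo "$ROLE_READER" ;;
    contributor) echo "$ROLE_CONTRIBUTOR" ;;
    *) echo "unknown role '$1' (use reader|contributor)" >&2; return 1 ;;
  esac
}

# Step 4: create the assignment. Scope "/" is the whole account;
# "/dbs/<db>" or "/dbs/<db>/colls/<container>" narrows it.
assign_data_role() {
  account="$1"; rg="$2"; principal="$3"; role="$4"; scope="${5:-/}"
  is_guid "$principal" || { echo "principal must be an object ID GUID, got '$principal'" >&2; return 1; }
  rid="$(role_id "$role")" || return 1
  run az cosmosdb sql role assignment create \
    --account-name "$account" --resource-group "$rg" \
    --scope "$scope" --principal-id "$principal" --role-definition-id "$rid"
}

# Block keys and connection strings: disableLocalAuth is an ARM property on
# the account, set here through the generic az resource command.
disable_local_auth() {
  account="$1"; rg="$2"
  run az resource update --resource-type "Microsoft.DocumentDB/databaseAccounts" \
    --resource-group "$rg" --name "$account" --set properties.disableLocalAuth=true
}

# Confirm the assignment exists and local auth is off (the last call should print "true").
verify() {
  account="$1"; rg="$2"
  run az cosmosdb sql role assignment list --account-name "$account" --resource-group "$rg" -o table
  run az cosmosdb show --name "$account" --resource-group "$rg" --query disableLocalAuth -o tsv
}

main() {
  account="$1"; rg="$2"; principal="$3"; role="${4:-contributor}"
  assign_data_role "$account" "$rg" "$principal" "$role"
  disable_local_auth "$account" "$rg"
  verify "$account" "$rg"
}

# Usage: ./cosmos-rbac.sh ssatwebformstest webforms-staging 486dadbf-58e0-4c8e-8922-df63ee598066 contributor
if [ "$#" -ge 3 ]; then main "$@"; fi
```

Run `disable_local_auth` last, and only after every identity that talks to the account has its assignment: once the property is set, requests signed with a key or a resource token are rejected, and that includes any Function app still configured with a connection string. Prefer the database or container scope over `/` unless the principal genuinely needs the whole account.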

See also

Configure role-based access control with Microsoft Entra ID for your Azure Cosmos DB account

CosmosDB Identity-based connections in Azure Functions

(source: Configure an identity-based connection)

Cosmos DB does not use Azure RBAC for data operations. Instead, it uses a Cosmos DB built-in RBAC system which is built on similar concepts. You will need to create a role assignment that provides access to your database account at runtime. Azure RBAC Management roles like Owner are not sufficient. The following table shows built-in roles that are recommended when using the Azure Cosmos DB extension in normal operation. Your application may require additional permissions based on the code you write.

|Binding type|Example built-in roles¹|
|-----|-----|
|Trigger²|Cosmos DB Built-in Data Contributor|
|Input binding|Cosmos DB Built-in Data Reader|
|Output binding|Cosmos DB Built-in Data Contributor|

  1. These roles cannot be used in an Azure RBAC role assignment. See the Cosmos DB built-in RBAC system documentation for details on how to assign these roles.
  2. When using identity, Cosmos DB treats container creation as a management operation. It is not available as a data-plane operation for the trigger. You will need to ensure that you create the containers needed by the trigger (including the lease container) before setting up your function.
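The table and both footnotes applied to a Function app, as an added example that is not code from the note or from Microsoft's documentation: the monitored and lease containers are created through the control plane first (footnote 2), the app's system-assigned identity gets the built-in role the binding type needs at database scope (footnote 1), and the key-bearing `CosmosDbConnection` app setting is replaced by the `CosmosDbConnection__accountEndpoint` setting that the Cosmos DB extension reads for identity-based connections. `CosmosDbConnection` is an assumed connection name (the prefix is whatever the binding's `Connection` property names), the sample database and container names in the usage line are made up, and `DRY_RUN=1` prints the commands instead of calling Azure; the `az` subcommands, the `__accountEndpoint` suffix and the role definition GUIDs are the documented ones.

```bash
#!/usr/bin/env bash
# Added example, not from the original note or Microsoft's docs: move an Azure
# Functions app from a key-based Cosmos DB connection string to an
# identity-based connection. Names are positional arguments; the connection
# name prefix CosmosDbConnection is an assumption.
set -eu

ROLE_READER="00000000-0000-0000-0000-000000000001"       # Cosmos DB Built-in Data Reader
ROLE_CONTRIBUTOR="00000000-0000-0000-0000-000000000002"  # Cosmos DB Built-in Data Contributor

# DRY_RUN=1 prints each az command instead of running it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Control plane (footnote 2): with an identity the trigger cannot create
# containers, so the monitored container and the lease container must exist
# before deployment. These calls go through ARM, so they keep working after
# disableLocalAuth is set. The extension expects the lease container to be
# partitioned on /id.
ensure_containers() {
  account="$1"; rg="$2"; db="$3"; container="$4"; pk="$5"
  run az cosmosdb sql database create --account-name "$account" --resource-group "$rg" --name "$db"
  run az cosmosdb sql container create --account-name "$account" --resource-group "$rg" \
    --database-name "$db" --name "$container" --partition-key-path "$pk"
  run az cosmosdb sql container create --account-name "$account" --resource-group "$rg" \
    --database-name "$db" --name leases --partition-key-path /id
}

# Data plane (footnote 1): a trigger or output binding writes (leases,
# documents) and needs Data Contributor; an input binding only needs Data
# Reader. Scoping to /dbs/<db> instead of / keeps the grant tight.
grant_binding_role() {
  account="$1"; rg="$2"; principal="$3"; binding="$4"; db="$5"
  case "$binding" in
    trigger|output) role="$ROLE_CONTRIBUTOR" ;;
    input)          role="$ROLE_READER" ;;
    *) echo "unknown binding type '$binding' (use trigger|input|output)" >&2; return 1 ;;
  esac
  run az cosmosdb sql role assignment create --account-name "$account" --resource-group "$rg" \
    --scope "/dbs/$db" --principal-id "$principal" --role-definition-id "$role"
}

# App settings: the weak form is one CosmosDbConnection value holding
# AccountEndpoint=...;AccountKey=...; the hardened form is
# <prefix>__accountEndpoint, which makes the extension authenticate with the
# app's managed identity instead of a key.
configure_identity_connection() {
  app="$1"; rg="$2"; account="$3"; prefix="${4:-CosmosDbConnection}"
  run az functionapp config appsettings delete --name "$app" --resource-group "$rg" --setting-names "$prefix"
  run az functionapp config appsettings set --name "$app" --resource-group "$rg" \
    --settings "${prefix}__accountEndpoint=https://${account}.documents.azure.com:443/"
}

main() {
  account="$1"; rg="$2"; app="$3"; db="$4"; container="$5"; pk="${6:-/id}"
  ensure_containers "$account" "$rg" "$db" "$container" "$pk"
  # Live call: enable the system-assigned identity and capture its object ID.
  principal="$(az functionapp identity assign --name "$app" --resource-group "$rg" --query principalId -o tsv)"
  grant_binding_role "$account" "$rg" "$principal" trigger "$db"
  configure_identity_connection "$app" "$rg" "$account"
}

# Usage: ./functions-cosmos-identity.sh <account> <resource-group> <function-app> <database> <container> [partition-key]
if [ "$#" -ge 5 ]; then main "$@"; fi
```

For a user-assigned identity the extension additionally needs `<prefix>__credential=managedidentity` and `<prefix>__clientId` set to that identity's client ID; with only `__accountEndpoint` it falls back to the system-assigned identity. Grant exactly the role the binding type in the table requires, and keep the assignment at database or container scope; an account-wide Data Contributor for every function app is the permission sprawl this migration is meant to remove.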