Tags: azure, azure-cosmosdb, role-based-access-control

Azure Cosmos DB read data using role based access control


I have a CosmosDB in Azure, I want to give a user access to read the data inside various collections.

I tried giving them the 'Reader' role; it let them see that there existed a CosmosDB, and they could see some metadata, but they were unable to access the data within.

I assigned them the 'Cosmos DB Account Reader' and this had better results.

But it seems to me that the 'Reader' role should supersede the 'Cosmos DB Account Reader' role. Or am I on the wrong track here? I believed that the 'Reader' role gave all read access.

EDIT:
There seems to be no issue using the built-in 'Data Explorer' on portal.azure.com.

The real issue is using cosmos.azure.com: logging in using Active Directory did not let the user see anything with the 'Cosmos DB Account Reader' role. Might be it requires that a user has write access.


Solution

  • In order to read the data from Cosmos DB accounts, a user should be in a role that allows fetching access keys. A Reader role does not have this capability. However, the Cosmos DB Account Reader role has the capability to fetch the read-only access keys, using which a user in this role can read the data (but not make any changes to that data).

    From this link, here's the definition of Cosmos DB Account Reader role:

    {
      "assignableScopes": [
        "/"
      ],
      "description": "Can read Azure Cosmos DB Accounts data",
      "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
      "name": "fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
      "permissions": [
        {
          "actions": [
            "Microsoft.Authorization/*/read",
            "Microsoft.DocumentDB/*/read",
            "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
            "Microsoft.Insights/MetricDefinitions/read",
            "Microsoft.Insights/Metrics/read",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
            "Microsoft.Support/*"
          ],
          "notActions": [],
          "dataActions": [],
          "notDataActions": []
        }
      ],
      "roleName": "Cosmos DB Account Reader Role",
      "roleType": "BuiltInRole",
      "type": "Microsoft.Authorization/roleDefinitions"
    }
    

    The Microsoft.DocumentDB/databaseAccounts/readonlykeys/action action enables getting the read-only access keys and thus reading the data.
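    To see why 'Reader' does not cover the key-fetch action while 'Cosmos DB Account Reader' does, the following added example (not part of the answer above) evaluates both role definitions against the relevant control-plane actions using Azure RBAC's wildcard rule ('*' matches any run of characters, case-insensitively; effective permission = Actions minus NotActions). It assumes the built-in Reader role's action list is exactly "*/read" and that Microsoft.DocumentDB/databaseAccounts/listKeys/action is the read-write key action; the Cosmos DB Account Reader actions are copied from the definition quoted above.

```python
import re

# Azure RBAC action strings: '*' matches any run of characters and matching is
# case-insensitive, so "*/read" covers every action ending in "/read" but not
# one ending in "/action". Simplified model of the documented wildcard rule.
def action_matches(pattern: str, action: str) -> bool:
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None

def role_allows(role: dict, action: str) -> bool:
    """Effective control-plane permission = Actions minus NotActions."""
    for perm in role["permissions"]:
        allowed = any(action_matches(p, action) for p in perm["actions"])
        denied = any(action_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False

# Built-in Reader: every */read control-plane action and nothing else (assumed).
READER = {"roleName": "Reader", "permissions": [
    {"actions": ["*/read"], "notActions": [], "dataActions": [], "notDataActions": []}]}

# Cosmos DB Account Reader: action list copied from the role definition above.
# Note dataActions is empty: data access comes only via the fetched keys.
COSMOS_ACCOUNT_READER = {"roleName": "Cosmos DB Account Reader Role", "permissions": [
    {"actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.DocumentDB/*/read",
        "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
        "Microsoft.Insights/MetricDefinitions/read",
        "Microsoft.Insights/Metrics/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"],
     "notActions": [], "dataActions": [], "notDataActions": []}]}

ACCOUNT_READ = "Microsoft.DocumentDB/databaseAccounts/read"          # metadata only
READONLY_KEYS = "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action"
READWRITE_KEYS = "Microsoft.DocumentDB/databaseAccounts/listKeys/action"  # assumed name

def compare_roles() -> dict:
    """Return {action: {roleName: allowed}} for the three actions that matter here."""
    return {a: {r["roleName"]: role_allows(r, a) for r in (READER, COSMOS_ACCOUNT_READER)}
            for a in (ACCOUNT_READ, READONLY_KEYS, READWRITE_KEYS)}

if __name__ == "__main__":
    for action, result in compare_roles().items():
        print(action, result)
```

    Running it shows both roles can read account metadata, only Cosmos DB Account Reader can fetch the read-only keys, and neither can fetch the read-write keys, which is the least-privilege split the answer describes.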