
Add permissions in Cosmos DB only for specific containers


I'm trying to configure access to a Cosmos DB database that contains multiple containers. In our scenario we want different teams of users to have read and write permissions within specific containers only; if they were to attempt any access to another container, they should be denied.

I've been reading about role based access within Cosmos and it sounds exactly like what we need. So I'm trying to create custom roles for this, but I'm getting confused by the different permissions available.

I can't embed images, but the link below is the permissions I've found for containers within DocumentDB.

Link to permissions

There are permissions such as Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/write, but it sounds like these are for the actual maintenance of containers themselves rather than the data within them. The set below that in the image mentions the throughput of the container, so that doesn't seem right either.

Previous material I'd seen mentioned that these roles were only available to create from something like PowerShell; however, when I saw these within the portal I assumed that may have been outdated. Is that still the case?

Essentially, the setup I want is:

  • Role 1 given access to read and write items in container 1 only
  • Role 2 given access to read and write items in container 2 only

Also, as another quick side question: are permissions additive? So can I create this role just for this purpose of accessing that container and then add it onto another more generic role, or would I need to include basic permissions that you would find in something like the Cosmos DB Account Reader Role?


Solution

  • The permissions you have are for management operations on Cosmos DB resources. The permissions you are looking for are these which are documented at Configure role-based access control with Azure Active Directory for your Azure Cosmos DB account

    Cosmos DB data plane permissions

    First step is to create a role definition for each container. You can use the Built-in role definitions such as Cosmos DB Built-in Data Contributor, or if you want to limit to discrete actions, you can build a custom role definition using az cli, PowerShell or ARM/Bicep.

    Once you have your role definitions, you can then Create role assignments for each container to any service principal within your AAD tenant.

    Last step is to Initialize our SDK with Azure AD. This is available for our .NET, Java, Python and JS SDKs. You will need to ensure you are using the correct version of our SDKs, so best to upgrade if using older versions. To authenticate via AAD you need to create a client secret credential. The token from that credential is what is passed to the Cosmos client when creating a new instance.

    Lastly, you will want to use a custom query string when you want to access your data via the Cosmos Data Explorer. You may also want to restrict access to your data to only via AAD. To do this you will need to deploy an ARM template to your account (be sure to do a GET first so you don't accidentally destroy your resources). Then add "disableLocalAuth": true to the properties of the databaseAccount resource.
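The first two steps of the answer (a data-plane role definition per container, then a role assignment scoped to that container) as an added az cli example; this is not code from the answer or from Microsoft. Account, resource group, database, container and principal object IDs are placeholders, and the az calls only run when RUN_AZ=1.

```shell
# Added example (not from the answer): one custom data-plane role per container,
# assigned at container scope with the az cli. Account, group and principal
# values are placeholders; az calls run only when RUN_AZ=1.
set -euo pipefail

# Scope string Cosmos DB uses for a single container inside one database.
container_scope() {
  printf '/dbs/%s/colls/%s' "$1" "$2"
}

# Custom role definition granting item read/write in the assigned scope only.
# readMetadata is a data-plane action the SDKs need; no control-plane actions.
role_definition_json() {
  cat <<EOF
{
  "RoleName": "$1",
  "Type": "CustomRole",
  "AssignableScopes": ["/"],
  "Permissions": [{ "DataActions": [
    "Microsoft.DocumentDB/databaseAccounts/readMetadata",
    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*",
    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeQuery",
    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed"
  ]}]
}
EOF
}

# Create the definition, then assign it to one principal at container scope.
apply_container_role() {
  local account="$1" rg="$2" db="$3" container="$4" principal="$5" role_id
  role_id=$(az cosmosdb sql role definition create \
      --account-name "$account" --resource-group "$rg" \
      --body "$(role_definition_json "${container}-items-readwrite")" \
      --query id -o tsv)
  az cosmosdb sql role assignment create \
      --account-name "$account" --resource-group "$rg" \
      --role-definition-id "$role_id" --principal-id "$principal" \
      --scope "$(container_scope "$db" "$container")"
}

if [ "${RUN_AZ:-0}" = 1 ]; then
  apply_container_role my-account my-rg mydb container1 "$TEAM1_OBJECT_ID"
  apply_container_role my-account my-rg mydb container2 "$TEAM2_OBJECT_ID"
fi
```

A principal assigned only the container1 role gets no item access in container2, because the assignment scope, not the role definition, limits where the DataActions apply.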