azure-cosmosdb

Allowing users to edit documents in specific containers


I want to allow some editors to add/modify/delete documents in a specific container in a Cosmos database.

It could be through the azure portal data explorer, or via https://cosmos.azure.com/

However, I cannot figure out a way to grant those permissions to a user, without making them a contributor on the entire cosmos account.

The data-plane permissions do not seem to take effect when accessing through the data explorer.

I also considered the access keys/connection strings, but again, those are not scoped to a single container.

Is there any way to set up permissions for a human user, to do simple data edits through one of the built in UI options?


Solution

  • It should work with data-plane RBAC and the cosmos.azure.com portal, but you must enable RBAC support explicitly by using: https://cosmos.azure.com/?feature.enableAadDataPlane=true.

    The data-plane RBAC docs (Use data explorer) are actually rather good about this, including:

    When you access the Azure Cosmos DB Explorer with the specific ?feature.enableAadDataPlane=true query parameter and sign in, the following logic is used to access your data:

    1. A request to fetch the account's primary key is attempted on behalf of the identity signed in. If this request succeeds, the primary key is used to access the account's data.
    2. If the identity signed in isn't allowed to fetch the account's primary key, this identity is directly used to authenticate data access. In this mode, the identity must be assigned with proper role definitions to ensure data access.

    Hopefully this will become the default at some point.
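Added example, not part of the question or the answer above: the Azure CLI steps that give one Entra ID user data-plane write access to a single container, and the control-plane check that matters given the fallback logic quoted above (if the signed-in user can fetch the account's primary key, the Data Explorer uses the key and the container scope is never applied). The resource group, account, database, container and user principal name are placeholders; the two role definition IDs are the documented built-in data-plane roles (Cosmos DB Built-in Data Reader and Data Contributor). The script prints the commands rather than running them so they can be reviewed first.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Scopes a Cosmos DB data-plane
# role assignment to one container and prints the az commands to apply it.
# Placeholders (assumed, not real resources): RG, ACCOUNT, DB, CONTAINER, UPN.
set -eu

# Built-in data-plane role definition IDs documented by Azure Cosmos DB.
COSMOS_DATA_READER="00000000-0000-0000-0000-000000000001"
COSMOS_DATA_CONTRIBUTOR="00000000-0000-0000-0000-000000000002"

# Scope string for a data-plane role assignment:
#   "/"                          whole account
#   "/dbs/<db>"                  one database
#   "/dbs/<db>/colls/<container>" one container
cosmos_scope() {
  db="${1:-}"; container="${2:-}"
  if [ -z "$db" ]; then
    printf '/'
  elif [ -z "$container" ]; then
    printf '/dbs/%s' "$db"
  else
    printf '/dbs/%s/colls/%s' "$db" "$container"
  fi
}

# Map an access level to a built-in role definition ID.
cosmos_role_id() {
  case "$1" in
    read)  printf '%s' "$COSMOS_DATA_READER" ;;
    write) printf '%s' "$COSMOS_DATA_CONTRIBUTOR" ;;
    *)     echo "unknown access level: $1" >&2; return 1 ;;
  esac
}

# Print the command that assigns the role to a principal at container scope.
# principal_oid is the user's Entra ID object ID (see lookup below).
grant_container_access() {
  rg="$1"; account="$2"; db="$3"; container="$4"; principal_oid="$5"; level="$6"
  printf "az cosmosdb sql role assignment create --resource-group '%s' --account-name '%s' --scope '%s' --principal-id '%s' --role-definition-id '%s'\n" \
    "$rg" "$account" "$(cosmos_scope "$db" "$container")" "$principal_oid" "$(cosmos_role_id "$level")"
}

# Print the commands that (1) resolve a UPN to an object ID and (2) list the
# user's control-plane role assignments on the account. Any assignment that
# grants listKeys (Contributor, Owner, ...) lets the Data Explorer fall back to
# the primary key, which bypasses the container scope entirely.
print_precheck() {
  rg="$1"; account="$2"; upn="$3"
  printf "az ad user show --id '%s' --query id -o tsv\n" "$upn"
  printf "az role assignment list --assignee '%s' --scope \"\$(az cosmosdb show --resource-group '%s' --name '%s' --query id -o tsv)\" --all -o table\n" \
    "$upn" "$rg" "$account"
}

# Example usage with placeholder values; the object ID is a dummy.
print_precheck "rg-placeholder" "acct-placeholder" "editor@example.com"
grant_container_access "rg-placeholder" "acct-placeholder" "mydb" "items" "00000000-0000-0000-0000-00000000dead" "write"
echo "# Then sign in at https://cosmos.azure.com/?feature.enableAadDataPlane=true"
```

The user still needs enough control-plane visibility to open the account in the portal or at cosmos.azure.com, but that must not include key retrieval; otherwise step 1 of the quoted logic succeeds and the container-scoped assignment is irrelevant.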