Key-Based Access Control – Nonrelational Databases in Azure
Key-Based Access Control
Azure Cosmos DB provides a primary and a secondary key for read-write access as well as a primary and a secondary key for read-only access. Keys provide access to all resources in an Azure Cosmos DB account. The purpose of having a primary and a secondary key is to allow users to regenerate one key without requiring any downtime.
While keys can be useful when providing access to different applications, they can be cumbersome to manage. Keys also expose more Azure Cosmos DB account objects than most users need. In most cases, it is better practice to use an identity management model that grants fine-grained permissions to Azure Active Directory (AAD) or native Azure Cosmos DB identities for database authentication and authorization.
Role-Based Access Control (RBAC)
Azure enables organizations to centralize identity management with AAD and RBAC roles. As discussed in Chapter 2, RBAC roles are used to control access to different Azure services. RBAC roles can be assigned to AAD objects (known as identities) such as users, groups, service principals, and managed identities, giving them the ability to perform tasks that are allowed by those roles. There are several RBAC roles specific to Azure Cosmos DB that can be used to perform management and data manipulation operations.
First, let’s examine Azure Cosmos DB RBAC roles that control management plane operations. These roles allow AAD identities to manage create/replace/delete operations for Azure Cosmos DB account objects, database backups and restores, and performance monitoring. The following are the Azure Cosmos DB RBAC roles that support management operations:
- The DocumentDB Account Contributor role can manage Azure Cosmos DB accounts.
- The CosmosDB Account Reader role can read Azure Cosmos DB account data.
- The Cosmos Backup Operator role can submit a restore request for a periodic-backup-enabled database or container. It can modify the backup interval and retention through the Azure Portal. This role cannot access any data or use Data Explorer.
- The CosmosRestoreOperator role can perform a restore for an Azure Cosmos DB account using the continuous backup mode.
- The Cosmos DB Operator role can provision Azure Cosmos DB accounts, databases, and containers. It cannot access any data or use Data Explorer.
More information about Azure Cosmos DB RBAC roles that support management activities can be found at https://docs.microsoft.com/en-us/azure/cosmos-db/role-based-access-control.
The next set of Azure Cosmos DB RBAC roles to bear in mind are those that support data plane operations. These allow AAD identities to create, read, update, and delete data from databases and containers. The following are the two built-in Azure Cosmos DB RBAC roles used to manage data plane operations:
- The Cosmos DB Built-in Data Reader role can read account metadata, data from specific items (point-reads and queries) and a specific container’s change feed.
- The Cosmos DB Built-in Data Contributor role can read account metadata and perform create, read, and delete operations on data in specific containers and items.
More information about Azure Cosmos DB RBAC roles that support data plane operations can be found at https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac.
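As an added example (not from the book or from Microsoft's tooling), the following Python helper audits data plane role assignments for the fine-grained scoping the text recommends: it classifies each assignment as account, database or container scope and flags anything granted above container level. The account path, principal IDs and assignment records are constructed; the records mirror the fields returned by `az cosmosdb sql role assignment list`, and the role definition IDs assume the built-in GUIDs ending in `0001` (Data Reader) and `0002` (Data Contributor).

```python
import re

# Role definition IDs of the two built-in data plane roles (GUID suffix of roleDefinitionId).
BUILTIN_DATA_ROLES = {
    "00000000-0000-0000-0000-000000000001": "Cosmos DB Built-in Data Reader",
    "00000000-0000-0000-0000-000000000002": "Cosmos DB Built-in Data Contributor",
}

# A data plane scope is the account resource ID, optionally narrowed to
# /dbs/<database> or /dbs/<database>/colls/<container>.
_SCOPE_RE = re.compile(r"^.*/databaseAccounts/[^/]+(?P<path>(/dbs/[^/]+(/colls/[^/]+)?)?)$")

# Constructed sample: one account and three assignments (assumed names and IDs).
ACCOUNT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
              "/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-demo")
SAMPLE_ASSIGNMENTS = [
    {"principalId": "app-orders", "scope": ACCOUNT_ID + "/dbs/shop/colls/orders",
     "roleDefinitionId": ACCOUNT_ID + "/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002"},
    {"principalId": "app-reporting", "scope": ACCOUNT_ID,
     "roleDefinitionId": ACCOUNT_ID + "/sqlRoleDefinitions/00000000-0000-0000-0000-000000000001"},
    {"principalId": "ops-script", "scope": ACCOUNT_ID + "/dbs/shop",
     "roleDefinitionId": ACCOUNT_ID + "/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002"},
]

def scope_level(scope):
    """Classify an assignment scope as 'account', 'database' or 'container'."""
    m = _SCOPE_RE.match(scope)
    if m is None:
        raise ValueError(f"not a Cosmos DB data plane scope: {scope}")
    path = m.group("path")
    if not path:
        return "account"
    return "container" if "/colls/" in path else "database"

def role_name(role_definition_id):
    """Map a roleDefinitionId resource path to a built-in role name, or mark it custom."""
    guid = role_definition_id.rsplit("/", 1)[-1]
    return BUILTIN_DATA_ROLES.get(guid, "custom:" + guid)

def audit(assignments):
    """Return a finding for every assignment granted above container scope.
    Write access (Data Contributor) and custom roles rate 'high'; read-only rates 'medium'."""
    findings = []
    for a in assignments:
        level = scope_level(a["scope"])
        if level == "container":
            continue
        name = role_name(a["roleDefinitionId"])
        severity = "medium" if name == "Cosmos DB Built-in Data Reader" else "high"
        findings.append({"principalId": a["principalId"], "role": name,
                         "level": level, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_ASSIGNMENTS):
        print(f"[{f['severity']}] {f['principalId']}: {f['role']} at {f['level']} scope")
```

Running the script against the constructed records reports the account-scoped reader and the database-scoped contributor, and stays silent on the container-scoped assignment.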