Alexolo

Reputation: 318

Azure Cosmos DB read data using role based access control

I have a CosmosDB in Azure, I want to give a user access to read the data inside various collections.

I tried giving them the 'Reader' role; it let them see that there existed a Cosmos DB, and they could see some metadata, but they were unable to access the data within.

I assigned them the 'Cosmos DB Account Reader' and this had better results.

But it seems to me that the 'Reader' role should supersede the 'Cosmos DB Account Reader' role. Or am I on the wrong track here? I believed that the 'Reader' role gave all read access.

EDIT:
There seems to be no issue using the built in 'Data Explorer' on portal.azure.com.

The real issue is with cosmos.azure.com: logging in using Active Directory did not let the user see anything with the 'Cosmos DB Account Reader' role. It might be that it requires the user to have write access.

Upvotes: 7

Views: 13099

Answers (2)

MoonHorse

Reputation: 2479

You need to assign specific role definitions for Azure Cosmos DB data access. These are distinct from Azure role-based access control role definitions.

PowerShell code to assign these roles:

$resourceGroupName = "<myResourceGroup>"
$accountName = "<myCosmosAccount>"
# Id of a data-plane role definition, e.g. the built-in "Cosmos DB Built-in Data Reader"
# (00000000-0000-0000-0000-000000000001), as returned by Get-AzCosmosDBSqlRoleDefinition.
$readOnlyRoleDefinitionId = "<roleDefinitionId>"
# For service principals make sure to use the Object ID as found in the Enterprise applications section of the Azure Active Directory portal blade.
$principalId = "<aadPrincipalId>"
# Scope "/" is the whole account; "/dbs/<db>" or "/dbs/<db>/colls/<container>" narrows it.
New-AzCosmosDBSqlRoleAssignment -AccountName $accountName `
    -ResourceGroupName $resourceGroupName `
    -RoleDefinitionId $readOnlyRoleDefinitionId `
    -Scope "/" `
    -PrincipalId $principalId

https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#built-in-role-definitions

Upvotes: 0
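The situation in the question's EDIT is exactly where this answer applies: when a client signs in to cosmos.azure.com with a directory (Azure AD / Entra ID) account, it presents an AAD token to the Cosmos DB data plane, and the data plane evaluates only these SQL role assignments, not the control-plane roles such as 'Reader' or 'Cosmos DB Account Reader'. The following PowerShell is an added, end-to-end example (not code from the answer above or from the Microsoft docs) that looks up the built-in Data Reader definition, resolves the user's object ID, grants read access scoped to a single database, and verifies the assignment. The resource group, account, database and user names in angle brackets are placeholders.

```powershell
# Added example: data-plane (SQL) role assignment with the Az.CosmosDB and Az.Resources modules.
# Requires an existing Connect-AzAccount session with control-plane rights on the account.
$resourceGroupName = "<myResourceGroup>"
$accountName       = "<myCosmosAccount>"
$databaseName      = "<myDatabase>"         # assumed: grant is scoped to one database
$userPrincipalName = "<user@contoso.com>"   # assumed: the directory user who should read data

# 1. List the data-plane role definitions the account exposes. The two built-in ones are
#    "Cosmos DB Built-in Data Reader" and "Cosmos DB Built-in Data Contributor".
$definitions = Get-AzCosmosDBSqlRoleDefinition -AccountName $accountName `
                                               -ResourceGroupName $resourceGroupName
$definitions | Select-Object RoleName, Type, Id | Format-Table -AutoSize

$readerDef = $definitions | Where-Object { $_.RoleName -eq "Cosmos DB Built-in Data Reader" }
if (-not $readerDef) { throw "Built-in Data Reader definition not found on $accountName" }

# 2. Resolve the principal's object ID. For a service principal use
#    Get-AzADServicePrincipal instead; the assignment needs the directory object ID either way.
$principal = Get-AzADUser -UserPrincipalName $userPrincipalName
if (-not $principal) { throw "No directory user named $userPrincipalName" }

# 3. Grant read access on one database only. "/" would cover the whole account and
#    "/dbs/<db>/colls/<container>" a single container.
$scope = "/dbs/$databaseName"
New-AzCosmosDBSqlRoleAssignment -AccountName $accountName `
    -ResourceGroupName $resourceGroupName `
    -RoleDefinitionId $readerDef.Id `
    -Scope $scope `
    -PrincipalId $principal.Id

# 4. Verify: list the account's assignments and show the one for this principal.
Get-AzCosmosDBSqlRoleAssignment -AccountName $accountName -ResourceGroupName $resourceGroupName |
    Where-Object { $_.PrincipalId -eq $principal.Id } |
    Select-Object Scope, RoleDefinitionId
```

Scoping the assignment to a database or container is the least-privilege option; "/" hands out read access to every container in the account. Keep in mind that this grant is independent of the key-based path: a user who also holds 'Cosmos DB Account Reader' can still fetch the account's read-only keys and read everything with them, regardless of how narrowly the data-plane role is scoped.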

Gaurav Mantri

Reputation: 136216

In order to read the data from Cosmos DB accounts, a user should be in a role that allows fetching access keys. A Reader role does not have this capability. However Cosmos DB Account Reader role has the capability to fetch the read-only access keys using which a user in this role can read the data (but not make any changes to that data).

From this link, here's the definition of Cosmos DB Account Reader role:

{
  "assignableScopes": [
    "/"
  ],
  "description": "Can read Azure Cosmos DB Accounts data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
  "name": "fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.DocumentDB/*/read",
        "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
        "Microsoft.Insights/MetricDefinitions/read",
        "Microsoft.Insights/Metrics/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Cosmos DB Account Reader Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

The Microsoft.DocumentDB/databaseAccounts/readonlykeys/action action enables getting the read-only access keys and thus reading the data.

Upvotes: 4
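To see the difference this answer describes for yourself, the following added PowerShell (not part of the answer above) pulls the built-in control-plane role definitions with Get-AzRoleDefinition, checks which of them contain the readonlykeys/action and listKeys/action permissions (honouring wildcards and NotActions the way Azure RBAC does), and then fetches the read-only keys the way a user in the 'Cosmos DB Account Reader' role could. The resource group and account names in angle brackets are placeholders; the hashtable key names used for the returned keys follow the Az.CosmosDB module's output and are the assumption here.

```powershell
# Added example: compare built-in roles for key-fetching rights, then fetch read-only keys.
# Requires an existing Connect-AzAccount session.
$resourceGroupName = "<myResourceGroup>"
$accountName       = "<myCosmosAccount>"

$readOnlyKeyAction = "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action"
$listKeysAction    = "Microsoft.DocumentDB/databaseAccounts/listKeys/action"

# Returns $true when the named built-in role's Actions cover $Action and no NotAction removes it.
# Azure RBAC action strings may contain wildcards ("*", "Microsoft.DocumentDB/*/read"),
# so each entry is treated as a -like pattern against the concrete action.
function Test-RoleGrantsAction {
    param([string]$RoleName, [string]$Action)
    $def = Get-AzRoleDefinition -Name $RoleName
    if (-not $def) { throw "Role '$RoleName' not found" }
    $allowed = @($def.Actions    | Where-Object { $Action -like $_ }).Count -gt 0
    $denied  = @($def.NotActions | Where-Object { $Action -like $_ }).Count -gt 0
    return ($allowed -and -not $denied)
}

# 'Reader' has only */read actions, so neither key action matches; 'Cosmos DB Account Reader Role'
# matches readonlykeys/action only; 'Contributor' ("*") matches both.
foreach ($role in "Reader", "Cosmos DB Account Reader Role", "Contributor") {
    "{0,-32} readonlykeys={1,-5} listKeys={2}" -f $role,
        (Test-RoleGrantsAction -RoleName $role -Action $readOnlyKeyAction),
        (Test-RoleGrantsAction -RoleName $role -Action $listKeysAction)
}

# The call that readonlykeys/action authorises. A principal holding only 'Reader' gets an
# authorization error here; 'Cosmos DB Account Reader' succeeds but cannot ask for "Keys".
$keys = Get-AzCosmosDBAccountKey -ResourceGroupName $resourceGroupName `
                                 -Name $accountName `
                                 -Type "ReadOnlyKeys"
$primaryReadOnlyKey = $keys["PrimaryReadonlyMasterKey"]   # assumed hashtable key name
"Fetched a read-only key of length {0}" -f $primaryReadOnlyKey.Length
```

The security point worth keeping in mind: a read-only key is still a long-lived, account-wide shared secret. Anyone who obtains it can read every container in the account, and the grant cannot be scoped to one database or revoked per user, only rotated for everyone. If you have set the account's disableLocalAuth property to block key-based access, 'Cosmos DB Account Reader' no longer yields data access at all, and the data-plane role assignments from the other answer become the only way in.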
