Setting Up Granular Security for Cosmos DB SQL Containers
PythonSetting up granular security for Cosmos DB SQL Containers is essential for ensuring your database has specific permissions and roles configured to control access at a fine-grained level. In Pulumi, you can set up security for Azure Cosmos DB SQL containers by creating role definitions and role assignments, specifying the permissions necessary for the roles, and assigning those roles to principals (like users or managed identities) within Azure.
We will be utilizing two key Pulumi resources for this task:
-
SqlRoleDefinition: This resource creates a role definition with specific data actions that outline what a principal can do within your Cosmos DB account. -
SqlRoleAssignment: This resource assigns the defined role to a principal for a specific scope within your Cosmos DB account.
Here's a Python program using Pulumi to create a custom role definition and assign it to a principal for controlling access to an Azure Cosmos DB SQL container:
import pulumi import pulumi_azure_native as azure_native # Set your Cosmos DB account, database, and container names account_name = 'cosmos-db-account' database_name = 'database-name' container_name = 'container-name' resource_group_name = 'resource-group-name' principal_id = 'principal-guid' # Replace with the actual principal ID # Create a custom role definition for read-only access to a specific container read_only_role_definition = azure_native.documentdb.SqlResourceSqlRoleDefinition( 'read-only-role', account_name=account_name, resource_group_name=resource_group_name, role_definition_id='unique-guid', # Replace with a unique GUID resource={ 'permissions': [ # Add permissions as needed { 'data_actions': [ 'Microsoft.DocumentDB/databaseAccounts/readMetadata', 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read', # More data actions can be added based on the access required ], }, ], 'assignable_scopes': [ f'/subscriptions/{pulumi.config.require("subscription_id")}/resourceGroups/{resource_group_name}/providers/Microsoft.DocumentDB/accountName/{account_name}' ], 'type': 'Custom' } ) # Assign the read-only role to the principal for the specific container scope read_only_role_assignment = azure_native.documentdb.SqlResourceSqlRoleAssignment( 'read-only-role-assignment', account_name=account_name, resource_group_name=resource_group_name, role_assignment_id='unique-guid', # Replace with a unique GUID scope=f'/subscriptions/{pulumi.config.require("subscription_id")}/resourceGroups/{resource_group_name}/providers/Microsoft.DocumentDB/accountName/{account_name}/sqlRoleDefinitions/{read_only_role_definition.role_definition_id}', # Use the role definition's resulting ID resource={ 'principal_id': principal_id, } ) pulumi.export('roleDefinitionId', read_only_role_definition.role_definition_id) pulumi.export('roleAssignmentId', read_only_role_assignment.role_assignment_id)Before executing this program, ensure you replace the placeholder values (
'cosmos-db-account','database-name','container-name','resource-group-name','principal-guid', and'unique-guid') with actual values that correspond to your Azure environment.In this program, we've created a custom role definition called
read-only-rolewhich grants read access to items within a given Cosmos DB container. This role is then assigned to a principal through theread-only-role-assignmentresource.Importantly, the scope of the role definition and the role assignment includes the subscription ID, resource group name, and Cosmos DB account name, which you need to set appropriately.
The
pulumi.exportstatements at the end of the script output the IDs for the role definition and the role assignment, which can be used for referencing these resources later.Please ensure you have the Azure Pulumi provider configured and authenticated to run this code. Once you run
pulumi upwith this program, Pulumi will provision the resources as described in the program.-