1. Controlling Access to Cosmos DB Resources with SQL Roles


    Access control for Azure Cosmos DB resources using SQL (Structured Query Language) roles involves defining roles with specific permissions and assigning these roles to users or other principals. Role-based access control (RBAC) is a method of regulating access to resources based on the roles of individual users within an organization.

    To manage access for Cosmos DB resources, Azure provides the SqlRoleDefinition and SqlRoleAssignment resources. A SqlRoleDefinition defines a set of permissions for a particular operation that can be performed on Cosmos DB resources. The SqlRoleAssignment is used to grant these permissions to a user, group, service principal, or managed identity by assigning them a role.

    Here is an example of how you might set up RBAC for Cosmos DB with Pulumi in Python:

    1. Define a SQL role that specifies the allowed actions.
    2. Assign that role to a principal (a user or an application) for a particular scope.

    Below is a complete Pulumi program that creates a Cosmos DB account, defines a SQL role with read and write permissions, and assigns that role to a principal.

    import pulumi import pulumi_azure_native as azure_native # Create a new resource group resource_group = azure_native.resources.ResourceGroup('resource_group') # Create an Azure Cosmos DB account cosmosdb_account = azure_native.documentdb.DatabaseAccount('cosmosdbAccount', resource_group_name=resource_group.name, location=resource_group.location, database_account_offer_type="Standard", consistency_policy={ "defaultConsistencyLevel": "Session", }, locations=[{ "locationName": resource_group.location, "failoverPriority": 0, }] ) # Define a new SQL Role with read and write permissions sql_role_definition = azure_native.documentdb.SqlRoleDefinition('readWriteSqlRole', account_name=cosmosdb_account.name, resource_group_name=resource_group.name, role_definition={ "Id": "unique-guid", # Replace with a unique GUID "RoleName": "ReadWriteRole", "Type": "CustomRole", "AssignableScopes": ["/"], # This defines the scope as the entire database account "Permissions": [ { "DataActions": [ "Microsoft.DocumentDB/databaseAccounts/readMetadata", "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*", ] } ] } ) # Replace 'principal_id' with the actual principal's object ID that you want to assign this role to. # This can be a user, a group, an application service principal, or a managed identity. sql_role_assignment = azure_native.documentdb.SqlRoleAssignment('readWriteSqlRoleAssignment', account_name=cosmosdb_account.name, resource_group_name=resource_group.name, principal_id="principal_id", # Replace with the actual principal's object ID role_definition_id=sql_role_definition.id, scope="/", # This defines the scope as the entire database account ) # Export the Cosmos DB account endpoint pulumi.export('cosmosdb_endpoint', cosmosdb_account.document_endpoint)

    In the above program:

    • A resource group is created which will contain all the resources.
    • A Cosmos DB account is created within the resource group.
    • A SqlRoleDefinition is defined, where the role_definition parameter's Permissions property specifies the set of actions allowed by the role.
    • A SqlRoleAssignment is created to assign the role defined previously to a principal for the specified scope.
    • The Cosmos DB account endpoint is exported, which can be used to connect to the database account.

    Remember to replace "unique-guid" with a unique identifier for your role and to replace "principal_id" with the actual ID of the principal to whom you want to assign the role. Also, adjust the scope and AssignableScopes to target specific databases or containers as needed for your use case.

    For more information, you can refer to the following documentation: