Managing Permissions in Cosmos DB with Azure RBAC

Question

Pulumi · Accepted Answer

To manage permissions in Azure Cosmos DB using Role-Based Access Control (RBAC), you need to set up Azure AD identities (such as users, groups, or service principals) and assign them appropriate roles that grant permissions to perform various actions on Cosmos DB resources.

In Pulumi, you can manage Cosmos DB RBAC by creating Azure AD role assignments for the Cosmos DB account. You will need to use the `azure-native.authorization.RoleAssignment` resource, which assigns a role to a specific principal (user, group, service principal, or managed identity).

Below is a Pulumi program written in Python that demonstrates how to create a new Azure Cosmos DB account, database, container, and assigns an Azure RBAC role to a principal. This program uses `pulumi_azure_native` package, which is the direct mapping of Azure Resource Manager to Pulumi, offering complete access to the Azure API surface.

First, you will need to specify the role definition ID for the role you wish to assign and the principal ID of the user, group, or service principal to whom you wish to assign the role. Ensure you have these values before running the program.

```python
import pulumi
from pulumi_azure_native import documentdb as cosmos_db
from pulumi_azure_native import authorization as azure_auth
from pulumi_azure_native import resources

# Create a resource group for the Cosmos DB account
resource_group = resources.ResourceGroup('my-resource-group')

# Create a new Azure Cosmos DB account
cosmosdb_account = cosmos_db.DatabaseAccount('my-cosmosdb-account',
    resource_group_name=resource_group.name,
    database_account_offer_type=cosmos_db.DatabaseAccountOfferType.STANDARD,
    locations=[cosmos_db.LocationArgs(
        location_name='West US',
        failover_priority=0,
        is_zone_redundant=False,
    )])

# Create a new Azure Cosmos DB SQL database within the account
cosmosdb_sql_database = cosmos_db.SqlResourceSqlDatabase('my-sql-database',
    account_name=cosmosdb_account.name,
    resource_group_name=resource_group.name,
    resource=cosmos_db.SqlDatabaseResourceArgs(
        id='my-sql-database',
    ),
    options=cosmos_db.CreateUpdateOptionsArgs())

# Create a new Azure Cosmos DB SQL container within the SQL database
cosmosdb_sql_container = cosmos_db.SqlResourceSqlContainer('my-sql-container',
    account_name=cosmosdb_account.name,
    database_name=cosmosdb_sql_database.name,
    resource_group_name=resource_group.name,
    resource=cosmos_db.SqlContainerResourceArgs(
        id='my-sql-container',
        partition_key=cosmos_db.ContainerPartitionKeyArgs(
            paths=['/myPartitionKey'],
            kind='Hash',
        ),
    ),
    options=cosmos_db.CreateUpdateOptionsArgs())

# Example role assignment, using a built-in Reader role (replace role_definition_id and principal_id with actual values)
role_assignment = azure_auth.RoleAssignment('my-role-assignment',
    scope=cosmosdb_account.id, # Assigning at the account level
    role_assignment_name=pulumi.Output.uuid(), # Generates a unique UUID for role assignment name
    role_definition_id='/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}', # Replace with actual role definition ID
    principal_id='{principalId}') # Replace with actual principal ID

# Export the account's endpoint and primary key
primary_key = pulumi.Output.secret(cosmosdb_account.primary_master_key)

pulumi.export('account_endpoint', cosmosdb_account.document_endpoint)
pulumi.export('primary_master_key', primary_key)
```

In this program, we start by creating a new resource group, then a Cosmos DB account, SQL database, and SQL container. After that, we create a role assignment using the `azure_auth.RoleAssignment` resource, which binds a specific role to a principal (e.g., user or service principal) for a designated scope, which can be a subscription, resource group, or a specific resource. The scope in this example is the Cosmos DB account we created.

Replace the placeholders `{subscriptionId}`, `{roleDefinitionId}`, and `{principalId}` in the `role_definition_id` and `principal_id` properties with the actual subscription ID, role definition ID of the role you wish to assign, and the principal ID of the user/group/service principal respectively.

Please make sure you have the necessary permissions to assign roles and that the principal you're assigning the role to exists within Azure Active Directory.

You can also manage role definitions (custom roles) using Pulumi if the built-in roles do not fit your specific requirements, but that is a more advanced topic and beyond the scope of this introduction.

To run this Pulumi program, save it to a file (e.g., `cosmosdb_rbac.py`), ensure you have the `pulumi_azure_native` package installed, and use the Pulumi CLI to `up` the stack. The Pulumi CLI will prompt you for required configuration settings and authenticate against Azure to fulfill the resource deployments.