1. Assigning Role-Based Access for Cosmos DB SQL API


    Role-Based Access Control (RBAC) in Azure Cosmos DB assigns fine-grained data-plane permissions to users and applications independently of the data itself. RBAC lets you control which identities have access to your Cosmos DB resources and what they are allowed to do with those resources.

    To implement RBAC for Cosmos DB's SQL API, you typically define a RoleDefinition that specifies the permissions granted, and then bind users or other identities to that role with a RoleAssignment.

    In this program, we'll start by creating a role definition that specifies the set of data actions the role permits, such as reading or writing documents. Then we'll create a role assignment that binds an Azure AD identity to that role definition.

    Here is a Pulumi program in Python that demonstrates how to create a SQL role definition and role assignment for an Azure Cosmos DB account.

    import pulumi
    import pulumi_azure_native as azure_native

    # Assume that the Cosmos DB account and resource group are already created.
    # Replace 'my_resource_group' and 'my_cosmosdb_account' with your actual
    # resource group and Cosmos DB account names.
    resource_group_name = 'my_resource_group'
    cosmosdb_account_name = 'my_cosmosdb_account'

    # Resolve the subscription ID from the credentials Pulumi is running with.
    subscription_id = azure_native.authorization.get_client_config().subscription_id

    # The Cosmos DB account is the scope at which this role can be assigned.
    account_scope = (
        f"/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}"
        f"/providers/Microsoft.DocumentDB/databaseAccounts/{cosmosdb_account_name}"
    )

    # Create a SQL Role Definition that specifies the data actions permitted:
    # a role with read and write permissions on containers and items.
    sql_role_definition = azure_native.documentdb.SqlResourceSqlRoleDefinition(
        "sqlRoleDefinition",
        account_name=cosmosdb_account_name,
        resource_group_name=resource_group_name,
        role_name="ReadWriteContainersAndItems",
        type="CustomRole",
        assignable_scopes=[account_scope],
        permissions=[
            azure_native.documentdb.PermissionArgs(
                data_actions=[
                    "Microsoft.DocumentDB/databaseAccounts/readMetadata",
                    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
                    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create",
                    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/replace",
                    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/delete",
                ],
            ),
        ],
    )

    # Replace with the object ID of the Azure AD identity you want to grant access to.
    object_id = "your-azure-ad-identity-object-id"

    # Create a SQL Role Assignment that binds the Azure AD identity to the role.
    # Cosmos DB requires the assignment name to be a GUID; reusing the principal's
    # object ID satisfies that for a single assignment per principal.
    sql_role_assignment = azure_native.documentdb.SqlResourceSqlRoleAssignment(
        "sqlRoleAssignment",
        account_name=cosmosdb_account_name,
        resource_group_name=resource_group_name,
        role_assignment_name=object_id,
        principal_id=object_id,
        scope=account_scope,
        role_definition_id=sql_role_definition.id,
    )

    # Export the role definition and assignment IDs.
    pulumi.export('sqlRoleDefinitionId', sql_role_definition.id)
    pulumi.export('sqlRoleAssignmentId', sql_role_assignment.id)

    In this program, you would need to replace 'my_resource_group', 'my_cosmosdb_account', and 'your-azure-ad-identity-object-id' with your Azure resource group name, Cosmos DB account name, and the Azure AD identity object ID respectively.

    The role definition's permissions are given as a list of PermissionArgs, each carrying a list of data_actions: the data-plane operations (such as reading or creating items) that the role can perform.

    The assignable_scopes indicate where this role definition can be assigned. In this case, it is scoped to the Cosmos DB account.

    The SqlResourceSqlRoleAssignment resource ties an Azure AD identity (specified by principal_id) to the role definition created earlier, effectively granting the permissions defined in the role to that identity.

    Remember to include the role_definition_id obtained from the SqlResourceSqlRoleDefinition when creating the role assignment.

    Following this example, you can create various roles with different permissions and assign them to different identities to effectively manage access to your Cosmos DB resources using RBAC.
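    As an added example, not part of the original program and not Pulumi's or Azure's own API, the plain-Python check below shows how to review such role definitions before they are deployed. It encodes two facts about Cosmos DB SQL RBAC: SDK clients need the readMetadata action to resolve databases and containers, and assignable scopes must be the account or a /dbs/<db>/colls/<coll> path beneath it (the page shows only the account-level scope; the helper here also builds the narrower database and container scopes). It also derives a read-only variant of a role, matching the advice above to create several roles with different permissions. Wildcard data actions are valid in Cosmos DB; flagging them is a least-privilege policy choice. The names RoleSpec, lint_role, read_only_variant and account_scope are hypothetical, and the subscription ID and role specs are constructed sample input.

```python
import re
from dataclasses import dataclass, replace
from typing import List, Optional

# Every Cosmos DB SQL data action lives under this provider path.
ACTION_PREFIX = "Microsoft.DocumentDB/databaseAccounts/"
READ_METADATA = ACTION_PREFIX + "readMetadata"
# Final path segment of the data actions that mutate items.
WRITE_VERBS = {"create", "replace", "upsert", "delete"}

# Account scope, optionally narrowed to a database (/dbs/<db>) or a container (/colls/<coll>).
SCOPE_RE = re.compile(
    r"^/subscriptions/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
    r"/resourceGroups/[^/]+/providers/Microsoft\.DocumentDB/databaseAccounts/[^/]+"
    r"(/dbs/[^/]+(/colls/[^/]+)?)?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class RoleSpec:
    """Hypothetical plain-data mirror of the fields a SQL role definition needs."""
    role_name: str
    data_actions: List[str]
    assignable_scopes: List[str]


def account_scope(subscription_id: str, resource_group: str, account: str,
                  database: Optional[str] = None, container: Optional[str] = None) -> str:
    """Build the ARM scope string for an account, a database in it, or a container in that database."""
    scope = (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
             f"/providers/Microsoft.DocumentDB/databaseAccounts/{account}")
    if database:
        scope += f"/dbs/{database}"
        if container:
            scope += f"/colls/{container}"
    return scope


def lint_role(spec: RoleSpec) -> List[str]:
    """Return human-readable findings; an empty list means the role passes the checks."""
    findings = []
    if READ_METADATA not in spec.data_actions:
        findings.append("missing readMetadata: SDK clients cannot resolve containers without it")
    for action in spec.data_actions:
        if not action.startswith(ACTION_PREFIX):
            findings.append(f"not a Cosmos DB SQL data action: {action}")
        elif action.endswith("/*"):
            findings.append(f"wildcard grants every current and future operation: {action}")
    for scope in spec.assignable_scopes:
        if not SCOPE_RE.match(scope):
            findings.append(f"scope is not a Cosmos DB account, database or container: {scope}")
    return findings


def read_only_variant(spec: RoleSpec) -> RoleSpec:
    """Derive a second role from the first by dropping every mutating data action."""
    keep = [a for a in spec.data_actions if a.rsplit("/", 1)[-1] not in WRITE_VERBS]
    return replace(spec, role_name=spec.role_name + "-ReadOnly", data_actions=keep)


# Constructed sample input: a placeholder subscription ID and two candidate roles.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
READ_WRITE_ROLE = RoleSpec(
    role_name="ReadWriteContainersAndItems",
    data_actions=[
        READ_METADATA,
        ACTION_PREFIX + "sqlDatabases/containers/items/read",
        ACTION_PREFIX + "sqlDatabases/containers/items/create",
        ACTION_PREFIX + "sqlDatabases/containers/items/replace",
        ACTION_PREFIX + "sqlDatabases/containers/items/delete",
    ],
    assignable_scopes=[account_scope(SUBSCRIPTION_ID, "my_resource_group", "my_cosmosdb_account")],
)
OVERBROAD_ROLE = RoleSpec(
    role_name="Everything",
    data_actions=[
        ACTION_PREFIX + "sqlDatabases/containers/items/*",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    ],
    assignable_scopes=[f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/my_resource_group"],
)

if __name__ == "__main__":
    for role in (READ_WRITE_ROLE, OVERBROAD_ROLE):
        print(role.role_name, lint_role(role) or "ok")
    print(read_only_variant(READ_WRITE_ROLE).data_actions)
```

    Run the module directly to see the page's role pass and the over-broad role produce four findings; the RoleSpec values map one-to-one onto the role_name, data_actions and assignable_scopes arguments of the Pulumi resource above, so the same check can run in a pre-deploy step or a unit test before pulumi up.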

    For more information about Azure Cosmos DB SQL API RBAC, visit the official documentation.