Assigning Role-Based Access for Cosmos DB SQL API

Question

Pulumi · Accepted Answer

Role-Based Access Control (RBAC) in Azure Cosmos DB is used to assign fine-grained access permissions to users and applications separately from your data. RBAC allows you to manage who has access to your Cosmos DB resources and what they can do with those resources.

To implement RBAC for Cosmos DB's SQL API, you would typically define a `RoleDefinition` which specifies the permissions granted, and then assign users or other identities to roles using `RoleAssignment`.

In this program, we'll start by creating a role definition that specifies a set of data actions that the role permit, such as reading or writing documents. Then we'll create a role assignment that assigns an Azure AD identity to that role definition.

Here is a Pulumi program in Python that demonstrates how to create a SQL role definition and role assignment for an Azure Cosmos DB account.

```python
import pulumi
import pulumi_azure_native as azure_native

# Assume that the Cosmos DB account and resource group are already created.
# Replace 'my_resource_group' and 'my_cosmosdb_account' with your actual resource group and Cosmos DB account names.
resource_group_name = 'my_resource_group'
cosmosdb_account_name = 'my_cosmosdb_account'

# Create a SQL Role Definition that specifies the data actions permitted.
sql_role_definition = azure_native.documentdb.SqlResourceSqlRoleDefinition("sqlRoleDefinition",
    account_name=cosmosdb_account_name,
    resource_group_name=resource_group_name,
    role_definition_create_update_parameters=azure_native.documentdb.SqlRoleDefinitionCreateUpdateParametersArgs(
        role_definition=azure_native.documentdb.SqlRoleDefinitionArgs(
            permissions=[
                azure_native.documentdb.PermissionArgs(
                    data_actions=[
                        "Microsoft.DocumentDB/databaseAccounts/readMetadata",
                        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
                        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create",
                        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/replace",
                        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/delete",
                    ],
                ),
            ],
            assignable_scopes=[
                f"/subscriptions/{pulumi.config.require('azure:subscriptionId')}/resourceGroups/{resource_group_name}/providers/Microsoft.DocumentDB/databaseAccounts/{cosmosdb_account_name}",
            ],
            description="Role with read and write permissions on containers and items",
            role_name="ReadWriteContainersAndItems",
        ),
    ))

# Replace with the object ID of the Azure AD identity you want to grant access to.
object_id = "your-azure-ad-identity-object-id"

# Create a SQL Role Assignment that assigns the Azure AD identity to the Role Definition.
sql_role_assignment = azure_native.documentdb.SqlResourceSqlRoleAssignment("sqlRoleAssignment",
    account_name=cosmosdb_account_name,
    resource_group_name=resource_group_name,
    role_assignment_name=object_id,
    principal_id=object_id,
    scope=f"/subscriptions/{pulumi.config.require('azure:subscriptionId')}/resourceGroups/{resource_group_name}/providers/Microsoft.DocumentDB/databaseAccounts/{cosmosdb_account_name}",
    role_definition_id=sql_role_definition.id)

# Export the role definition and assignment IDs
pulumi.export('sqlRoleDefinitionId', sql_role_definition.id)
pulumi.export('sqlRoleAssignmentId', sql_role_assignment.id)
```

In this program, you would need to replace `'my_resource_group'`, `'my_cosmosdb_account'`, and `'your-azure-ad-identity-object-id'` with your Azure resource group name, Cosmos DB account name, and the Azure AD identity object ID respectively.

The `role_definition_create_update_parameters` argument receives permissions as a list of `data_actions` which represent operations the role can perform.

The `assignable_scopes` indicate where this role definition can be assigned. In this case, it is scoped to the Cosmos DB account.

The `SqlResourceSqlRoleAssignment` resource ties an Azure AD identity (specified by `principal_id`) to the role definition created earlier, effectively granting the permissions defined in the role to that identity.

Remember to include the `role_definition_id` obtained from the `SqlResourceSqlRoleDefinition` when creating the role assignment.

Following this example, you can create various roles with different permissions and assign them to different identities to effectively manage access to your Cosmos DB resources using RBAC.

For more information about Azure Cosmos DB SQL API RBAC, visit the [official documentation](https://www.pulumi.com/registry/packages/azure-native/api-docs/documentdb/sqlresourcesqlroledefinition/).