Assigning Role-Based Access for Cosmos DB SQL API
Role-Based Access Control (RBAC) for the Azure Cosmos DB SQL API grants fine-grained data-plane permissions to users and applications through their Azure AD identities, instead of handing out the account's primary or secondary keys. It lets you control which identities can reach your Cosmos DB data and which operations (read, create, replace, delete, query, and so on) they may perform. This is distinct from Azure RBAC on the control plane: SQL role assignments decide what an Azure AD token may do against the data, while Azure roles on the account govern management operations, and the two are evaluated independently.
To implement RBAC for the SQL API you typically define a role definition, which lists the data actions the role permits, and then bind Azure AD identities to it with role assignments. In this program, we start by creating a custom role definition that permits a set of data actions, such as reading or writing items. Then we create a role assignment that binds an Azure AD identity to that role definition at a chosen scope.

Here is a Pulumi program in Python that creates a SQL role definition and role assignment for an existing Azure Cosmos DB account.
```python
import uuid

import pulumi
import pulumi_azure_native as azure_native

# Assume that the Cosmos DB account and resource group already exist.
# Replace 'my_resource_group' and 'my_cosmosdb_account' with your actual
# resource group and Cosmos DB account names.
resource_group_name = "my_resource_group"
cosmosdb_account_name = "my_cosmosdb_account"

# Replace with the object ID of the Azure AD identity you want to grant access to
# (a user, group, service principal or managed identity).
object_id = "your-azure-ad-identity-object-id"

# ARM resource ID of the account. The subscription ID is taken from the
# credentials the azure-native provider is running under.
subscription_id = azure_native.authorization.get_client_config().subscription_id
account_id = (
    f"/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}"
    f"/providers/Microsoft.DocumentDB/databaseAccounts/{cosmosdb_account_name}"
)

# Cosmos DB identifies SQL role definitions and assignments by GUID. Deriving
# them deterministically from stable inputs keeps repeated `pulumi up` runs
# from replacing the resources with freshly generated IDs.
role_definition_guid = str(
    uuid.uuid5(uuid.NAMESPACE_URL, f"{account_id}/ReadWriteContainersAndItems")
)
role_assignment_guid = str(uuid.uuid5(uuid.NAMESPACE_URL, f"{account_id}/{object_id}"))

# Create a SQL Role Definition that specifies the data actions permitted:
# read and write access to containers and items, plus the metadata read that
# every SDK client needs.
sql_role_definition = azure_native.documentdb.SqlResourceSqlRoleDefinition(
    "sqlRoleDefinition",
    account_name=cosmosdb_account_name,
    resource_group_name=resource_group_name,
    role_definition_id=role_definition_guid,
    role_name="ReadWriteContainersAndItems",
    type="CustomRole",
    # Where this definition may be assigned; here, anywhere within the account.
    assignable_scopes=[account_id],
    permissions=[
        azure_native.documentdb.PermissionArgs(
            data_actions=[
                "Microsoft.DocumentDB/databaseAccounts/readMetadata",
                "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
                "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create",
                "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/replace",
                "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/delete",
            ],
        ),
    ],
)

# Create a SQL Role Assignment that binds the Azure AD identity to the Role
# Definition. `scope` is the data-plane path the grant applies to; the whole
# account here, but it can be narrowed to `/dbs/<db>` or `/dbs/<db>/colls/<container>`.
sql_role_assignment = azure_native.documentdb.SqlResourceSqlRoleAssignment(
    "sqlRoleAssignment",
    account_name=cosmosdb_account_name,
    resource_group_name=resource_group_name,
    role_assignment_id=role_assignment_guid,
    principal_id=object_id,
    scope=account_id,
    # The full resource ID of the definition created above.
    role_definition_id=sql_role_definition.id,
)

# Export the role definition and assignment IDs
pulumi.export("sqlRoleDefinitionId", sql_role_definition.id)
pulumi.export("sqlRoleAssignmentId", sql_role_assignment.id)
```
In this program, replace `'my_resource_group'`, `'my_cosmosdb_account'` and `'your-azure-ad-identity-object-id'` with your resource group name, Cosmos DB account name and the object ID of the Azure AD identity (a user, group, service principal or managed identity) respectively.

The role definition's `permissions` argument takes a list of `data_actions`, the data-plane operations the role may perform. The `Microsoft.DocumentDB/databaseAccounts/readMetadata` action is needed by every SDK client, because the SDK reads account and container metadata before it can route requests; grant the item-level actions beyond that only as far as the workload needs them. `assignable_scopes` states where this role definition may be assigned; here it is scoped to the Cosmos DB account.

The `SqlResourceSqlRoleAssignment` resource ties an Azure AD identity (`principal_id`) to the role definition, granting that identity the role's permissions at `scope`. The assignment's `role_definition_id` must be the full resource ID of the definition, which is why the program passes the `id` output of the `SqlResourceSqlRoleDefinition` rather than a hand-written string. The `scope` does not have to be the whole account: appending `/dbs/<database>` or `/dbs/<database>/colls/<container>` to the account ID limits the grant to one database or one container, which is the usual least-privilege choice for an application that touches a single container. The assignment scope must sit at or below one of the definition's `assignable_scopes`.

Two caveats are worth checking once the assignment is in place. First, the account keys keep working alongside RBAC; if the intent is to retire key-based access, set `disable_local_auth=True` on the `DatabaseAccount` resource, otherwise a leaked key still bypasses every role you define. Second, SQL role assignments are data-plane only: they do not let the identity list keys or change account settings, and control-plane Azure RBAC roles do not grant data access through this mechanism.

Following this example, you can create roles with different permissions and assign them to different identities at different scopes to manage access to your Cosmos DB data with RBAC.
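The scope and least-privilege points above are easy to get wrong by hand, so the following helpers, added here as an example and not part of the page's Pulumi program or of Pulumi's own SDK, build data-plane scope strings, derive stable GUIDs for `role_definition_id` and `role_assignment_id`, check that an assignment scope falls under the definition's assignable scopes, and flag the common least-privilege mistakes in a custom role (wildcard actions, actions outside the Cosmos DB namespace, a missing `readMetadata`, assignable scopes that leak outside the account). The account ID used in the usage call is a constructed placeholder; the action strings follow the Cosmos DB data-plane action namespace used in the program above.

```python
"""Helpers for scoping and sanity-checking Cosmos DB SQL RBAC roles (added example;
plain Python with no Azure dependencies so it runs offline)."""
import uuid
from typing import List, Optional

# Every SQL API data action lives under this prefix.
ACTION_PREFIX = "Microsoft.DocumentDB/databaseAccounts/"
# Required by the SDKs to read account/container metadata before issuing requests.
READ_METADATA = ACTION_PREFIX + "readMetadata"


def build_scope(account_id: str, database: Optional[str] = None,
                container: Optional[str] = None) -> str:
    """Data-plane scope for a role assignment: the whole account, one database,
    or one container inside that database."""
    if container and not database:
        raise ValueError("a container scope needs its database")
    scope = account_id
    if database:
        scope += f"/dbs/{database}"
    if container:
        scope += f"/colls/{container}"
    return scope


def stable_guid(*parts: str) -> str:
    """Deterministic GUID for role_definition_id / role_assignment_id, derived from
    stable inputs so repeated deployments do not replace the resource."""
    return str(uuid.uuid5(uuid.NAMESPACE_URL, "/".join(parts)))


def scope_is_assignable(scope: str, assignable_scopes: List[str]) -> bool:
    """An assignment scope must be at or below one of the role's assignable scopes."""
    return any(scope == s or scope.startswith(s + "/") for s in assignable_scopes)


def check_role(data_actions: List[str], assignable_scopes: List[str],
               account_id: str) -> List[str]:
    """Return least-privilege findings for a custom role definition (empty = clean)."""
    findings = []
    for action in data_actions:
        if not action.startswith(ACTION_PREFIX):
            findings.append(f"unknown action namespace: {action}")
        elif action.endswith("/*"):
            findings.append(f"wildcard action grants every sub-action: {action}")
    if READ_METADATA not in data_actions:
        findings.append("missing readMetadata: SDK clients cannot resolve containers "
                        "and partition key ranges without it")
    for s in assignable_scopes:
        if not s.startswith(account_id):
            findings.append(f"assignable scope is outside this account: {s}")
    return findings


if __name__ == "__main__":
    # Constructed placeholder account ID, not a real subscription.
    account = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
               "/providers/Microsoft.DocumentDB/databaseAccounts/acct")
    reader_actions = [READ_METADATA,
                      ACTION_PREFIX + "sqlDatabases/containers/items/read"]
    scope = build_scope(account, "orders", "events")
    print("scope:", scope)
    print("assignable:", scope_is_assignable(scope, [account]))
    print("definition id:", stable_guid(account, "OrdersEventsReader"))
    print("findings:", check_role(reader_actions, [account], account))
    print("findings for a sloppy role:",
          check_role([ACTION_PREFIX + "sqlDatabases/containers/items/*"],
                     ["/subscriptions/other"], account))
```

Run the file directly to see a clean container-scoped reader role pass and a wildcard role with an out-of-account assignable scope fail; in a Pulumi program, feed `stable_guid(...)` into `role_definition_id`/`role_assignment_id`, `build_scope(...)` into the assignment's `scope`, and treat any non-empty `check_role(...)` result as a reason not to deploy.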
For more information about Azure Cosmos DB SQL API RBAC, visit the official documentation.