Integrating Azure Active Directory with Cosmos DB MongoDB API
To integrate Azure Active Directory (AAD) with Cosmos DB using the MongoDB API, you'll need to set up an Azure AD application and service principal that will be used for authentication. Then, you'll configure the Cosmos DB account to use the Azure AD identity for authentication.
In this guide, I'll walk you through the necessary steps using Pulumi, an Infrastructure as Code tool. We'll write a TypeScript program to define the necessary cloud resources.
Program Explanation
The program consists of several parts:
- Azure AD Application: Represents the identity of the application to be integrated with AAD.
- Service Principal: The instantiation of the application within a specific tenant. It grants the Azure AD application access to the specific tenant.
- Role Assignment: Assigns the application to a role with permissions to access specific resources, like Cosmos DB.
- Cosmos DB Account: Configures the MongoDB API database with Azure AD integration.
- Exported Output: For the Cosmos DB account endpoint, which you can use to connect to your database.
Prerequisites
- Azure subscription: Ensure that you have an Azure subscription where you can deploy resources.
- Pulumi: You have installed Pulumi on your local machine and have signed up for a Pulumi account.
- Azure CLI: Authenticate with Azure CLI using `az login` so Pulumi can deploy resources to your account.
Now, let's look at the Pulumi program in TypeScript:
```typescript
import * as azuread from "@pulumi/azuread";
import * as cosmosdb from "@pulumi/azure-native/documentdb";
import * as authorization from "@pulumi/azure-native/authorization";
import * as pulumi from "@pulumi/pulumi";

// Create an Azure AD application for our Cosmos DB
const app = new azuread.Application("cosmosApp", {
    displayName: "cosmosApp",
});

// A service principal for the Azure AD application
const sp = new azuread.ServicePrincipal("cosmosAppSp", {
    applicationId: app.applicationId,
});

// TODO: Replace the following with appropriate Cosmos DB MongoDB API configuration
// Cosmos DB account with MongoDB API configured to use Azure Active Directory
const cosmosAccount = new cosmosdb.DatabaseAccount("cosmosAccount", {
    resourceGroupName: "YOUR_RESOURCE_GROUP_NAME", // replace with your resource group name
    // other required properties
    // ...
    kind: "MongoDB", // without this the account is created with the NoSQL (Core) API
    capabilities: [{ name: "EnableMongo" }], // capability required for MongoDB API accounts
    databaseAccountOfferType: "Standard", // or other offer type as required
    locations: [
        {
            locationName: "West US", // replace with your preferred location
            failoverPriority: 0,
        },
    ],
    // Enable Azure AD authentication
    identity: {
        type: "SystemAssigned",
    },
    apiProperties: {
        serverVersion: "4.0", // specify MongoDB server version
    },
});

// Output the endpoint of the Cosmos DB account
export const endpoint = cosmosAccount.documentEndpoint;

// Don't forget to assign the necessary role to the Service Principal for the database
// Example placeholder for role definition and assignment
// const roleDefinition = //...;
// const roleAssignment = new authorization.RoleAssignment("sp-cosmosdb-role-assignment", {
//     principalId: sp.objectId, // the service principal's object ID, not the application (client) ID
//     principalType: "ServicePrincipal",
//     roleDefinitionId: roleDefinition.id,
//     scope: cosmosAccount.id,
// });
```
In this program:
- We start by creating an Azure AD application and a service principal attached to it.
- Then, we create a Cosmos DB account configured to use the MongoDB API. We do this by setting `databaseAccountOfferType`, `locations` and `apiProperties`.
- We enable Azure AD with the `identity` block, which is set to `SystemAssigned`.
- The sample output `endpoint` will contain the endpoint URL for the Cosmos DB account, which you can use in your applications.
Important Notes:
- Replace `"YOUR_RESOURCE_GROUP_NAME"` with your actual Azure resource group name and adjust `locations` and `failoverPriority` as necessary.
- The `serverVersion` should match the version required by your MongoDB application.
- The commented-out section with `roleDefinition` and `roleAssignment` serves as a placeholder. You'll need to create a role definition for Cosmos DB and assign it to the service principal. This assignment grants the application the required permissions on the Cosmos DB account.
After the code, you run `pulumi up` to deploy your infrastructure. Remember to check the Azure documentation for the exact permissions required by Cosmos DB for your specific use case when creating the role definition.