Azure Cosmos DB read data using role based access control
I have a Cosmos DB in Azure, and I want to give a user access to read the data inside various collections.

I tried giving them the 'Reader' role; it let them see that there existed a Cosmos DB, and they could see some metadata. But they were unable to access the data within.

I assigned them the 'Cosmos DB Account Reader' role and this had better results.

But it seems to me that the 'Reader' role should supersede the 'Cosmos DB Account Reader' role. Or am I on the wrong track here? I believed that the 'Reader' role gave all read access.

EDIT:
There seems to be no issue using the built-in 'Data Explorer' on portal.azure.com.

The real issue is with using cosmos.azure.com: logging in using Active Directory did not let the user see anything with the 'Cosmos DB Account Reader' role. Might be it requires a user to have write access.

Messick answered 3/7, 2020 at 8:54

In order to read the data from Cosmos DB accounts, a user should be in a role that allows fetching access keys. A Reader role does not have this capability. However, the Cosmos DB Account Reader role has the capability to fetch the read-only access keys, using which a user in this role can read the data (but not make any changes to that data).

From this link, here's the definition of the Cosmos DB Account Reader role:

{
  "assignableScopes": [
    "/"
  ],
  "description": "Can read Azure Cosmos DB Accounts data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
  "name": "fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.DocumentDB/*/read",
        "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
        "Microsoft.Insights/MetricDefinitions/read",
        "Microsoft.Insights/Metrics/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Cosmos DB Account Reader Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

The Microsoft.DocumentDB/databaseAccounts/readonlykeys/action action enables getting the read-only access keys and thus reading the data.

Tonsillotomy answered 3/7, 2020 at 9:34

Comments:
I just tried this, but it seems that the user still cannot read any data. (Messick)
What's the error message you're getting? Can you edit your question and provide more details about what you did? (Tonsillotomy)
I'll edit it now; turns out that the portal.azure.com Data Explorer worked, but cosmos.azure.com did not work. (Messick)

You need to give specific role definitions for Azure Cosmos DB data access. These are distinct from Azure role-based access control role definitions.

PowerShell code to assign these roles:

$resourceGroupName = "<myResourceGroup>"
$accountName = "<myCosmosAccount>"
$readOnlyRoleDefinitionId = "<roleDefinitionId>" # as fetched above
# For Service Principals make sure to use the Object ID as found in the Enterprise applications section of the Azure Active Directory portal blade.
$principalId = "<aadPrincipalId>"
New-AzCosmosDBSqlRoleAssignment -AccountName $accountName `
    -ResourceGroupName $resourceGroupName `
    -RoleDefinitionId $readOnlyRoleDefinitionId `
    -Scope "/" `
    -PrincipalId $principalId

https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#built-in-role-definitions

Whispering answered 7/3 at 17:33