| title | description | author | ms.author | ms.service | ms.devlang | ms.topic | ms.date | ms.reviewer |
|---|---|---|---|---|---|---|---|---|
Use a managed identity to access Azure Key Vault from Azure Cosmos DB |
Use managed identity in Azure Cosmos DB to access Azure Key Vault. |
seesharprun |
sidandrews |
cosmos-db |
csharp |
how-to |
06/01/2022 |
thweiss |
[!INCLUDEappliesto-all-apis]
Azure Cosmos DB may need to read secret/key data from Azure Key Vault. For example, your Azure Cosmos DB may require a customer-managed key stored in Azure Key Vault. To do this, Azure Cosmos DB should be configured with a managed identity, and then an Azure Key Vault access policy should grant the managed identity access.
- An Azure account with an active subscription. Create an account for free.
- An existing Azure Cosmos DB SQL API account. Create an Azure Cosmos DB SQL API account
- An existing Azure Key Vault resource. Create a key vault using the Azure CLI
- To perform the steps in this article, install the Azure CLI and sign in to Azure.
-
In a terminal or command window, store the names of your Azure Key Vault resource, Azure Cosmos DB account and resource group as shell variables named
keyVaultName,cosmosName, andresourceGroupName.# Variable for function app name keyVaultName="msdocs-keyvault" # Variable for Cosmos DB account name cosmosName="msdocs-cosmos-app" # Variable for resource group name resourceGroupName="msdocs-cosmos-keyvault-identity"[!NOTE] These variables will be re-used in later steps. This example assumes your Azure Cosmos DB account name is
msdocs-cosmos-app, your key vault name ismsdocs-keyvaultand your resource group name ismsdocs-cosmos-keyvault-identity.
First, create a system-assigned managed identity for the existing Azure Cosmos DB account.
Important
This how-to guide assumes that you are using a system-assigned managed identity. Many of the steps are similar when using a user-assigned managed identity.
-
Run
az cosmosdb identity assignto create a new system-assigned managed identity.az cosmosdb identity assign \ --resource-group $resourceGroupName \ --name $cosmosName -
Retrieve the metadata of the system-assigned managed identity using
az cosmosdb identity show, filter to just return theprincipalIdproperty using the query parameter, and store the result in a shell variable namedprincipal.principal=$( az cosmosdb identity show \ --resource-group $resourceGroupName \ --name $cosmosName \ --query principalId \ --output tsv ) echo $principal[!NOTE] This variable will be re-used in a later step.
In this step, create an access policy in Azure Key Vault using the previously managed identity.
-
Use the
az keyvault set-policycommand to create an access policy in Azure Key Vault that gives the Azure Cosmos DB managed identity permission to access Key Vault. Specifically, the policy will use the key-permissions parameters to grant permissions toget,list, andimportkeys.az keyvault set-policy \ --name $keyVaultName \ --object-id $principal \ --key-permissions get list import
- To use customer-managed keys in Azure Key Vault with your Azure Cosmos account, see configure customer-managed keys
- To use Azure Key Vault to manage secrets, see secure credentials.