---
title: Restrict user access to data operations only with Azure Cosmos DB
description: Learn how to restrict access to data operations only with Azure Cosmos DB
author: seesharprun
ms.service: cosmos-db
ms.topic: how-to
ms.date: 12/9/2019
ms.author: sidandrews
ms.reviewer: mjbrown
ms.custom: devx-track-azurepowershell
---
In Azure Cosmos DB, there are two ways to authenticate your interactions with the database service:

- using your Azure Active Directory identity when interacting with the Azure portal,
- using Azure Cosmos DB keys or resource tokens when issuing calls from APIs and SDKs.

Each authentication method gives access to different sets of operations, with some overlap:
:::image type="content" source="./media/how-to-restrict-user-data/operations.png" alt-text="Split of operations per authentication type" border="false":::
In some scenarios, you may want to restrict some users of your organization to perform data operations (that is CRUD requests and queries) only. This is typically the case for developers who don't need to create or delete resources, or change the provisioned throughput of the containers they are working on.
You can restrict the access by applying the following steps:

- Creating a custom Azure Active Directory role for the users whose access you want to restrict. The custom role should grant a fine-grained level of access by using Azure Cosmos DB's granular actions.
- Disallowing the execution of non-data operations with keys. You achieve this by restricting these operations to Azure Resource Manager calls only.
The next sections of this article show how to perform these steps.
> [!NOTE]
> In order to execute the commands in the next sections, you need to install Azure PowerShell Module 3.0.0 or later, as well as have the Azure Owner role on the subscription that you are trying to modify.
In the PowerShell scripts in the next sections, substitute the following placeholders with values specific to your environment:

- `$MySubscriptionId` - The subscription ID that contains the Azure Cosmos account where you want to limit the permissions. For example: `e5c8766a-eeb0-40e8-af56-0eb142ebf78e`.
- `$MyResourceGroupName` - The resource group containing the Azure Cosmos account. For example: `myresourcegroup`.
- `$MyAzureCosmosDBAccountName` - The name of your Azure Cosmos account. For example: `mycosmosdbsaccount`.
- `$MyUserName` - The login (username@domain) of the user for whom you want to limit access. For example: `cosmosdbuser@contoso.com`.
Azure PowerShell commands require you to log in and select the subscription before executing the commands:

```powershell
Login-AzAccount
Select-AzSubscription $MySubscriptionId
```
The following script creates an Azure Active Directory role assignment with "Key Only" access for Azure Cosmos accounts. The role is based on Azure custom roles and granular actions for Azure Cosmos DB. These roles and actions are part of the `Microsoft.DocumentDB` Azure Active Directory namespace.

- First, create a JSON document named `AzureCosmosKeyOnlyAccess.json` with the following content:

  ```json
  {
    "Name": "Azure Cosmos DB Key Only Access Custom Role",
    "Id": "00000000-0000-0000-0000-0000000000",
    "IsCustom": true,
    "Description": "This role restricts the user to read the account keys only.",
    "Actions": [
      "Microsoft.DocumentDB/databaseAccounts/listKeys/action"
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [
      "/subscriptions/$MySubscriptionId"
    ]
  }
  ```

- Run the following commands to create the role definition and assign it to the user at the scope of the Azure Cosmos account:

  ```powershell
  New-AzRoleDefinition -InputFile "AzureCosmosKeyOnlyAccess.json"
  New-AzRoleAssignment -SignInName $MyUserName -RoleDefinitionName "Azure Cosmos DB Key Only Access Custom Role" -ResourceGroupName $MyResourceGroupName -ResourceName $MyAzureCosmosDBAccountName -ResourceType "Microsoft.DocumentDb/databaseAccounts"
  ```
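A restriction like this is only as good as the rest of the user's assignments: a Contributor or Owner assignment inherited from the resource group or subscription still lets the user create and delete resources with their Azure AD identity. The following script is an added verification example, not part of the original article or of the Az module; it checks that the custom role grants exactly the `listKeys` action and lists every role assignment that applies to the user at the account scope, including inherited ones. It assumes the placeholders defined above and an authenticated Az session.

```powershell
# Added example (not from the original article): audit the custom role definition and the
# user's effective assignments on the account. Assumes $MySubscriptionId, $MyResourceGroupName,
# $MyAzureCosmosDBAccountName and $MyUserName are set and Login-AzAccount has been run.

$roleName       = "Azure Cosmos DB Key Only Access Custom Role"
$allowedActions = @("Microsoft.DocumentDB/databaseAccounts/listKeys/action")

# 1. The role definition must grant nothing beyond listKeys and no data-plane actions.
$role = Get-AzRoleDefinition -Name $roleName
if ($null -eq $role) { throw "Role definition '$roleName' was not found." }

$extraActions = @($role.Actions | Where-Object { $_ -notin $allowedActions })
$dataActions  = @($role.DataActions)
if ($extraActions.Count -gt 0 -or $dataActions.Count -gt 0) {
    Write-Warning ("Role '$roleName' grants more than listKeys: " +
                   (($extraActions + $dataActions) -join ', '))
} else {
    Write-Host "Role definition OK: grants only $($allowedActions -join ', ')"
}

# 2. Every assignment that applies to the user at the account scope. Get-AzRoleAssignment
#    with -Scope also returns assignments inherited from the resource group and the
#    subscription, which is exactly what an auditor needs to see here.
$accountScope = "/subscriptions/$MySubscriptionId/resourceGroups/$MyResourceGroupName" +
                "/providers/Microsoft.DocumentDB/databaseAccounts/$MyAzureCosmosDBAccountName"

$assignments = @(Get-AzRoleAssignment -SignInName $MyUserName -Scope $accountScope)
if ($assignments.Count -eq 0) {
    Write-Warning "No role assignments found for $MyUserName at $accountScope"
}

foreach ($a in $assignments) {
    # Anything other than the key-only role widens the user's permissions and needs review.
    $status = if ($a.RoleDefinitionName -eq $roleName) { "expected" } else { "REVIEW" }
    "{0,-9} {1,-48} {2}" -f $status, $a.RoleDefinitionName, $a.Scope
}
```

Any line flagged `REVIEW` is an assignment, direct or inherited, that lets the user reach control-plane operations the key-only role was meant to withhold.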
The following commands remove the ability to use keys to:

- create, modify or delete resources
- update container settings (including indexing policies, throughput etc.).

```powershell
$cdba = Get-AzResource -ResourceType "Microsoft.DocumentDb/databaseAccounts" -ApiVersion "2015-04-08" -ResourceGroupName $MyResourceGroupName -ResourceName $MyAzureCosmosDBAccountName
$cdba.Properties.disableKeyBasedMetadataWriteAccess="True"
$cdba | Set-AzResource -Force
```
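Because `disableKeyBasedMetadataWriteAccess` is set per account, it is easy to harden one account and forget the others. The script below is an added example, not part of the original article or of the Az module; it reads the property back for every Azure Cosmos account in the current subscription using the same resource type and API version the article uses, reports the ones that still accept metadata writes with keys, and confirms the flag on the account modified above. It assumes an authenticated Az session with read access to the subscription and the `$MyAzureCosmosDBAccountName` placeholder from the article.

```powershell
# Added example (not from the original article): subscription-wide audit of the
# disableKeyBasedMetadataWriteAccess property. Assumes Login-AzAccount / Select-AzSubscription
# have been run and $MyAzureCosmosDBAccountName is set.

$accountType = "Microsoft.DocumentDb/databaseAccounts"
$apiVersion  = "2015-04-08"   # same API version the article uses for this property

function Get-KeyMetadataWriteStatus {
    param([Parameter(Mandatory)][string]$ResourceId)
    # Fetch the individual resource so that .Properties is fully populated.
    $account = Get-AzResource -ResourceId $ResourceId -ApiVersion $apiVersion
    $flag = $account.Properties.disableKeyBasedMetadataWriteAccess
    [pscustomobject]@{
        Name             = $account.Name
        ResourceGroup    = $account.ResourceGroupName
        # $null (never set) or $false both mean keys can still write metadata.
        KeyWritesBlocked = ($flag -eq $true)
    }
}

$report = @(Get-AzResource -ResourceType $accountType |
    ForEach-Object { Get-KeyMetadataWriteStatus -ResourceId $_.ResourceId })

$report | Sort-Object KeyWritesBlocked, Name | Format-Table -AutoSize

$open = @($report | Where-Object { -not $_.KeyWritesBlocked })
if ($open.Count -gt 0) {
    Write-Warning ("$($open.Count) account(s) still allow metadata writes with keys: " +
                   ($open.Name -join ', '))
}

# Confirm the account hardened in the previous step actually has the flag set.
$target = $report | Where-Object { $_.Name -eq $MyAzureCosmosDBAccountName }
if ($null -eq $target) {
    Write-Warning "Account $MyAzureCosmosDBAccountName not found in this subscription"
} elseif (-not $target.KeyWritesBlocked) {
    throw "Account $MyAzureCosmosDBAccountName still accepts key-based metadata writes"
} else {
    Write-Host "Account $MyAzureCosmosDBAccountName: key-based metadata writes are disabled"
}
```

Running this on a schedule, or after any deployment that recreates accounts, catches the case where an account is redeployed from a template that omits the property and silently reverts to the default.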
- Learn more about Cosmos DB's role-based access control
- Get an overview of secure access to data in Cosmos DB