- AZ CLI
- Azure Cosmos DB Name: $accountName
- Azure Cosmos DB Resource Group: $resourceGroupName
- Principal Id (account id that needs access): $principalId, obtained via az cli
- Custom role definition id: $roleDefinitionId, obtained via az cli after creating the custom role
These instructions are tailored for PowerShell, but you can adjust them to work with whatever shell you prefer. The purpose is to grant an account read/write access to Azure Cosmos DB. I did this so I could read/write data using the EF Core Cosmos Provider; without this RBAC the InteractiveBrowserCredential would not work and my owner account would still receive 403: Forbidden errors.
Create a file called readWriteRole.json and put the following JSON into it; feel free to customize the RoleName. I will be honest, I didn't mess with the scopes part and have no idea where that comes into play or when you would want to modify it. I used this just for adding RBAC for my owner account to my Azure Cosmos DB.
Anyway, the JSON...

```json
{
  "RoleName": "CustomReadWriteRole",
  "Type": "CustomRole",
  "AssignableScopes": [
    "/"
  ],
  "Permissions": [
    {
      "DataActions": [
        "Microsoft.DocumentDB/databaseAccounts/readMetadata",
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*",
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*"
      ]
    }
  ]
}
```

Open PowerShell, preferably so that the JSON file above is in the current working directory. If not, cd into that directory to make things easier.
First assign some variables.

```powershell
$accountName="foo-database"
$resourceGroupName="bar-resource-group"
```

Now login to the az cli:

```powershell
az login
```

This will open a browser where you can log in to the CLI. Follow the prompts and consult the online documentation for help logging in.
Now enter this command to create the custom role so it can then be assigned to accounts.
```powershell
az cosmosdb sql role definition create -a $accountName -g $resourceGroupName -b readWriteRole.json
```

After executing this command you will need to copy the name (which is also the last segment of the id) from the output that Azure CLI spits out; it should be a GUID.

Example:

```json
{
  "assignableScopes": [
    "/subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.DocumentDB/databaseAccounts/<redacted>"
  ],
  "id": "/subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.DocumentDB/databaseAccounts/<redacted>/sqlRoleDefinitions/<**new custom role guid here!!!**>",
  "name": "**new custom role guid here!!!**",
  "permissions": [
    {
      "dataActions": [
        "Microsoft.DocumentDB/databaseAccounts/readMetadata",
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*",
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*"
      ],
      "notDataActions": []
    }
  ],
  "resourceGroup": "<redacted>",
  "roleName": "CustomReadWriteRole",
  "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions",
  "typePropertiesType": "CustomRole"
}
```

Get the signed-in user's id to use for $principalId, or use any other user's id that needs the role.
```powershell
az ad signed-in-user show
```

It will print out info about the user; the id field is the value for the variable $principalId.

Assign two more variables:

```powershell
$roleDefinitionId="new-custom-role-guid"
$principalId="the-guid-of-account"
```

Run this command to add the custom role to the account!

```powershell
az cosmosdb sql role assignment create -a $accountName -g $resourceGroupName -s "/" -p $principalId -d $roleDefinitionId
```

This should run and spit out some more JSON that shows what was added:
```json
{
  "id": "/subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.DocumentDB/databaseAccounts/<redacted>/sqlRoleAssignments/<redacted>",
  "name": "<redacted>",
  "principalId": "<redacted>",
  "resourceGroup": "<redacted>",
  "roleDefinitionId": "/subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.DocumentDB/databaseAccounts/<redacted>/sqlRoleDefinitions/<redacted>",
  "scope": "/subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.DocumentDB/databaseAccounts/<redacted>",
  "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments"
}
```

Now the EF Core Cosmos Provider should work with this account's credentials.
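The whole procedure above as one PowerShell script, added here as an example and not part of the original post: it parses the CLI's JSON output instead of copying the GUID by hand, reuses an existing definition with the same roleName rather than creating a duplicate, and verifies the assignment afterwards. The account, resource group and file names are placeholders.

```powershell
# Added example. Placeholders: replace the account, resource group and file name.
$ErrorActionPreference = "Stop"
$accountName       = "foo-database"
$resourceGroupName = "bar-resource-group"
$roleFile          = "readWriteRole.json"

# Fail early on a missing or malformed role file, before calling Azure.
$roleBody = Get-Content $roleFile -Raw | ConvertFrom-Json
if (-not $roleBody.RoleName) { throw "RoleName missing in $roleFile" }

# Reuse a definition with the same roleName if one already exists on the account.
$existing = az cosmosdb sql role definition list -a $accountName -g $resourceGroupName -o json |
    ConvertFrom-Json | Where-Object { $_.roleName -eq $roleBody.RoleName }

if ($existing) {
    $roleDefinitionId = @($existing)[0].name
} else {
    $created = az cosmosdb sql role definition create -a $accountName -g $resourceGroupName -b $roleFile -o json |
        ConvertFrom-Json
    # "name" is the GUID; it is the same value as the last segment of "id".
    $roleDefinitionId = $created.name
}

# Principal to grant: the signed-in user, as in the manual steps.
$principalId = (az ad signed-in-user show -o json | ConvertFrom-Json).id

# Scope "/" is the whole account; narrower scopes such as "/dbs/<database>"
# or "/dbs/<database>/colls/<container>" limit the grant to one database or container.
az cosmosdb sql role assignment create -a $accountName -g $resourceGroupName `
    -s "/" -p $principalId -d $roleDefinitionId -o none

# Verify: the assignment list must now contain this principal with this definition.
$assignments = az cosmosdb sql role assignment list -a $accountName -g $resourceGroupName -o json |
    ConvertFrom-Json
$match = $assignments | Where-Object {
    $_.principalId -eq $principalId -and
    $_.roleDefinitionId -like "*/sqlRoleDefinitions/$roleDefinitionId"
}
if (-not $match) { throw "Role assignment for $principalId not found after create" }
Write-Host "Assigned $($roleBody.RoleName) ($roleDefinitionId) to $principalId at scope $(@($match)[0].scope)"
```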
Note
Credit to someone else for the readWriteRole.json. I found it at some point and put it in my notes on my computer but didn't document where I found it. So thank you, whoever you are!
Edit: I found the source: https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#permission-model