Can I require managed identities on a CosmosAccount via CLI/PowerShell/Portal

mikefinch87 115 Reputation points
2024-04-01T13:22:41.0266667+00:00

https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#disable-local-auth
Shows how to disable keys from an ARM template.

Can this be done for an existing Cosmos account not created with ARM, either from CLI, PowerShell, or Portal?

QA Assist answer appears to be how to make the Cosmos Account USE a managed identity, not how to require a managed identity to access the account.


Accepted answer
  1. GeethaThatipatri-MSFT 29,557 Reputation points Microsoft Employee Moderator
    2024-04-02T13:53:03.7433333+00:00

    @******@gmail.com This is still not supported from the CLI yet; you can check the forum thread below on SO. However, I will confirm with the product team and get back on this.

    https://stackoverflow.com/questions/70849701/disable-local-authentication-methods-for-cosmos-db-database-accounts-using-azure/71918804#71918804

    Regards

    Geetha

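The property the linked ARM template sets is `disableLocalAuth`. As an added example that is not part of this thread or of Microsoft's documentation, the script below sets that property on an existing account through the generic `az resource update` command, which writes any ARM property and so does not depend on `az cosmosdb` exposing a dedicated flag, and then audits a list of accounts for the setting. It assumes a logged-in Azure CLI and the resource type `Microsoft.DocumentDB/databaseAccounts`; the resource group and account names are placeholders, and the `AZ` variable only exists so the CLI can be swapped for a stub when testing.

```shell
#!/bin/sh
# Added example, not from the thread: disable account-key / connection-string
# ("local") authentication on an existing Azure Cosmos DB account by setting
# the ARM property properties.disableLocalAuth, then audit that it took effect.
# Assumes: `az login` already done. AZ is overridable so tests can stub the CLI.

AZ="${AZ:-az}"
COSMOS_TYPE="Microsoft.DocumentDB/databaseAccounts"

# Print "true" or "false": the account's current disableLocalAuth value.
local_auth_state() {
  rg="$1"; account="$2"
  "$AZ" resource show \
    --resource-group "$rg" \
    --name "$account" \
    --resource-type "$COSMOS_TYPE" \
    --query "properties.disableLocalAuth" -o tsv
}

# Set disableLocalAuth=true via the generic resource updater (idempotent).
disable_local_auth() {
  rg="$1"; account="$2"
  "$AZ" resource update \
    --resource-group "$rg" \
    --name "$account" \
    --resource-type "$COSMOS_TYPE" \
    --set properties.disableLocalAuth=true \
    -o none
}

# Exit 0 when only Microsoft Entra ID (RBAC) auth is accepted, 1 otherwise.
local_auth_is_disabled() {
  state=$(local_auth_state "$1" "$2")
  [ "$state" = "true" ]
}

# Audit "rg/account" entries: human-readable status on stderr, and the
# non-compliant entries (keys still accepted) one per line on stdout.
audit_accounts() {
  for entry in "$@"; do
    rg=${entry%%/*}; account=${entry#*/}
    if local_auth_is_disabled "$rg" "$account"; then
      echo "OK   $entry: only Entra ID (RBAC) auth accepted" >&2
    else
      echo "WARN $entry: account keys / connection strings still accepted" >&2
      echo "$entry"
    fi
  done
}

# Stand-alone use:
#   ./cosmos-local-auth.sh audit <rg>/<account> [<rg>/<account> ...]
#   ./cosmos-local-auth.sh disable <rg> <account>
case "${1:-}" in
  audit)   shift; audit_accounts "$@" ;;
  disable) disable_local_auth "$2" "$3" ;;
esac
```

Run the audit first and fix the clients: once `disableLocalAuth` is `true`, every request that still presents an account key or connection string is rejected, so workloads need their Entra ID data-plane role assignments in place before the property is flipped. Re-running the audit afterwards confirms the setting persisted (it is a property on the account resource, so it survives the account being managed outside ARM templates).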

1 additional answer

  1. Q&A Assist
    2024-04-01T13:22:41.0433333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Yes, you can require managed identities on a CosmosAccount via CLI, PowerShell, or the Portal. To do this, you need to enable a system-assigned managed identity on your account and then use it to grant access to your Azure Key Vault account. Here are the steps:

    1. If the system-assigned managed identity wasn't configured during account creation, enable a system-assigned managed identity on your account and copy the principalId that got assigned.
    2. Add the corresponding permissions to your Azure Key Vault account as described previously, using the principalId you copied in the previous step instead of Azure Cosmos DB's first-party identity.
    3. Update your Azure Cosmos DB account to specify that you want to use the system-assigned managed identity when accessing your encryption keys in Azure Key Vault.

    You can use the Azure CLI to assign a managed identity to an access policy. Here's an example command:

    # Variables for resource group and account names
    resourceGroupName="<resource-group-name>"
    accountName="<azure-cosmos-db-account-name>"
    # Make the account use its system-assigned identity when it reaches Key Vault
    az cosmosdb update \
    --resource-group $resourceGroupName \
    --name $accountName \
    --default-identity "SystemAssignedIdentity"

    You can also use Azure PowerShell to assign a managed identity to an access policy. Here's an example command:

    Update-AzCosmosDBAccount -ResourceGroupName [ResourceGroupName] -Name [CosmosDBAccountName] -DefaultIdentity "SystemAssignedIdentity"

    Alternatively, you can use the Azure portal to enable a managed identity and grant it access to your Azure Key Vault account. Once you have done this, you can use the managed identity to access your encryption keys in Azure Key Vault.