Cosmos DB Client Encryption Key Management in IaC

Divsalar, Ben 0 Reputation points
2024-11-14T15:34:30.5433333+00:00

We are working to implement client-side encryption in Cosmos DB through our infrastructure-as-code (IaC) setup with Pulumi. However, the current approach requires using the Cosmos DB SDK to manage encryption keys, which would necessitate assigning our GitHub Actions runner RBAC access to Cosmos DB. This requirement poses security concerns, as it involves exposing Cosmos DB access to the GitHub environment.

We are looking for an alternative way to manage Cosmos DB client encryption keys directly through the Azure API, allowing us to avoid SDK dependencies and maintain secure, automated provisioning in Pulumi. Could you advise on any options or enhancements for handling encryption key management via Azure API within IaC frameworks?

Azure Cosmos DB
Azure Cosmos DB
An Azure NoSQL database service for app development.
1,691 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Sina Salam 13,371 Reputation points
    2024-11-14T19:47:35.69+00:00

    Hello Divsalar, Ben,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you would like to have an advice on any options or enhancements for handling encryption key management via Azure API within IaC frameworks.

    To meet your goals of secure, automated client-side encryption key management in Cosmos DB, within IaC framework:

    1. Leverage Azure Key Vault with GitHub OIDC Integration.
      1. Setup Key Management in Azure Key Vault:
      2. Store and manage Cosmos DB client-side encryption keys in Key Vault.
      3. Use Azure Key Vault REST API to manage keys programmatically in Pulumi.
      4. Use GitHub OIDC for Secure Authentication:
      5. Configure GitHub Actions to authenticate directly with Azure using OIDC.
      6. Grant the GitHub Action runner access only to Key Vault (via Azure Role Assignments like Key Vault Secrets User).
      7. For more details and how to: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect and https://colinsalmcorner.com/actions-authenticate-to-azure-without-a-secret
    2. Use Pulumi to orchestrate the entire process, leveraging the Azure Key Vault and Cosmos DB REST APIs.
      1. Define Pulumi resources for Key Vault integration and ensure encryption keys are passed securely during Cosmos DB setup.
    3. Enforce Principle of Least Privilege.
      1. Restrict GitHub Action runner to access only Key Vault, without granting direct Cosmos DB access.
      2. For Cosmos DB encryption setup, rely on Pulumi to configure resources without persistent RBAC exposure to GitHub.
    4. Enforce a policy to ensure Cosmos DB instances are always configured with customer-managed keys from Key Vault, increasing security and compliance.

    I think this should be a best approach that balances security, automation, and flexibility without requiring excessive privileges for GitHub runners or introducing SDK dependencies.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.


    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.