I have been given contributor role for cosmos db, eaelier i was connecting via Keys. now need to switch to rbac. i need to call the cosmos rest apis for doing data changes via rbac, what are the steps to do it? Do i need to generate a AAD token? what detail si need from Azure side in my IIB application. Application itself is deployed in Azure.

Hi @Amit Kumar If the IIB application is deployed on Azure VM, you can use managed identity to access the Cosmos DB using RBAC. This links details the RBAC roles for Cosmos DB that you can assign to managed identity https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac Below link provides sample code on how to get a managed identity credential in different languages and initialise a cosmos client. https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-vm-managed-identities-cosmos?tabs=azure-portal#access-data You can also use key based authentication but Azure AD auth with service principal/managed identity is recommended.

How to connect to cosmos DB using sql rest apis via rbac assigned role. what are the steps. i need to connect from IBM IIB layer

Accepted answer

Vidya Narasimhan 2,126 Reputation points Microsoft Employee

2022-08-29T17:09:24.82+00:00

Hi @Amit Kumar
If the IIB application is deployed on Azure VM, you can use managed identity to access the Cosmos DB using RBAC. This links details the RBAC roles for Cosmos DB that you can assign to managed identity https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac

Below link provides sample code on how to get a managed identity credential in different languages and initialise a cosmos client.
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-vm-managed-identities-cosmos?tabs=azure-portal#access-data

You can also use key based authentication but Azure AD auth with service principal/managed identity is recommended.
Please sign in to rate this answer.
Amit Kumar 61 Reputation points

2022-08-29T17:17:00.513+00:00

IIB is on-premises. we have a handshake with cosmos using primary keys in non-prod tenant. we are now going for prod deploy and keys will be not provided for prod. Our cloud eng. team will be setting up a AZURE AD grp and will provide the grp the contributor access to cosmos db. we need to use this AD grp (once setup in azure), in our IIB java/.net layer to connect with Cosmos DB (keyless). I saw some Azure docs for RBAC way of connecting using cosmos SDK, but it doesn't say how we call the rest APIs. do we need to pass AAD token to call the cosmos SQL APIs? if yes, how to get that token, will it ptovided by cloud eng team ot we need to generate it by calling any token API?

Vidya Narasimhan 2,126 Reputation points Microsoft Employee

2022-08-30T15:54:16.393+00:00

There are two ways you can authenticate from your application, authenticate with service principal or interactive user authentication. Since you mentioned you were using key based auth for dev, ideally you would go with service principal auth.

So steps for SP auth would be

Create a service principal (SP) through application registration in Azure AD. Your Cloud engg. group can add this SP to the Azure AD group for which they have assigned CosmosDB roles.

Use the samples( Java/.Net SDK) provided in this link to obtain a tokencredential using SP clientID/secret and create a Cosmosclient object using which you can perform various oprations.
https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#initialize-the-sdk-with-azure-ad

Java Sample from above link

TokenCredential ServicePrincipal = new ClientSecretCredentialBuilder()
.authorityHost("https://login.microsoftonline.com")
.tenantId("<azure-ad-tenant-id>")
.clientId("<client-application-id>")
.clientSecret("<client-application-secret>")
.build();
CosmosAsyncClient Client = new CosmosClientBuilder()
.endpoint("<account-endpoint>")
.credential(ServicePrincipal)
.build();

Amit Kumar 61 Reputation points

2022-08-30T21:25:52.037+00:00

we are currently doing all app data work by firing Cosmos DB SQL RET APIs. creating a cosmos client will not help me with invoking those apis rit? with a cosmos client i will be able to write n run sql queries to do data operations.
I was going thru details provided in https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac

Authenticate requests on the REST API

When constructing the REST API authorization header, set the type parameter to aad and the hash signature (sig) to the oauth token as shown in the following example:

type=aad&ver=1.0&sig=<token-from-oauth>

from where would I get this oauth token to be passed in header? is it same as Token credential? or is it a service principal or does cloud security team has to do any setup in Azure AD to generate this oauth token? Also, is it a one time token or its dynamic?

Vidya Narasimhan 2,126 Reputation points Microsoft Employee

2022-09-01T18:10:09.737+00:00

Hi Amit Kumar,

The sample code provided earlier uses Cosmos DB SDK that hides complexity of calling Rest API directly.
If you want to directly use the APIs, then to obtain an oauth token from Azure AD using client credential flow, you need to invoke the token endpoint of Microsoft Identity as described here https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#get-a-token

Once you obtain the access token, you can follow the Cosmos DB rest api link to pass the token as part of authorization header
Sign in to comment

Share via

How to connect to cosmos DB using sql rest apis via rbac assigned role. what are the steps. i need to connect from IBM IIB layer

0 additional answers