Hi @Amit Kumar
If the IIB application is deployed on an Azure VM, you can use a managed identity to access Cosmos DB using RBAC. This link details the RBAC roles for Cosmos DB that you can assign to the managed identity: https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac
The link below provides sample code on how to get a managed identity credential in different languages and initialise a Cosmos client.
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-vm-managed-identities-cosmos?tabs=azure-portal#access-data
You can also use key-based authentication, but Azure AD auth with a service principal/managed identity is recommended.
There are two ways you can authenticate from your application: authenticate with a service principal, or use interactive user authentication. Since you mentioned you were using key-based auth for dev, ideally you would go with service principal auth.
So the steps for SP auth would be as described here:
https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#initialize-the-sdk-with-azure-ad
Java sample from the above link (imports and comments added so it compiles as-is):

```java
import com.azure.core.credential.TokenCredential;
import com.azure.cosmos.CosmosAsyncClient;
import com.azure.cosmos.CosmosClientBuilder;
import com.azure.identity.ClientSecretCredentialBuilder;

// Client-credentials (service principal) token source: tenant, app id and secret
// of the app registration that holds the Cosmos DB data-plane RBAC role assignment.
TokenCredential servicePrincipal = new ClientSecretCredentialBuilder()
        .authorityHost("https://login.microsoftonline.com")
        .tenantId("<azure-ad-tenant-id>")
        .clientId("<client-application-id>")
        .clientSecret("<client-application-secret>")
        .build();

// The SDK requests and refreshes the Azure AD token itself and attaches it to every request.
CosmosAsyncClient client = new CosmosClientBuilder()
        .endpoint("<account-endpoint>")
        .credential(servicePrincipal)
        .build();
```
We are currently doing all app data work by firing Cosmos DB SQL REST APIs. Creating a Cosmos client will not help me with invoking those APIs, right? With a Cosmos client I will be able to write and run SQL queries to do data operations.
I was going through the details provided in https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac
When constructing the REST API authorization header, set the type parameter to aad and the hash signature (sig) to the OAuth token as shown in the following example:

```
type=aad&ver=1.0&sig=<token-from-oauth>
```

From where would I get this OAuth token to be passed in the header? Is it the same as the token credential? Or is it a service principal, or does the cloud security team have to do any setup in Azure AD to generate this OAuth token? Also, is it a one-time token or is it dynamic?
Hi Amit Kumar,
The sample code provided earlier uses the Cosmos DB SDK, which hides the complexity of calling the REST API directly.
If you want to use the REST APIs directly, then to obtain an OAuth token from Azure AD using the client credentials flow, you need to invoke the token endpoint of the Microsoft identity platform as described here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#get-a-token
Once you obtain the access token, you can follow the Cosmos DB REST API link to pass the token as part of the Authorization header.
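The following is an added example, not code from either participant or from Microsoft's documentation, showing the two steps above end to end for a REST-only client: a client-credentials token request against the v2.0 token endpoint, a small cache that re-requests the token shortly before `expires_in` runs out (the token is short-lived, not one-time), and the URL-encoded `type=aad&ver=1.0&sig=<token>` Authorization header from the thread. It uses Python rather than Java so the REST flow is visible without an SDK. The tenant, client, secret and account values are placeholders; the scope `https://cosmos.azure.com/.default` and the `x-ms-version` value are assumptions to confirm against the Cosmos DB RBAC and REST docs. The HTTP transport is injectable so the logic can be exercised without network access.

```python
import json
import time
import urllib.parse
import urllib.request
from email.utils import formatdate

# Placeholders (constructed): replace with the app registration and account in use.
TENANT_ID = "<azure-ad-tenant-id>"
CLIENT_ID = "<client-application-id>"
CLIENT_SECRET = "<client-application-secret>"
COSMOS_ENDPOINT = "https://<account-name>.documents.azure.com"
# Assumed data-plane scope for Cosmos DB; confirm against the RBAC documentation.
COSMOS_SCOPE = "https://cosmos.azure.com/.default"


def build_token_request(tenant_id, client_id, client_secret, scope):
    """Return (url, form_body) for the client-credentials grant at the v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
        "grant_type": "client_credentials",
    }).encode("ascii")
    return url, body


def post_form(url, body):
    """Real transport: POST the form body and return the parsed JSON token response."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


class TokenCache:
    """Holds one access token and refreshes it `skew` seconds before expires_in elapses.

    Tokens from the client-credentials flow are bearer tokens with a lifetime
    (expires_in), so they are reused across requests and renewed, not issued once.
    """

    def __init__(self, transport=post_form, now=time.time, skew=300):
        self._transport = transport
        self._now = now
        self._skew = skew
        self._token = None
        self._expires_at = 0.0

    def get_token(self):
        if self._token is None or self._now() >= self._expires_at - self._skew:
            url, body = build_token_request(TENANT_ID, CLIENT_ID, CLIENT_SECRET, COSMOS_SCOPE)
            resp = self._transport(url, body)
            if resp.get("token_type") != "Bearer" or "access_token" not in resp:
                # Fail closed; do not log the response body, it may contain the token.
                raise RuntimeError("unexpected token response from the token endpoint")
            self._token = resp["access_token"]
            self._expires_at = self._now() + int(resp["expires_in"])
        return self._token


def cosmos_auth_header(access_token):
    """Build the AAD form of the Cosmos DB REST Authorization header value.

    Cosmos DB expects the whole string URL-encoded, so '=' and '&' become %3D and %26.
    """
    return urllib.parse.quote(f"type=aad&ver=1.0&sig={access_token}", safe="")


def cosmos_request_headers(access_token, api_version="2018-12-31"):
    """Headers for a data-plane REST call; api_version is an assumed example value."""
    return {
        "Authorization": cosmos_auth_header(access_token),
        "x-ms-date": formatdate(usegmt=True),  # RFC 1123 date in UTC
        "x-ms-version": api_version,
        "Content-Type": "application/json",
    }


if __name__ == "__main__":
    # Real use: one cache per process, token reused until close to expiry.
    cache = TokenCache()
    headers = cosmos_request_headers(cache.get_token())
    print({k: v for k, v in headers.items() if k != "Authorization"})
```

The secret never leaves the token request, and the cache means the token endpoint is called once per token lifetime rather than once per Cosmos DB call; granting the app registration only the Cosmos DB data-plane role it needs keeps the blast radius of a leaked token small.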