APPLIES TO: NoSQL, MongoDB, Cassandra, Gremlin, Table
Azure Cosmos DB may need to read secret/key data from Azure Key Vault. For example, your Azure Cosmos DB account may require a customer-managed key stored in Azure Key Vault. To allow this, Azure Cosmos DB should be configured with a managed identity, and an Azure Key Vault access policy should then grant that managed identity access.
In a terminal or command window, store the names of your Azure Key Vault resource, Azure Cosmos DB account and resource group as shell variables named keyVaultName, cosmosName, and resourceGroupName.
# Variable for Azure Key Vault name
keyVaultName="msdocs-keyvault"
# Variable for Azure Cosmos DB account name
cosmosName="msdocs-cosmos-app"
# Variable for resource group name
resourceGroupName="msdocs-cosmos-keyvault-identity"
Note
These variables will be re-used in later steps. This example assumes your Azure Cosmos DB account name is msdocs-cosmos-app, your key vault name is msdocs-keyvault and your resource group name is msdocs-cosmos-keyvault-identity.
First, create a system-assigned managed identity for the existing Azure Cosmos DB account.
Important
This how-to guide assumes that you are using a system-assigned managed identity. Many of the steps are similar when using a user-assigned managed identity.
Run az cosmosdb identity assign to create a new system-assigned managed identity.
az cosmosdb identity assign \
--resource-group $resourceGroupName \
--name $cosmosName
Retrieve the metadata of the system-assigned managed identity using az cosmosdb identity show, filter to just return the principalId property using the query parameter, and store the result in a shell variable named principal.
principal=$(
az cosmosdb identity show \
--resource-group $resourceGroupName \
--name $cosmosName \
--query principalId \
--output tsv
)
echo $principal
Note
This variable will be re-used in a later step.
In this step, create an access policy in Azure Key Vault for the managed identity created previously.
Use the az keyvault set-policy command to create an access policy in Azure Key Vault that gives the Azure Cosmos DB managed identity permission to access Key Vault. Specifically, the policy uses the key-permissions parameter to grant the get, list, and import key permissions.
az keyvault set-policy \
--name $keyVaultName \
--object-id $principal \
--key-permissions get list import
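As an added verification step that is not part of the original article, the script below checks that the access policy ends up granting the managed identity exactly the get, list and import key permissions and nothing more, so an over-broad policy is caught before the account goes into use. The fetch_key_permissions helper and its JMESPath query are assumptions that need a signed-in az CLI; check_key_permissions runs offline on a constructed permission list such as the one az would return.

```bash
#!/usr/bin/env bash
# Verify the Key Vault access policy granted to the Cosmos DB managed identity.
# Added example, not from the original article.
set -euo pipefail

# Key permissions the how-to grants with `az keyvault set-policy`.
EXPECTED_KEY_PERMISSIONS="get list import"

# Return the key permissions granted to one object ID in the vault's access
# policies. The JMESPath filter is an assumption; requires a signed-in az CLI.
fetch_key_permissions() {
  local vault="$1" object_id="$2"
  az keyvault show --name "$vault" \
    --query "accessPolicies[?objectId=='${object_id}'].permissions.keys | [0]" \
    --output tsv
}

# Compare a whitespace-separated list of granted permissions (as printed by
# `--output tsv`) with the expected set. Returns 0 on an exact match, otherwise
# reports each missing or excess permission and returns 1. Matching is
# case-insensitive because Key Vault echoes permissions in the casing set.
check_key_permissions() {
  local status=0 perm granted
  granted=" $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -s ' \t\n' ' ') "
  for perm in $EXPECTED_KEY_PERMISSIONS; do
    case "$granted" in
      *" $perm "*) ;;
      *) echo "missing key permission: $perm"; status=1 ;;
    esac
  done
  for perm in $granted; do
    case " $EXPECTED_KEY_PERMISSIONS " in
      *" $perm "*) ;;
      *) echo "excess key permission (violates least privilege): $perm"; status=1 ;;
    esac
  done
  if [ "$status" -eq 0 ]; then
    echo "key permissions match: $EXPECTED_KEY_PERMISSIONS"
  fi
  return "$status"
}

# Typical use after the set-policy step (needs the variables from earlier):
#   check_key_permissions "$(fetch_key_permissions "$keyVaultName" "$principal")"
# Constructed sample standing in for the az output:
check_key_permissions "get list import"
```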