Role-based access control with Azure AD now in preview
The public preview of role-based access control (RBAC) for the Azure Cosmos DB Core (SQL) API was announced today at Microsoft Ignite. With RBAC in Azure Cosmos DB, you can now:
- Authenticate your data requests with an Azure Active Directory (AD) identity.
- Authorize your data requests with a fine-grained, role-based permission model.
- Audit your diagnostic logs to retrieve the Azure AD identity used when accessing your data.
What is RBAC?
The concepts exposed by the Azure Cosmos DB RBAC should look very familiar to anyone who has used Azure RBAC before.
- Our new permission model exposes a set of actions that map to database operations (like writing a document or executing a query).
- You can create role definitions by assembling a list of actions that a role should allow.
- You associate your role definitions with Azure AD identities through role assignments. Roles can be assigned at the Azure Cosmos DB account, database or container levels.
The granularity of the permission model lets you control very precisely what a client is allowed to do. Some examples of custom role definitions:
- A read-only role that can only fetch documents by their ID, but not run queries or read from the change feed.
- A role that can only insert new documents into an Azure Cosmos DB container, but not read, replace or delete documents.
Find the complete list of available actions.
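To make the permission model concrete, here is a small evaluator written for this post (it is an added example, not Microsoft's code or the service's actual authorization engine) that models role definitions, role assignments at account, database or container scope, and the two custom roles described above. The action names use the Microsoft.DocumentDB/databaseAccounts/... form; the principal ids, assignment ids and scopes are constructed, and the treatment of a trailing "/*" as a one-segment wildcard is this example's assumption about the notation used by the built-in roles.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable, Optional

# Action names in the Microsoft.DocumentDB/databaseAccounts/... form used by Cosmos DB RBAC.
# readMetadata is the action the SDKs need simply to connect and discover the account.
PREFIX = "Microsoft.DocumentDB/databaseAccounts"
READ_METADATA = f"{PREFIX}/readMetadata"
ITEM_READ = f"{PREFIX}/sqlDatabases/containers/items/read"
ITEM_CREATE = f"{PREFIX}/sqlDatabases/containers/items/create"
ITEM_DELETE = f"{PREFIX}/sqlDatabases/containers/items/delete"
EXECUTE_QUERY = f"{PREFIX}/sqlDatabases/containers/executeQuery"
READ_CHANGE_FEED = f"{PREFIX}/sqlDatabases/containers/readChangeFeed"


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple[str, ...]  # an action ending in "/*" grants every action one level beneath it


@dataclass(frozen=True)
class RoleAssignment:
    assignment_id: str  # what diagnostic logs later report as the applied role assignment id
    principal_id: str   # Azure AD object id of the user, service principal or managed identity
    role: RoleDefinition
    scope: str          # "/" (account), "/dbs/<db>" or "/dbs/<db>/colls/<container>"


# The two custom roles described in the post: point reads only, and inserts only.
POINT_READER = RoleDefinition("Point reader", (READ_METADATA, ITEM_READ))
INSERT_ONLY = RoleDefinition("Insert only", (READ_METADATA, ITEM_CREATE))
# A wildcard role in the style of the built-in Data Contributor role (assumed notation).
DATA_CONTRIBUTOR = RoleDefinition(
    "Data contributor",
    (READ_METADATA,
     f"{PREFIX}/sqlDatabases/containers/*",
     f"{PREFIX}/sqlDatabases/containers/items/*"),
)

# Constructed principal ids and assignments (not real identities).
READER_APP = "11111111-1111-1111-1111-111111111111"
INGEST_APP = "22222222-2222-2222-2222-222222222222"
ADMIN_USER = "33333333-3333-3333-3333-333333333333"
ASSIGNMENTS = (
    RoleAssignment("ra-reader", READER_APP, POINT_READER, "/dbs/orders"),
    RoleAssignment("ra-ingest", INGEST_APP, INSERT_ONLY, "/dbs/orders/colls/events"),
    RoleAssignment("ra-admin", ADMIN_USER, DATA_CONTRIBUTOR, "/"),
)


def scope_covers(assignment_scope: str, resource: str) -> bool:
    """An assignment applies to its own scope and to everything nested under it."""
    if assignment_scope == "/":
        return True
    base = assignment_scope.rstrip("/")
    return resource == base or resource.startswith(base + "/")


def action_matches(granted: str, requested: str) -> bool:
    """Exact match, or a one-segment wildcard when the granted action ends in '/*'."""
    if granted.endswith("/*"):
        prefix = granted[:-1]  # keep the trailing "/" so "items/*" cannot match "itemsX"
        return requested.startswith(prefix) and "/" not in requested[len(prefix):]
    return granted == requested


def authorize(assignments: Iterable[RoleAssignment], principal_id: str,
              action: str, resource: str) -> Optional[str]:
    """Return the id of the first role assignment permitting `action` on `resource`,
    or None when the principal has no matching assignment (the request is denied)."""
    for a in assignments:
        if a.principal_id != principal_id or not scope_covers(a.scope, resource):
            continue
        if any(action_matches(g, action) for g in a.role.actions):
            return a.assignment_id
    return None


if __name__ == "__main__":
    for who, act, res in ((READER_APP, ITEM_READ, "/dbs/orders/colls/events"),
                          (READER_APP, EXECUTE_QUERY, "/dbs/orders/colls/events"),
                          (INGEST_APP, ITEM_CREATE, "/dbs/orders/colls/audit")):
        print(who[:8], act.rsplit("/", 1)[-1], res, "->", authorize(ASSIGNMENTS, who, act, res))
```

The reader app can fetch an item in any container under the orders database but is denied a query or a change feed read; the ingest app can create items only in the one container it was assigned, not in a sibling; the account-level contributor assignment reaches every database and container. Returning the assignment id rather than a bare boolean mirrors what you will later look for in the diagnostic logs.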
Managing your role
No more primary keys!
TokenCredential instance that will resolve to the desired identity:
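The same pattern in Python, as an added example rather than code from the post: the client is built from an Azure AD credential and no primary key is ever read from configuration. It assumes the azure-cosmos and azure-identity packages, a COSMOS_ENDPOINT environment variable (a name chosen here), and that the account lives in the public cloud, whose data-plane hostnames end in .documents.azure.com; the endpoint check before handing over a token is this example's addition.

```python
from __future__ import annotations
import os
from urllib.parse import urlparse

# Hostname suffixes a bearer token may be sent to. Only the public cloud is listed;
# extend the tuple for sovereign clouds (assumption about your deployment).
ALLOWED_SUFFIXES = (".documents.azure.com",)


def is_cosmos_endpoint(endpoint: str, suffixes: tuple[str, ...] = ALLOWED_SUFFIXES) -> bool:
    """An Azure AD token should only ever be presented to an HTTPS Cosmos DB endpoint."""
    parts = urlparse(endpoint)
    host = parts.hostname or ""
    return parts.scheme == "https" and any(host.endswith(s) for s in suffixes)


def make_client(endpoint: str):
    """Build a CosmosClient that authenticates with an Azure AD identity, not a primary key.

    The SDK imports are local so the endpoint check works without the packages installed;
    actually connecting needs azure-cosmos and azure-identity (assumed present)."""
    if not is_cosmos_endpoint(endpoint):
        raise ValueError(f"refusing to send an Azure AD token to {endpoint!r}")
    from azure.identity import DefaultAzureCredential
    from azure.cosmos import CosmosClient
    # DefaultAzureCredential resolves to whatever identity is available where the code runs:
    # a service principal from environment variables, a managed identity, or a developer's
    # Azure CLI login. Passing it as `credential` replaces the primary-key string.
    return CosmosClient(endpoint, credential=DefaultAzureCredential())


if __name__ == "__main__":
    client = make_client(os.environ["COSMOS_ENDPOINT"])  # COSMOS_ENDPOINT is this example's variable name
    print("connected with an Azure AD identity:", client)
```

Because the credential is resolved at runtime, the same code runs unchanged on a developer machine (CLI login), in a CI job (service principal) and in production (managed identity), and the role assignment attached to whichever identity is in use decides what the client may do.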
Advanced auditing of data requests
- The Azure AD identity used to authenticate the request.
- The ID of the role assignment used to authorize the request.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DOCUMENTDB"
    and Category == "DataPlaneRequests"
    and ResourceId == "<yourAccountResourceId>"
    and OperationName == 'Query'
| summarize by aadPrincipalId_g, aadAppliedRoleAssignmentId_g
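The query above groups query requests by the Azure AD principal and the role assignment that authorized each one. As an added example (not part of the post, and run over constructed rows rather than real AzureDiagnostics output), the following Python applies the same filter and grouping to sample log rows with the same column names, adds a count per group, and also counts data-plane requests that carry no Azure AD principal at all. The resource id is the post's own placeholder, the principal and assignment ids are made up, and the reading of an empty aadPrincipalId_g as a request that still used a primary key is this example's assumption.

```python
from __future__ import annotations
from collections import Counter
from typing import Iterable

RESOURCE_ID = "<yourAccountResourceId>"  # placeholder, exactly as in the KQL query


def _row(op: str, principal: str = "", assignment: str = "",
         resource_id: str = RESOURCE_ID, category: str = "DataPlaneRequests") -> dict:
    """One constructed AzureDiagnostics row with the columns the KQL query touches."""
    return {
        "ResourceProvider": "MICROSOFT.DOCUMENTDB",
        "Category": category,
        "ResourceId": resource_id,
        "OperationName": op,
        "aadPrincipalId_g": principal,
        "aadAppliedRoleAssignmentId_g": assignment,
    }


# Constructed identities and rows (not real log data).
READER_APP = "11111111-1111-1111-1111-111111111111"
INGEST_APP = "22222222-2222-2222-2222-222222222222"
ADMIN_USER = "33333333-3333-3333-3333-333333333333"
SAMPLE_ROWS = [
    _row("Query", READER_APP, "ra-reader"),
    _row("Query", READER_APP, "ra-reader"),
    _row("Query", READER_APP, "ra-reader"),
    _row("Query", ADMIN_USER, "ra-admin"),
    _row("Create", INGEST_APP, "ra-ingest"),                      # not a Query: excluded
    _row("Query"),                                                # no AAD fields: key-based (assumed)
    _row("Query", READER_APP, "ra-reader", resource_id="<other>"),  # another account: excluded
    _row("", category="PartitionKeyStatistics"),                  # other category: excluded
]


def summarize_queries(rows: Iterable[dict], resource_id: str,
                      operation: str = "Query") -> dict[tuple[str, str], int]:
    """Same filter as the KQL query, grouped by (principal, applied role assignment), with counts."""
    counts: Counter = Counter()
    for r in rows:
        if (r["ResourceProvider"] == "MICROSOFT.DOCUMENTDB"
                and r["Category"] == "DataPlaneRequests"
                and r["ResourceId"] == resource_id
                and r["OperationName"] == operation):
            counts[(r["aadPrincipalId_g"], r["aadAppliedRoleAssignmentId_g"])] += 1
    return dict(counts)


def requests_without_aad_identity(rows: Iterable[dict], resource_id: str) -> int:
    """Data-plane requests on the account with no Azure AD principal recorded.

    Assumption: such requests were authenticated with a primary key, so this number
    should trend to zero as clients move to role-based access control."""
    return sum(
        1 for r in rows
        if r["Category"] == "DataPlaneRequests"
        and r["ResourceId"] == resource_id
        and not r["aadPrincipalId_g"]
    )


if __name__ == "__main__":
    for (principal, assignment), n in summarize_queries(SAMPLE_ROWS, RESOURCE_ID).items():
        print(f"{principal or '<no AAD principal>'} via {assignment or '<none>'}: {n} queries")
    print("key-based data-plane requests:", requests_without_aad_identity(SAMPLE_ROWS, RESOURCE_ID))
```

Over the sample rows the reader app shows three queries under its assignment, the admin one, and one query arrives with no principal, which is the row an operator would chase down when retiring primary keys.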
You can start using role-based access control today to tighten access control over your Azure Cosmos DB resources. Just head to the detailed documentation of Azure Cosmos DB RBAC to get started!