{"id":8793,"date":"2024-10-09T07:00:46","date_gmt":"2024-10-09T14:00:46","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/cosmosdb\/?p=8793"},"modified":"2024-10-11T08:17:33","modified_gmt":"2024-10-11T15:17:33","slug":"introducing-rbac-authentication-and-more-for-the-azure-cosmos-db-integrated-cache","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/cosmosdb\/introducing-rbac-authentication-and-more-for-the-azure-cosmos-db-integrated-cache\/","title":{"rendered":"Introducing RBAC Authentication and more for the Azure Cosmos DB Integrated Cache"},"content":{"rendered":"

We\u2019re excited to announce new features for the Azure Cosmos DB integrated cache! The integrated cache is built into the dedicated gateway<\/a>, and now there\u2019s new ways to authenticate your requests. Security is top of mind for many organizations, and you can now use Role-Based Access Control (RBAC) with Microsoft Entra ID to authenticate to the dedicated gateway, eliminating the security risks and complications that come with key-based authentication. Additionally, there\u2019s a new request option that gives you fine grained control over which requests populate the integrated cache.<\/p>\n

\"Pixelated<\/a><\/p>\n

RBAC authentication with Microsoft Entra ID<\/h2>\n

One of the most exciting updates is support for RBAC authentication using Microsoft Entra ID. You no longer have to rely on your Azure Cosmos DB account’s primary key for authenticating to the dedicated gateway and integrated cache. Now, you can connect with Entra ID, which improves security and streamlines managing access permissions. Entra ID’s integration allows for more granular control over who can access your data, making it easier to adhere to your organization’s security policies.<\/p>\n

The dedicated gateway uses the same permissions, role definitions and role assignments as Azure Cosmos DB. If you already have RBAC configured for data plane operations in your Azure Cosmos DB account, you can also use it for authenticating to the dedicated gateway. The permission model is based on actions<\/a> that map to database operations (create item, read item etc.), and there are no actions or roles specific to operations that use the dedicated gateway or integrated cache.<\/p>\n

How to configure RBAC roles and assignments<\/h3>\n

Learn how to configure RBAC roles and assignments for the dedicated gateway. If you already have RBAC configured for data plane operations in your Azure Cosmos DB account, you can skip this section and move on to updating your application to use RBAC with the dedicated gateway.<\/p>\n

Role definitions contain a list of permissions for allowed user actions. For some cases, the built-in role definitions are sufficient, or you can create your own custom role definitions<\/a>. The two built-in role definitions<\/a> are Cosmos DB Built-in Data Reader and Cosmos DB Built-in Data Contributor.<\/p>\n

Once you have a role definition, assign it to a user. To assign role permissions, you\u2019ll need the ID of the role definition and the ID of the user account or service principal that will connect to the dedicated gateway. For this example, we\u2019ll use the Cosmos DB Built-in Data Contributor role and a user account.<\/p>\n

    \n
  1. Sign in to the Azure CLI and find or change your current subscription.<\/li>\n<\/ol>\n
    az login\r\naz account set --subscription \"<subscription ID or name>\"<\/code><\/pre>\n
      \n
    1. Retrieve the details of your account using the az ad user show <\/em>command.<\/em>\u00a0Copy the value of the id<\/em> property and save it for use in the next step.<\/li>\n<\/ol>\n
      az ad user show -\u2013id \u201c<Your email address>\u201d<\/code><\/pre>\n
        \n
      1. Assign the built-in Cosmos DB Built-in Data Contributor role to your user account using the az cosmosdb sql role assignment create<\/em> Each built-in role has its own ID, and you can find them in the built-in role definitions chart<\/a>.<\/li>\n<\/ol>\n
        az cosmosdb sql role assignment create \\\r\n    --account-name <Your Azure Cosmos DB account name> \\\r\n    --resource-group <Your resource group name> \\\r\n    --scope \"\/\" \\\r\n    --principal-id <Your user id from step 2>  \\\r\n    --role-definition-id \u201c00000000-0000-0000-0000-000000000002\u201d\r\n<\/code><\/pre>\n
        Update your application to use RBAC with the dedicated gateway<\/h3>\n
        Once you\u2019ve created your roles and role assignments, you can use DefaultAzureCredential()<\/em> from the Azure.Identity<\/em> package to authenticate your CosmosClient<\/em>. There are no other application changes required to use RBAC authentication with the dedicated gateway. This example uses the Azure Cosmos DB .NET SDK, however RBAC authentication is supported in all SDKs.<\/p>\n
          \n
        1. Install the Azure.Identity<\/em> package<\/li>\n<\/ol>\n
          dotnet add package Azure.Identity<\/code><\/pre>\n
            \n
          1. Add the following code at the top of your file where the CosmosClient<\/em> is created<\/li>\n<\/ol>\n
            using Azure.Identity;<\/code><\/pre>\n
              \n
            1. Modify the code to create your CosmosClient<\/em>. All dedicated gateway endpoints follow the same pattern <Your Azure Cosmos DB account name>.sqlx.cosmos.azure.com<\/em><\/li>\n<\/ol>\n
              CosmosClient client = new(\r\n    accountEndpoint: \u201chttps:\/\/<Your Azure Cosmos DB account name>.sqlx.cosmos.azure.com:443\/\u201d, \r\n    tokenCredential: new DefaultAzureCredential()\r\n);<\/code><\/pre>\n
              Fine-grained options for caching requests<\/h2>\n
              Azure Cosmos DB’s dedicated gateway now includes an option to bypass the integrated cache<\/a> per request. By selectively bypassing the cache, you can ensure that only the most critical and frequently accessed data occupies the limited cache space. This reduces the likelihood of important data being evicted, optimizing the performance for high-priority queries and items. Requests that bypass the cache are still routed through the dedicated gateway and are served from the backend, costing RUs.<\/p>\n
              Strategic cache management<\/h3>\n
              The ability to bypass the integrated cache empowers you to make strategic decisions about cache usage. All read and write requests from clients configured with the dedicated gateway endpoint populate the cache by default. By directing one-off requests not to use the cache, you free up space for data and queries that are more likely to be repeated. This helps maintain a high cache hit rate and increase RU savings potential. For example, if a query is frequently repeated, but users rarely request the second or third page of data, you can bypass the cache on these trips while keeping the first page in the cache.<\/p>\n
              How to bypass the integrated cache<\/h3>\n
              The bypass integrated cache request option is available in the Azure Cosmos DB .NET, Java and JavaScript SDKs. The following example shows how to bypass the integrated cache for a query using the .NET SDK.<\/p>\n
              FeedIterator<MyClass> myQuery = container.GetItemQueryIterator<MyClass>(new QueryDefinition(\"SELECT * FROM c\"), requestOptions: new QueryRequestOptions\r\n        {\r\n            DedicatedGatewayRequestOptions = new DedicatedGatewayRequestOptions \r\n            { \r\n                BypassIntegratedCache = true\r\n            }\r\n        }\r\n);\r\n<\/code><\/pre>\n
              Conclusion<\/h2>\n
              Azure Cosmos DB’s latest updates to the dedicated gateway and integrated cache offer enhanced flexibility and control, making it easier to manage authentication and optimize cache usage. Whether you are seeking to improve security with RBAC authentication via Microsoft Entra ID or aiming to fine-tune your cache strategy with selective bypass options, these features provide powerful tools to help you achieve your goals.<\/p>\n
              Learn more<\/h2>\n