Restrict user access to data operations in Azure Cosmos DB#
Security · Cosmos DB · Rule · 2021_09
Use Azure AD identities for management plane operations in Azure Cosmos DB.
Description#
Cosmos DB provides two authorization options for interacting with the database:
- Azure Active Directory identity (Azure AD). Can be used to authorize account and resource management operations.
- Keys and resource tokens. Can be used to authorize resource management and data operations.
Resource management operations include management of databases, indexes, and containers. By default, keys are permitted to perform resource management operations. You can restrict these operations to Azure Resource Manager (ARM) calls only.
Recommendation#
Consider limiting key and resource tokens to data plane operations only. Use Azure AD identities for authorizing account and resource management operations.
Examples#
Configure with Azure template#
To deploy Cosmos DB accounts that pass this rule:
- Set the `Properties.disableKeyBasedMetadataWriteAccess` property to `true`.
For example:
Azure Template snippet

```json
{
  "type": "Microsoft.DocumentDB/databaseAccounts",
  "apiVersion": "2021-06-15",
  "name": "[parameters('dbAccountName')]",
  "location": "[parameters('location')]",
  "properties": {
    "consistencyPolicy": {
      "defaultConsistencyLevel": "Session"
    },
    "databaseAccountOfferType": "Standard",
    "locations": [
      {
        "locationName": "[parameters('location')]",
        "failoverPriority": 0,
        "isZoneRedundant": false
      }
    ],
    "disableKeyBasedMetadataWriteAccess": true
  }
}
```
Configure with Bicep#
To deploy Cosmos DB accounts that pass this rule:
- Set the `Properties.disableKeyBasedMetadataWriteAccess` property to `true`.
For example:
Azure Bicep snippet

```bicep
resource dbAccount 'Microsoft.DocumentDB/databaseAccounts@2021-06-15' = {
  name: dbAccountName
  location: location
  properties: {
    consistencyPolicy: {
      defaultConsistencyLevel: 'Session'
    }
    databaseAccountOfferType: 'Standard'
    locations: [
      {
        locationName: location
        failoverPriority: 0
        isZoneRedundant: false
      }
    ]
    disableKeyBasedMetadataWriteAccess: true
  }
}
```
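As an added example (not part of the PSRule for Azure documentation or its rule implementation), a small offline Python check that applies the same condition to an ARM template: every `Microsoft.DocumentDB/databaseAccounts` resource, including nested child resources, passes only when `disableKeyBasedMetadataWriteAccess` is a literal `true`. The three-account template embedded below is constructed for the demonstration.

```python
import json

# Constructed ARM template with three Cosmos DB accounts: one sets the property
# to true, one omits it (the default is false), one sets it to false explicitly.
TEMPLATE_JSON = """
{
  "resources": [
    {"type": "Microsoft.DocumentDB/databaseAccounts", "name": "hardened-account",
     "properties": {"disableKeyBasedMetadataWriteAccess": true}},
    {"type": "Microsoft.DocumentDB/databaseAccounts", "name": "default-account",
     "properties": {"databaseAccountOfferType": "Standard"}},
    {"type": "Microsoft.DocumentDB/databaseAccounts", "name": "explicit-false-account",
     "properties": {"disableKeyBasedMetadataWriteAccess": false}}
  ]
}
"""

COSMOS_ACCOUNT_TYPE = "microsoft.documentdb/databaseaccounts"


def iter_resources(resources, parent=""):
    """Yield (name, resource) for every resource, descending into nested child resources."""
    for res in resources:
        name = f"{parent}/{res.get('name', '?')}" if parent else res.get("name", "?")
        yield name, res
        yield from iter_resources(res.get("resources", []), name)


def evaluate_template(template):
    """Map each Cosmos DB account name to True when key-based metadata writes are disabled.

    Accepts a parsed template (dict) or its JSON text. Only a literal JSON true passes:
    a missing property keeps the default (false), and a template expression such as
    "[parameters('x')]" cannot be resolved statically, so it is reported as failing.
    """
    if isinstance(template, str):
        template = json.loads(template)
    results = {}
    for name, res in iter_resources(template.get("resources", [])):
        if str(res.get("type", "")).lower() != COSMOS_ACCOUNT_TYPE:
            continue
        props = res.get("properties") or {}
        results[name] = props.get("disableKeyBasedMetadataWriteAccess") is True
    return results


if __name__ == "__main__":
    for name, ok in evaluate_template(TEMPLATE_JSON).items():
        print(f"{'PASS' if ok else 'FAIL'}: {name}")
```

Run it against a template file with `evaluate_template(open(path).read())`; any `False` entry is an account that still allows keys to perform resource management operations.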
Links#
- Use identity-based authentication
- Restrict user access to data operations in Azure Cosmos DB
- Secure access to data in Azure Cosmos DB
- How does Azure Cosmos DB secure my database?
- Access control in the Azure Cosmos DB SQL API
- Azure resource template
Last update: 2023-09-10