Azure Cosmos DB User Assigned Identity is a feature that allows you to assign a managed identity to your Azure Cosmos DB account, enabling secure authentication and authorization.
This feature is available for Azure Cosmos DB accounts created after November 2019.
To use User Assigned Identity, you need to create a system-assigned identity or a user-assigned identity in Azure Active Directory (Azure AD).
A user-assigned identity is a unique identifier that can be assigned to a specific Azure Cosmos DB account.
Configuring User-Assigned Identity
You can specify a user-assigned managed identity in a data source connection string.
To set up a user-assigned managed identity, you need to follow two key steps. First, format the "credentials" property with the database name and a ResourceId.
The ResourceId is the crucial part of this step: it must include the subscription ID of Azure Cosmos DB, the resource group, and the Azure Cosmos DB account name.
Second, when creating the data source, add an "identity" property that contains the collection of user-assigned managed identities, and set it to type "userAssignedIdentities".
Provide only one user-assigned managed identity when creating the data source.
Understanding User-Assigned Identity
A user-assigned managed identity is a type of identity that can be assigned to a resource in Azure. You can create a data source connection to Azure Cosmos DB in the Azure portal, specifying either a system-assigned or a user-assigned managed identity.
To use a user-assigned managed identity, format the "credentials" property as the database name plus a ResourceId, with no account key or password. The ResourceId must include the subscription ID of Azure Cosmos DB, the resource group, and the Azure Cosmos DB account name.
Provide only one user-assigned managed identity when creating the data source, and set it to type "userAssignedIdentities". Connection information and permissions on the remote service are validated at run time, during indexer execution.
Here's a summary of the required format for a user-assigned managed identity:
- Database name and ResourceId with no account key or password
- User-assigned managed identity of type "userAssignedIdentities"
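The data source definition that both sections above describe, as an added validation example written for this page (not code from the linked documentation or the Azure SDKs): it checks that the connection string carries only Database and a well-formed Cosmos DB ResourceId with no account key or password, and that a user-assigned managed identity is attached. The `@odata.type` value is the Azure AI Search REST API's user-assigned identity type; the subscription GUID, resource group, account and identity names are constructed placeholders.

```python
import re

# Constructed sample data-source definition; the GUID, resource group, account and identity names are placeholders.
SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/"
SAMPLE_DATASOURCE = {
    "name": "cosmos-ds",
    "type": "cosmosdb",
    "credentials": {"connectionString": f"ResourceId={SCOPE}Microsoft.DocumentDB/databaseAccounts/example-cosmos;Database=exampledb"},
    "container": {"name": "items", "query": None},
    "identity": {
        "@odata.type": "#Microsoft.Azure.Search.DataUserAssignedIdentity",
        "userAssignedIdentity": f"{SCOPE}Microsoft.ManagedIdentity/userAssignedIdentities/search-indexer-mi",
    },
}

UAMI_TYPE = "#Microsoft.Azure.Search.DataUserAssignedIdentity"
SECRET_KEYS = {"accountkey", "password", "pwd"}  # any of these turns the connection string into a shared secret


def arm_id_pattern(provider_path):
    """Regex for an ARM resource ID: subscription, resource group, then the given provider/type path and a name."""
    return re.compile(r"^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/;]+/providers/" + provider_path + r"/[^/;]+$", re.I)


COSMOS_RESOURCE_ID = arm_id_pattern(r"Microsoft\.DocumentDB/databaseAccounts")
UAMI_RESOURCE_ID = arm_id_pattern(r"Microsoft\.ManagedIdentity/userAssignedIdentities")


def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys; only the first '=' of a segment splits."""
    parts = {}
    for segment in cs.split(";"):
        if segment.strip():
            key, _, value = segment.partition("=")
            parts[key.strip().lower()] = value.strip()
    return parts


def validate_datasource(ds):
    """Return a list of problems; an empty list means the definition follows the user-assigned identity format."""
    problems = []
    parts = parse_connection_string(ds.get("credentials", {}).get("connectionString", ""))
    if not parts.get("database"):
        problems.append("connectionString lacks Database")
    if not COSMOS_RESOURCE_ID.match(parts.get("resourceid", "")):
        problems.append("connectionString lacks a well-formed Cosmos DB ResourceId")
    problems += [f"secret present in connectionString: {k}" for k in sorted(parts) if k in SECRET_KEYS]
    identity = ds.get("identity") if isinstance(ds.get("identity"), dict) else {}
    if identity.get("@odata.type") != UAMI_TYPE:
        problems.append("identity is missing or not a user-assigned identity")
    if not UAMI_RESOURCE_ID.match(identity.get("userAssignedIdentity", "")):
        problems.append("userAssignedIdentity is not a managed-identity resource ID")
    return problems
```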
Example and Solution
To set up an Azure Cosmos DB user-assigned identity, you'll need to create a system-assigned identity first. This identity will be used to authenticate the user-assigned identity.
You can create a system-assigned identity in the Azure portal by navigating to your Azure Cosmos DB account, clicking on "Access control (IAM)", and then clicking on "Add" to create a new identity.
The system-assigned identity will be used to authenticate the user-assigned identity, which can then be used to access Azure resources without needing to hardcode credentials.
You can then create a user-assigned identity by clicking on the "New identity" button in the Azure portal, selecting "User-assigned" as the identity type, and providing a name for the identity.
To use the user-assigned identity with Azure Cosmos DB, you'll need to assign the necessary permissions to the identity, such as the "Microsoft.DocumentDB/databaseAccounts/write" permission.
This permission will allow the user-assigned identity to write to the database account, and can be assigned by clicking on the "Add" button in the Azure portal and searching for the "Microsoft.DocumentDB/databaseAccounts/write" permission.