Access management is an integral part of managing any database. In the case of Azure Cosmos DB, Azure role-based access control (RBAC) offers granular access management that can help ensure only the right people have the right access, at the right time. In this post, we will explore how to manage control plane access to Azure Cosmos DB by using RBAC.
Azure Cosmos DB and RBAC
Azure Cosmos DB is a globally distributed, multi-model database service provided by Microsoft Azure. On the other hand, RBAC is a mechanism that helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.
RBAC is an integral part of Azure Cosmos DB’s security model. It plays a crucial role in implementing security policies by adhering to the principle of least privilege.
Understanding the Role Assignments
In RBAC, access to Azure Cosmos DB resources is assigned to users, groups, service principals, or managed identities by using roles. These roles are then assigned certain permissions. Azure roles provide a simpler approach to understanding the broad types of actions that a user or service can do within your resources.
Azure provides both built-in and custom roles. Built-in roles include a wide range of permissions for different services. If these don’t meet your specific needs, you can create custom roles.
Here are the main built-in roles for Azure Cosmos DB:
- Cosmos DB Operator: Full management of Azure Cosmos DB resources and data actions.
- Cosmos DB Contributor: Full management of Azure Cosmos DB resources, without data actions.
- Cosmos DB Account Reader Role: View and list Azure Cosmos DB resources.
Manage RBAC
Managing RBAC for Azure Cosmos DB involves creating or modifying custom roles, assigning roles, and implementing them on users, groups, or service principals.
Create or Modify Custom Roles
When creating custom roles, you need to identify which actions the role permits or denies. These actions are then associated with the Azure Cosmos DB control plane or data plane operations.
Here is an example of how to create a new custom role:
{
“Name”: “Custom Role”,
“Id”: null,
“IsCustom”: true,
“Description”: “Allows for reading and listing of Cosmos DB account details”,
“Actions”: [
“Microsoft.DocumentDB/databaseAccounts/read”,
“Microsoft.DocumentDB/databaseAccounts/listKeys/action”,
“Microsoft.DocumentDB/databaseAccounts/listReadOnlyKeys/action”,
],
“NotActions”: [],
“DataActions”: [],
“NotDataActions”: [],
“AssignableScopes”: [
“/subscriptions/{subscriptionId1}”,
“/subscriptions/{subscriptionId2}”
]
}
In the example above, the custom role named “Custom Role” will have the permission to read and list the Cosmos DB account details for the subscription Ids outlined in the AssignableScopes.
Assign Roles
Role assignments are the association of role definitions with Azure Cosmos DB users, groups, service principals, and managed identities in specific scopes. Scopes are structures that define the level of access. These include management groups, subscriptions, resource groups, and resources.
Here is an example of how to assign a role using Azure CLI:
az role assignment create –assignee “
In the above script, a specified role is assigned to an assignee at the given scope, which is an Azure Cosmos DB account in a specified subscription and resource group.
Conclusion
RBAC provides an efficient mechanism to manage access to your Azure Cosmos DB resources. It allows you to control who has access to what, and to what extent, helping you implement your security policies and adhere to the principle of least privilege. By understanding how to create custom roles and assign roles, you can effectively manage control plane access to your Azure Cosmos DB.
Practice Test
True or False: Azure role-based access control (RBAC) provides security for Azure Cosmos DB by enforcing permissions on the control plane resources.
- True
- False
Answer: True
Explanation: Azure RBAC is used to grant permissions to users, groups, and applications at certain scopes for controlling access to Azure Cosmos DB.
Who can assign roles in Azure role-based access control (RBAC) for Azure Cosmos DB?
- A. AWS Administrator
- B. Azure User
- C. Azure Owner
- D. Azure Contributor
Answer: C. Azure Owner
Explanation: Azure Owner has permissions to manage everything, including access to resources in Azure RBAC.
Azure role-based access control (RBAC) can have how many built-in roles for Azure Cosmos DB?
- A. Three
- B. Four
- C. Five
- D. Six
Answer: A. Three
Explanation: Azure RBAC for Azure Cosmos DB has three built-in roles: Cosmos DB Account Reader Role, Cosmos DB Account Contributor Role, and Cosmos DB Operator Role.
True or False: Azure role-based access control (RBAC) cannot provide any role assignments on the Azure management plane for actions that are needed to manage Azure Cosmos DB resources.
- True
- False
Answer: False
Explanation: Azure RBAC can provide role assignments on the Azure management plane for actions to manage Azure Cosmos DB resources.
Which built-in role in Azure Cosmos DB RBAC would you use to provide the most limited read-only access to an Azure Cosmos DB account?
- A. Cosmos DB Operator Role
- B. Cosmos DB Account Reader Role
- C. Cosmos DB Account Contributor Role
- D. None of the above
Answer: B. Cosmos DB Account Reader Role
Explanation: The Cosmos DB Account Reader Role provides read-only access to an Azure Cosmos DB account.
True or False: You cannot add or remove users and groups to Azure roles in an Azure Cosmos DB account.
- True
- False
Answer: False
Explanation: You can add or remove users and groups to Azure roles in an Azure Cosmos DB account.
The Cosmos DB Account Contributor Role provides permissions to:
- A. Read metadata for any type of Azure resource
- B. Write metadata for Cosmos DB accounts
- C. Read metadata for Cosmos DB accounts
- D. All of the above
Answer: D. All of the above
Explanation: Cosmos DB Account Contributor Role provides permissions to read and write metadata for Cosmos DB accounts and read metadata for any type of Azure resource.
Which of the following actions can be done by the Cosmos DB Operator Role:
- A. Start/stop an ongoing backup
- B. Read/write permissions
- C. Create/update/delete Azure Cosmos DB accounts
- D. All of the above
Answer: D. All of the above
Explanation: The Cosmos DB Operator Role is a higher level of access and enables you to perform all these actions.
True or False: Azure role-based access control (RBAC) can limit access to just the Azure Cosmos DB resources that the user or group needs.
- True
- False
Answer: True
Explanation: Azure RBAC provides fine-grained access management for Azure Cosmos DB, enabling you to limit access to the specific resources a user or group needs.
Which of these features are provided by Azure RBAC? Select all that apply.
- A. Permission to access resources
- B. Group-based authorization
- C. Custom roles
- D. Azure Cost Management Data Access
Answer: A. Permission to access resources, B. Group-based authorization, C. Custom roles, D. Azure Cost Management Data Access
Explanation: Azure RBAC is a system that provides fine-grain control over Azure resources, group-based authorization, ability to create custom roles, and Azure Cost Management Data Access.
The Azure built-in roles for access control in Azure Cosmos DB work on which of the following levels?
- A. Subscription level
- B. Resource group level
- C. Resource level
- D. All of the above
Answer: D. All of the above
Explanation: The Azure built-in roles for access control can be assigned at the subscription level, resource group level, and individual resource level.
True or False: Azure Cosmos DB Account Reader Role provides user access to read and write access to data in Cosmos DB accounts.
- True
- False
Answer: False
Explanation: Azure Cosmos DB Account Reader Role provides read-only access to an Azure Cosmos DB account.
True or False: Azure Cosmos DB does not support granular permissions.
- True
- False
Answer: False
Explanation: Azure Cosmos DB does support granular permissions, they can be used to control data plane access.
You can create custom roles in Azure RBAC. True or False?
- True
- False
Answer: True
Explanation: If the built-in roles for Azure resources don’t meet the specific needs of your organization, you can create your own custom roles in Azure RBAC.
True or False: Azure AD Based Access Control for Azure Cosmos DB’s data plane is independent of Azure role-based access control (RBAC) for control plane access.
- True
- False
Answer: True
Explanation: Azure role-based access control (RBAC) is for controlling access to the Azure management plane, while Azure AD is for controlling access to the data plane. They are separate mechanisms.
Interview Questions
What is Azure role-based access control (RBAC)?
Azure role-based access control (RBAC) is used to manage access to Azure resources, including Azure Cosmos DB. It helps you manage who has access to Azure resources and what they can do with those resources.
How does RBAC work with Azure Cosmos DB?
RBAC provides fine-grained access management to Azure Cosmos DB data plane operations through the assignment of specific permission to Azure Active Directory (Azure AD) identities.
What are the two types of operations you can manage access to on Azure Cosmos DB?
There are two types of operations you can manage access to on Azure Cosmos DB: Management operations (control plane) and Data operations (data plane).
What key aspect of Azure AD do you need to integrate with, in order to use Role-based Access Control with Azure Cosmos DB?
In order to use RBAC with Azure Cosmos DB, you need to integrate with Azure AD authentication. This allows RBAC to apply granular permissions to user and group identities in your organization.
What are some of the built-in Azure roles that you can use to control access to Azure Cosmos DB?
There are several built-in Azure roles you can use to control access including “Azure Cosmos DB Account Reader Role”, “Azure Cosmos DB Account Contributor”, and “Azure Cosmos DB Data Reader”.
Can you create custom RBAC roles for Azure Cosmos DB?
Yes, you can create custom RBAC roles for more fine-grained control over access to Azure Cosmos DB operations.
How can you assign roles to control access to Azure Cosmos DB?
You can assign roles using the Azure portal, Azure CLI, Azure PowerShell, or the management REST APIs.
Does Azure Cosmos DB support Azure AD token-based access to the data plane?
Yes, Azure Cosmos DB does support Azure AD token-based access to the data plane.
Why might you implement RBAC for Azure Cosmos DB?
Implementing RBAC for Azure Cosmos DB provides granular control over who can perform operations on your database, as well as serving as an extra layer of security.
What happens if an Azure AD user doesn’t have the necessary role assigned for a specific action in Azure Cosmos DB?
If a user doesn’t have the necessary role assigned for a specific action on Azure Cosmos DB, they will not be allowed access to carry out that action.
How can you view effective permissions for a user or group in Azure Cosmos DB?
To see effective permissions for a user or group, you can use Azure portal’s “Check access” feature.
Is it possible to use both key-based and Azure AD-based authentication for Azure Cosmos DB?
Yes. Azure Cosmos DB supports both key-based and Azure AD token-based authorization to access the data plane, and you can use them simultaneously.
Can composite roles be created in Azure RBAC?
No, Azure RBAC does not currently support the creation of composite roles. However, users can be assigned multiple roles.
What is the purpose of Azure Cosmos DB Account Reader Role?
Azure Cosmos DB Account Reader Role allows to read the Cosmos DB account and its settings.
What permissions does the built-in role Azure Cosmos DB Data Reader offer?
The Azure Cosmos DB Data Reader built-in role allows to read (not write) all data within the containers.