Data plane refers to the processes that manage communication between different parts of an Azure Cosmos DB system, such as data storage, processing, and recovery. To manage data plane accesses securely and efficiently, Azure Cosmos DB uses keys for controlling access and permissions.
Types of Azure Cosmos DB Keys
At a granular level, Azure Cosmos DB provides two types of keys: Primary Keys and Secondary Keys. Both types serve the same purpose of providing regulated access to resources for different operations but vary in their level of permission and lifespan.
Primary Keys
Primary Keys are automatically generated when you create an Azure Cosmos DB account. They have complete control over all resources and are meant to be long-lived. There is a primary key and a primary read-only key. The primary read-only key only gives read access to the data.
Secondary Keys
Secondary Keys are also automatically generated when a Azure Cosmos DB account is created. Similar to Primary keys, there are two secondary keys – secondary key and secondary read-only key. The only difference lies in their lifespan. Secondary keys can be regenerated without affecting the primary keys, making them perfect for scenarios when you want to rotate keys periodically for security reasons.
Here is a summary in a tabular form:
| Type of Key | Permission Level | Lifespan |
|---|---|---|
| Primary Key | Full access to all resources | Long-lived |
| Primary Read-only Key | Read access only | Long-lived |
| Secondary Key | Full access to all resources | Short-lived and can be regenerated |
| Secondary Read-only Key | Read access only | Short-lived and can be regenerated |
You might be wondering, how the keys are used to manage the data plane access? Below is the answer.
Using Keys for Data Plane Access
The Azure Cosmos DB API uses these keys in the form of connection strings to authenticate and authorize requests to your databases. When an application wants to access data, it presents one of these keys. Azure Cosmos DB checks the key for validity, determines if it has the necessary permissions, and grants access accordingly.
For example, if you have a client application that only needs to retrieve data from your database, you’d give it a primary read-only key. This way, even if this key were compromised, an attacker couldn’t make changes to your data; they could only read it.
Rotating Keys for Increased Security
Security is a primary concern when dealing with databases, especially in a public cloud context. To strengthen security, Azure Cosmos DB allows regeneration of primary and secondary keys. This is particularly useful in case a key is compromised or you want to practice key rotation for better security.
To rotate a key, you only need to navigate to the Keys blade in the Azure portal and click the ‘…’ button next to the key you want to regenerate. After confirming the operation, Azure will regenerate the key, and all old connection strings using that key will become invalid.
Please note, rotating a primary key should be done with caution as it can impact your application if it is not configured to handle a key rotation event.
Conclusion
Managing data plane access to Azure Cosmos DB by using keys is a powerful way to control access to your resources. It grants you granular control over what actions different applications can take on your databases. Whether preparing for your DP-420 exam or architecting a secure application, understanding Azure Cosmos DB keys and their roles is invaluable learning. Do revisit this concept and practice managing keys through Azure Portal or Azure CLI to get a strong hold on this topic.
Practice Test
True or False: Azure Cosmos DB provides two types of keys: primary keys and secondary keys.
- True
- False
Answer: True
Explanation: Azure Cosmos DB provides two types of keys – primary key and secondary key, both used for authentication and authorization.
Single Select: Which keys in Azure Cosmos DB are used for both read and write operations?
- a) Primary read-only keys
- b) Secondary write-only keys
- c) Primary read-write keys
- d) Secondary read-write keys
Answer: c) Primary read-write keys
Explanation: Primary read-write keys in Azure Cosmos DB allow both read and write operations.
Which of the following statements are true for Azure Cosmos DB? (Multiple Selection)
- a) Primary read-write keys can be regenerated without interrupting service
- b) Secondary read-write keys allow only read operations
- c) Primary read-only keys allow only read operations
- d) It is recommended to widely distribute primary read-write keys
Answer: a) Primary read-write keys can be regenerated without interrupting service, c) Primary read-only keys allow only read operations
Explanation: Regenerating primary read-write keys do not interrupt the service and primary read-only keys serve read operations only.
True or False: Azure Cosmos DB uses keys for replication and synchronization.
- True
- False
Answer: False
Explanation: Azure Cosmos DB uses keys for managing authentication and authorization. Replication and synchronization are managed separately.
Single Select: How many secondary read-write keys can be generated in Azure Cosmos DB?
- a) None
- b) One
- c) Two
- d) Four
Answer: c) Two
Explanation: Azure Cosmos DB allows two secondary read-write keys, primarily used for failover support.
True or False: Connection strings in Azure Cosmos DB contain primary keys.
- True
- False
Answer: True
Explanation: Connection strings in Azure Cosmos DB include primary keys, which are used when creating a client to connect to an Azure Cosmos DB account.
Single Select: What type of access does secondary read-only keys provide in Azure Cosmos DB?
- a) Read access only
- b) Write access only
- c) Read and write access
- d) No access
Answer: a) Read access only
Explanation: Secondary read-only keys in Azure Cosmos DB are used to provide read access exclusively.
True or False: Azure Cosmos DB doesn’t allow regenerating keys.
- True
- False
Answer: False
Explanation: Azure Cosmos DB allows you to regenerate both primary and secondary keys without interrupting the service.
Which of the following is not a feature of Azure Cosmos DB keys? (Multiple Selection)
- a) Data encryption
- b) Access control
- c) Authentication
- d) Authorization
Answer: a) Data encryption
Explanation: Azure Cosmos DB keys provide access control, authentication, and authorization. They do not provide data encryption; This functionality is handled separately.
True or False: Primary read-write keys in Azure Cosmos DB should be shared openly for ease of access.
- True
- False
Answer: False
Explanation: Sharing the primary read-write keys widely could give broad access and control over your Azure Cosmos DB data. Secure key management practices should always be followed.
Interview Questions
What are Azure Cosmos DB keys used for?
Azure Cosmos DB keys are used to provide access to data plane operations, such as reads, writes, and queries in Azure Cosmos DB.
How many types of keys are available in Azure Cosmos DB and what are they?
There are two types of keys available in Azure Cosmos DB – Master Keys and Resource Tokens.
What are Master keys in Azure Cosmos DB?
Master keys provide full read and write access to the data in your Azure Cosmos DB account. There are two types of master keys: primary and secondary, which are automatically created when you create an Azure Cosmos DB account.
What is the purpose of using Resource tokens in Azure Cosmos DB?
Resource tokens provide granular access to documents, collections, and other resources within a database. They’re used when you want to grant client applications direct access to Azure Cosmos DB resources.
Which key – Master key or Resource token, should be used when wanting to grant a third-party application a time-limited permission to specific resources in Azure Cosmos DB?
A resource token should be used when you want to grant a third-party application a time-limited permission to specific resources in Azure Cosmos DB.
How long are Azure Cosmos DB resource tokens valid?
Azure Cosmos DB resource tokens are valid for a maximum of 5 hours.
When should the primary master key be used in Azure Cosmos DB?
The primary master key should be used for all operations when you’re connecting to the Azure Cosmos DB account from a trusted back-end service.
Can Azure Cosmos DB keys be rolled over or regenerated?
Yes, Azure Cosmos DB keys can be rolled over or regenerated for security purposes without any downtime.
Are there any SDKs provided by Azure Cosmos DB to manage keys?
Yes, Azure Cosmos DB provides SDKs in multiple languages that integrate with Azure Cosmos DB and can manage keys.
Can resource tokens restrict access to a particular partition key range in Azure Cosmos DB?
Yes, resource tokens can restrict access to a particular partition key range in Azure Cosmos DB.
How does Azure Cosmos DB secure data plane operations?
Azure Cosmos DB secures data plane operations by validating all requests against keys before they reach the database operation layer.
What happens if a master key in Azure Cosmos DB is compromised?
If a master key is compromised, unauthorized users may gain full access to the Azure Cosmos DB account. It’s crucial to keep these keys secure and rotate them if a breach is suspected.
Where can you find the master keys in the Azure portal?
In the Azure portal, you can find the master keys for your Azure Cosmos DB account under the ‘Keys’ section of your Cosmos DB account blade.
Should you use master keys for direct client-side access in Cosmos DB?
No, you should not use master keys for direct client-side access as they provide unrestricted access to all resources. Instead, use the resource tokens for client-side access.
What happens if you regenerate a key in Azure Cosmos DB?
If you regenerate a key in Azure Cosmos DB, it will break the existing applications or services that uses that key. After regenerating a key, you need to update the key in all the places it is used.
extutorials.com