
Given an Azure CosmosDB DB instance that is created from the Azure portal, it is possible to create multiple databases from a shell connection with the following commands:

use someNewDbName;
db.someNewCollectionName.insert({});

With other DB providers that expose MongoDB APIs, it is possible to configure user roles on either a database or collection level (for users that exist on the same DB instance).

For example, with self-hosted MongoDB, the db.createUser() allows the roles parameter which accepts the db option. MongoDB Atlas allows similar operations to be performed through their UI.

Is it possible to do the same with CosmosDB? Within the Azure Portal, selecting the CosmosDB, and then Access control (IAM) and then Roles leads to a list of built in roles as well as a text that says it is possible to define your own roles but no indication as to how to do that.

Jacob Horbulyk

2 Answers


I am able to create a custom role with the following method using PowerShell. This role was displayed in the list of available roles under the "Add Role assignment" tab.

These links might help you

https://learn.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell

https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles

Rahul Ruikar
    This doesn't really answer the part of the question about whether Azure roles can be configured at a per database/collection level in CosmosDB. – Jacob Horbulyk Feb 01 '19 at 09:33

I also tried to create users and roles for an Azure CosmosDB using the MongoDB interface and followed this documentation: https://learn.microsoft.com/en-GB/azure/cosmos-db/secure-access-to-data?tabs=using-primary-key.

It seems however that this is simply not supported by the MongoDB interface. I followed the above documentation using the role-based access control approach and eventually ran into the following issue when executing the command below:

az cosmosdb sql role definition create --account-name <some-account> --resource-group <some-resource-group> --body @role-definition.json

(BadRequest) The Database Account [<some-database>] has API type [MongoDB] which is invalid for processing SQL Role Definitions.

The above is also confirmed by the documentation on the (resource) token-based approach: https://learn.microsoft.com/en-us/rest/api/cosmos-db/permissions (see first line):

Azure Cosmos DB is a globally distributed multi-model database that supports the document, graph, and key-value data models. The content in this section is for managing permission resources using the SQL API via REST.

Hope that this helps.

Christophe
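A concrete form of the custom-role method the first answer refers to, written as an added example (it is not either answerer's code) and taking into account the second answer's finding that SQL role definitions are rejected for a MongoDB API account. Because Azure RBAC on such an account is control-plane only and cannot be scoped to a database or collection, the example restricts what the role can do with the account keys instead; the subscription id, resource group and account name are placeholders, and the role name is invented.

```powershell
# Added example, not from the original answers. Requires the Az PowerShell module
# (Connect-AzAccount first). Placeholders below are assumptions, not real values.
$subscriptionId = "<subscription-id>"
$resourceGroup  = "<some-resource-group>"
$accountName    = "<some-account>"
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
         "/providers/Microsoft.DocumentDB/databaseAccounts/$accountName"

# Start from the built-in Reader definition so the object has the expected shape,
# then replace its contents (the approach used in the linked Microsoft tutorial).
$role = Get-AzRoleDefinition -Name "Reader"
$role.Id          = $null
$role.Name        = "Cosmos DB Account Metadata Reader (custom)"   # hypothetical name
$role.Description = "Read account configuration and metrics; cannot list or regenerate keys."
$role.IsCustom    = $true

# Control-plane read access only. None of the key operations are granted, which is the
# lever that matters for a MongoDB API account: data-plane access there is key based,
# and Azure RBAC cannot narrow it to one database or collection.
$role.Actions.Clear()
$role.Actions.Add("Microsoft.DocumentDB/databaseAccounts/read")
$role.Actions.Add("Microsoft.DocumentDB/databaseAccounts/*/read")
$role.Actions.Add("Microsoft.Insights/Metrics/read")

# NotActions only subtracts from this role's own Actions (it is not a deny assignment),
# so listing the key operations here keeps them excluded if Actions is widened later.
$role.NotActions.Clear()
$role.NotActions.Add("Microsoft.DocumentDB/databaseAccounts/listKeys/action")
$role.NotActions.Add("Microsoft.DocumentDB/databaseAccounts/readonlykeys/action")
$role.NotActions.Add("Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/action")
$role.NotActions.Add("Microsoft.DocumentDB/databaseAccounts/regenerateKey/action")

# Limit where the role can be assigned to this one account.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($scope)

New-AzRoleDefinition -Role $role

# Confirm the definition is visible at that scope; it then appears under
# "Add role assignment" in the portal, as the first answer describes.
Get-AzRoleDefinition -Scope $scope |
    Where-Object { $_.IsCustom } |
    Select-Object Name, Actions, NotActions, AssignableScopes
```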