
My Azure Data Factory has a private endpoint connection to CosmosDB and authenticates using a System Assigned Managed Identity. The goal is to delete a document from CosmosDB using https://learn.microsoft.com/en-us/rest/api/cosmos-db/delete-a-document called from a web activity.

I created a web activity in Data Factory and put in the required headers following these documents: https://learn.microsoft.com/en-us/rest/api/cosmos-db/common-cosmosdb-rest-request-headers https://learn.microsoft.com/en-us/rest/api/cosmos-db/access-control-on-cosmosdb-resources?redirectedfrom=MSDN


I am using Azure Cosmos DB RBAC so my authorization header looks like this: type=aad&ver=1.0&sig=token-from-oauth

To get a token I was following this post https://medium.com/analytics-vidhya/azure-data-factory-retrieve-token-from-azure-ad-using-oauth-2-0-9a3ed3f55013 but I don't know where I can get the client_secret. I found my ADF in AAD under enterprise applications, so I guess client_id is the application ID, but there is no client secret to be found there.


The first obvious question is where can I find this client_secret? The second one is why is this token needed at all? Why can't it just use the managed identity for authenticating the request?


1 Answer


Where can I find this client_secret?

Go to Azure Active Directory -> inside Manage go to App registrations (if you have not created an app registration, create it) -> go to the registered app -> Certificates & secrets.


Why is this token needed at all? Why can't it just use the managed identity for authenticating the request?

Managed identities are a way to simplify the authentication process for applications running in Azure, but they do not apply to all scenarios when calling external APIs that require authentication. In these cases, you need to obtain an access token from Azure AD using a client secret.

I reproduced the same thing in my environment. Follow the approach below.


URL: https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token

Scope: https://cosmos.azure.com/.default

Body: grant_type=client_credentials&client_id=<client_id>&client_secret=<client_secret>&scope=https://cosmos.azure.com/.default

After execution of the Web1 activity you will get a bearer token like this:


Inside the Web2 activity provide a valid URL as per the syntax below:

https://{databaseaccount}.documents.azure.com/dbs/{db-id}/colls/{coll-id}/docs/{doc-id}

Add dynamic content at header part as shown in the image:

Authorization: Bearer @{activity('Web1').output.access_token}

