Azure CosmosDB - MongoDB provides keys for Read-Write and Read Only at account level.
CosmosDB SDK and API are there through which users can be created and access can be define at database and document level.
• But What I need to do is to create a pair of username and password with restricted access to a MongoDB database similar to one provided by installable MongoDB.
• How a user can connect only CosmosDB MongoDB database using RoboMongo.
Highly appreciate any help.
Amit -
Today, Cosmos DB access are provided by using two keys, Master Key and Read Only key. However, if you want to restrict user access per collection, per document etc, you have to use Resource Tokens. You can read more about it here and please take a look at CH9 video to see the implementation details. Resource Token service can be implemented as an Azure Function. Here is code to get you started.
But if you are using RoboMongo you have to Use the keys as define in this document. At this time you cannot define different users and Keys for a Database.
Related
Is there any way to manage an Azure Cosmos DB collection with partition key that uses the Mongo API directly from c#?
Currently we use Terraform to provision the Cosmos DB account and the database and we use the MongoDB.Driver to administrate collections. To get the Collection (and create it if it does not exist), we use the following syntax:
public IMongoCollection<MyDocument> MyDocumentsCollection =>
Database.GetCollection<MyDocument>("MyDocuments", mongoCollectionSetting);
I do not see any option to set the partition key for the collection and I was expecting to accomplish this with the mongoCollectionSettings. What is the best option to get this working?
I have found the Microsoft.Azure.Cosmos SDK but this is only applicable for Cosmos DB's SQL API.
Also I don't want to start with the method RunCommand but I guess this is the only option...?! Is it?
I use java version 4 SDK for azure cosmos db. I want to create database inside azure cosmos db account with service principal, not with masterkey.
I assigned to service principal DocumentDB Account Contributor and Cosmos DB Operator built-in-role definitions, according to this documentation:
https://learn.microsoft.com/pl-pl/azure/role-based-access-control/built-in-roles#cosmos-db-operator
I was not able to create CosmosAsyncClient, until I added new custom role, which just contains reading metadata. Above mentioned built-in-role definitions do not contain it...
TokenCredential ServicePrincipal = new ClientSecretCredentialBuilder()
.authorityHost("https://login.microsoftonline.com")
.tenantId(tenant_here)
.clientId(clientid_here)
.clientSecret(secret_from_above_client)
.build();
client = new CosmosClientBuilder()
.endpoint(AccountSettings.HOST)
.credential(ServicePrincipal)
.buildAsyncClient();
After I added this role, client was created, but I am not able to create database instance and also container inside it as next step. In access control I can see that roles are assigned so service principal is correct here.
What is more, when firstly I create database and container with master key and then I want to read/write data using service principal, it works (obviously after adding custom role for writting also).
Then I do not know why DocumentDB Account Contributor and Cosmos DB Operator does not work for creation database.
Looks it is a bug in java SDK, the DocumentDB Account Contributor role is enough to create the database and container as it has the Microsoft.DocumentDb/databaseAccounts/* permission(* is a wildcard, it also includes the Microsoft.DocumentDB/databaseAccounts/readMetadata you mentioned).
When I test to use a service principal with this role to create the database with the powershell New-AzCosmosDBSqlDatabase, it works fine. When using the service principal to run this command, it essentially uses the Azure AD client credential flow to get the token, then uses the token to call the REST API - PUT https://management.azure.com/subscriptions/xxxx/resourceGroups/xxxx/providers/Microsoft.DocumentDB/databaseAccounts/xxxx/sqlDatabases/testdb1?api-version=2020-04-01 to create the database, the java SDK essentially also does the same thing, so it should also work.
I have a cosmosDB with mongo API, however there are many features not supported in this API so I want to switch to SQL API?
As things stand today it is not possible to switch you account from one type to another.
This is what you need to do if you need to switch to the SQL API:
Create a SQL API Cosmos DB Account
Download the Cosmos DBmigration tool
Migrate all the data from the MongoDB account to the SQL API account
Delete the MongoDB account
In Build session #BRK3060 Mark Russinovich demos some code that uses both the SQL and Graph APIs on the same database (starts at 45:27):
https://www.youtube.com/watch?v=S2zguwKvlQk
Does anyone have any insight into these read/write using multiple APIs on the same database?
I have a dynamodb table that is being accessed by an IAM user via the application; but the problem is any admin user logged-in to AWS Console can navigate to the dynamodb table and view the items in it. As per our security policy; this shouldn't be allowed.
Can anyone suggest if it's possible to block access to the dynamodb Items from the AWS GUI?
DynamoDB does not support resource based policies. So there are two work arounds.
Create an IAM policy that denies access to the DynamoDB table and apply this policy to all IAM users. You would also have to deny access disallowing certain IAM actions to prevent the admin users from removing the deny DynamoDB access policy. IAM permissions boundaries might be able to help you with this. Update your application to use an IAM role instead of an IAM user.
Use client side encryption on the DynamoDB data so the admins can only view the encrypted data in DynamoDB. You could use KMS for this but depending on how you manage the encryption, KMS costs could far exceed the DynamoDB costs.