Add Support for role-based access control with Microsoft Entra ID to data plane operations #479
Labels: enhancement, high priority, in progress
Issue
It is now possible to use Entra ID OAuth2 tokens for data plane operations on Cosmos DB. This increases the security of solutions by removing the need to use either resource tokens or tokens generated using the master key. See https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#authenticate-requests-on-the-rest-api
A simple way of implementing this:
Implementing this would require some changes to the module. The simplest way:
Add support for setting an OAuth2 token (rather than a Resource token) when adding tokens to the context via New-CosmosDbContextToken - maybe a new parameter set is required for the function to allow "Resource" or "EntraID".
Update Get-CosmosDbAuthorizationHeadersFromContext to return the EntraID token in appropriate headers as per Configure role-based access control with Microsoft Entra ID - Azure Cosmos Db | Microsoft Learn - if an EntraID token is available in the Context.
Automated testing will require the most work.
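An added example of what the two authorization paths look like on the wire, written for this page and not taken from the CosmosDB module or from the issue author. It follows the header layout in the linked Microsoft Learn article (type=aad&ver=1.0&sig=<token>, URL-encoded) and shows the master-key signature beside it so the difference the issue describes is concrete. The function and parameter names are illustrative assumptions and are deliberately not the module's real New-CosmosDbContextToken or Get-CosmosDbAuthorizationHeadersFromContext; the x-ms-version value, the sample token and the Get-AzAccessToken resource URL in the comments are also assumptions.

```powershell
# Added example, not code from the CosmosDB module or from this issue: builds the
# headers for a Cosmos DB data-plane REST call from either a Microsoft Entra ID
# access token or a master key, following
# https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#authenticate-requests-on-the-rest-api
# Function and parameter names are illustrative assumptions.

function New-CosmosDbEntraIdAuthorizationHeader {
    # Cosmos DB expects: type=aad&ver=1.0&sig=<OAuth2 access token>, URL-encoded.
    # The token must be issued for the Cosmos DB data plane, not for ARM.
    param (
        [Parameter(Mandatory = $true)]
        [string] $AccessToken
    )

    if ($AccessToken.Split('.').Count -ne 3) {
        throw 'Expected a JWT (three dot-separated segments); got something else.'
    }

    return [Uri]::EscapeDataString("type=aad&ver=1.0&sig=$AccessToken")
}

function New-CosmosDbMasterKeyAuthorizationHeader {
    # Legacy path kept for comparison: HMAC-SHA256 over verb, resource type,
    # resource link and the x-ms-date value, keyed with the base64 master key.
    param (
        [Parameter(Mandatory = $true)] [string] $Key,
        [Parameter(Mandatory = $true)] [string] $Method,
        [Parameter(Mandatory = $true)] [string] $ResourceType,
        [Parameter(Mandatory = $true)] [string] $ResourceLink,
        [Parameter(Mandatory = $true)] [string] $Date
    )

    $payload = "{0}`n{1}`n{2}`n{3}`n`n" -f $Method.ToLowerInvariant(),
        $ResourceType.ToLowerInvariant(), $ResourceLink, $Date.ToLowerInvariant()
    $hmac = [System.Security.Cryptography.HMACSHA256]::new([Convert]::FromBase64String($Key))
    try {
        $signature = [Convert]::ToBase64String(
            $hmac.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($payload)))
    }
    finally {
        $hmac.Dispose()
    }

    return [Uri]::EscapeDataString("type=master&ver=1.0&sig=$signature")
}

function Get-CosmosDbRestHeaders {
    # Assembles the headers for one request; -AccessToken selects the Entra ID path,
    # -Key selects the master-key path. Two parameter sets keep them mutually exclusive.
    [CmdletBinding(DefaultParameterSetName = 'EntraId')]
    param (
        [Parameter(ParameterSetName = 'EntraId', Mandatory = $true)] [string] $AccessToken,
        [Parameter(ParameterSetName = 'MasterKey', Mandatory = $true)] [string] $Key,
        [Parameter(ParameterSetName = 'MasterKey', Mandatory = $true)] [string] $Method,
        [Parameter(ParameterSetName = 'MasterKey', Mandatory = $true)] [string] $ResourceType,
        [Parameter(ParameterSetName = 'MasterKey', Mandatory = $true)] [string] $ResourceLink,
        [string] $ApiVersion = '2018-12-31'   # assumed value; use the version your module targets
    )

    $date = [DateTime]::UtcNow.ToString('r')   # RFC 1123, the format x-ms-date requires
    $headers = @{
        'x-ms-date'    = $date
        'x-ms-version' = $ApiVersion
    }

    if ($PSCmdlet.ParameterSetName -eq 'EntraId') {
        $headers['Authorization'] = New-CosmosDbEntraIdAuthorizationHeader -AccessToken $AccessToken
    }
    else {
        $headers['Authorization'] = New-CosmosDbMasterKeyAuthorizationHeader -Key $Key -Method $Method `
            -ResourceType $ResourceType -ResourceLink $ResourceLink -Date $date
    }

    return $headers
}

# Constructed sample input: a dummy JWT-shaped string, not a real token.
# A real one would come from something like
#   (Get-AzAccessToken -ResourceUrl 'https://cosmos.azure.com').Token
# (assumed resource URL; the token must be issued for the Cosmos DB data plane).
$sampleToken = 'eyJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJodHRwczovL2Nvc21vcy5henVyZS5jb20ifQ.c2lnbmF0dXJl'
$headers = Get-CosmosDbRestHeaders -AccessToken $sampleToken
$headers.GetEnumerator() | Sort-Object Name | ForEach-Object { '{0}: {1}' -f $_.Name, $_.Value }

# With a real token the same headers authorize a data-plane call, e.g. listing the
# databases of an account (account name is a placeholder):
# Invoke-RestMethod -Method Get -Uri 'https://<account>.documents.azure.com/dbs' -Headers $headers
```

The practical point for the module change is visible in Get-CosmosDbRestHeaders: the Entra ID path never touches the account key, needs no per-request signing, and the only things that change in the header set are the Authorization value and the fact that the token expires and must be refreshed by the caller rather than re-signed.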