Concepts
Azure Cosmos DB is a highly scalable and globally distributed NoSQL database service offered by Microsoft. It supports multiple data models, including key-value, documents, graph, and columnar. When using Azure Cosmos DB, it is essential to understand how to manage data plane access to ensure the security and integrity of your data. In this article, we will explore how to manage data plane access to Azure Cosmos DB by using keys.
1. Obtain the Key
To access Azure Cosmos DB using keys, you need to obtain either the Primary Key or the Secondary Key. These keys can be found in the Azure portal or retrieved programmatically using the Azure SDK or REST API.
2. Create an Instance of the CosmosClient Class
In your code, create an instance of the CosmosClient class from the Azure Cosmos DB SDK. The CosmosClient class requires the endpoint URI of your Azure Cosmos DB account and the access key.
Here is an example of creating a CosmosClient instance:
csharp
using Microsoft.Azure.Cosmos;
// …
string endpointUri = “your-endpoint-uri”;
string primaryKey = “your-primary-key”;
CosmosClient cosmosClient = new CosmosClient(endpointUri, primaryKey);
Make sure to replace your-endpoint-uri and your-primary-key with your actual endpoint URI and primary key.
3. Access the Database
Once you have created the CosmosClient instance, you can use it to access your Azure Cosmos DB account. You can create, read, update, and delete documents or perform queries on the database.
Here is an example of reading a document from a container:
csharp
string databaseName = “your-database-name”;
string containerName = “your-container-name”;
string documentId = “your-document-id”;
Database database = await cosmosClient.GetDatabase(databaseName);
Container container = database.GetContainer(containerName);
ItemResponse
MyDocument document = response.Resource;
Make sure to replace your-database-name, your-container-name, and your-document-id with the actual names in your Azure Cosmos DB account.
4. Control Access Using Keys
To control access to your Azure Cosmos DB account, you can generate and manage additional keys. This allows you to grant access with specific permissions to different applications or users. For example, you can create a key with read-only access for reporting purposes or a key with read-write access for application development.
To generate a new key, you can use the Azure portal or the Azure Cosmos DB SDK. The SDK provides methods like RegenerateKeyAsync and CreatePermissionAsync to manage keys and permissions programmatically.
Here is an example of generating a secondary key and creating a permission with read-only access:
csharp
string secondaryKey = await cosmosClient.GetDatabaseAccount().RegenerateKeyAsync(ResourceUriFactory.CreateDatabaseUri(databaseName), “Secondary”);
string permissionId = “permission1”;
PermissionProperties permissionProperties = new PermissionProperties(permissionId, PermissionMode.Read);
await container.CreatePermissionAsync(permissionProperties, new[] { “/myPartitionKey” });
This example regenerates the secondary key for the database account and creates a permission with read-only mode. It also specifies /myPartitionKey as the partition key for the permission.
By following these steps, you can manage data plane access to Azure Cosmos DB using keys. Remember to keep your keys secure and rotate them periodically for better security. Additionally, when assigning permissions, define the most restrictive access level required for each application or user to ensure data integrity.
Note: The code examples provided in this article are in C#, but similar functionality is available in other programming languages supported by Azure Cosmos DB SDKs.
Answer the Questions in Comment Section
When managing data plane access to Azure Cosmos DB, which type of key is recommended for server-to-server applications?
- a. Primary key
- b. Secondary key
- c. Master key
- d. Resource token
Correct Answer: c. Master key
True or False: A master key in Azure Cosmos DB allows full control over the entire account, including the ability to create, update, and delete databases and collections.
- True
- False
Correct Answer: True
Which of the following resources can be accessed using resource tokens in Azure Cosmos DB? (Select all that apply)
- a. Databases
- b. Collections
- c. Partitions
- d. Stored procedures
Correct Answer: a. Databases, b. Collections, c. Partitions, d. Stored procedures
True or False: Azure Cosmos DB resource tokens can only provide read access to the specified resources.
- True
- False
Correct Answer: False
When should you regenerate the primary access key in Azure Cosmos DB? (Select all that apply)
- a. When it has been compromised
- b. When you want to restrict access to specific resources
- c. When the key has expired
- d. When you want to increase the throughput of your account
Correct Answer: a. When it has been compromised, b. When you want to restrict access to specific resources
Which of the following authentication mechanisms are supported in Azure Cosmos DB? (Select all that apply)
- a. Master key
- b. Resource token
- c. Shared Access Signature (SAS) token
- d. Azure Active Directory (AAD) integration
Correct Answer: a. Master key, b. Resource token, c. Shared Access Signature (SAS) token, d. Azure Active Directory (AAD) integration
True or False: By default, all newly created Azure Cosmos DB accounts have a primary key and a secondary key.
- True
- False
Correct Answer: True
What is the recommended approach for managing access control in Azure Cosmos DB?
- a. Use a single master key for all applications
- b. Use a different key for each application
- c. Use Azure Active Directory (AAD) integration for authentication
- d. Use resource tokens exclusively for all access
Correct Answer: b. Use a different key for each application
True or False: When using resource tokens in Azure Cosmos DB, you can define and assign fine-grained permissions to individual resources.
- True
- False
Correct Answer: True
Which statement is true about shared keys in Azure Cosmos DB?
- a. Shared keys provide granular access control to individual documents.
- b. Shared keys are used for authentication with Azure Active Directory (AAD).
- c. Shared keys are recommended for client-to-server applications.
- d. Shared keys are no longer supported and have been replaced by resource tokens.
Correct Answer: c. Shared keys are recommended for client-to-server applications.
Great blog post on managing data plane access to Azure Cosmos DB using keys. Very insightful!
I’m preparing for the DP-420 exam. Does anyone have any additional resources about key management in Cosmos DB?
Interesting read! How often should we rotate keys for Azure Cosmos DB?
Can someone explain the difference between primary and secondary keys?
Thank you for the post. It’s very well written and easy to understand.
My understanding is that key management is crucial for securing Cosmos DB. Any tools to automate this?
Not a fan of the interface design demonstrated here. It could be more user-friendly.
How does one limit access to certain operations using keys in Cosmos DB?