[Task] API to use Managed Identity to authenticate against Cosmos DB #345

Closed
Lybecker opened this issue Jun 22, 2021 · 2 comments · Fixed by #593 or #3806

Lybecker commented Jun 22, 2021

**Is your feature request related to a problem?**

Currently the API uses an API key, `STATE_STORE_KEY`, to authenticate against Cosmos DB. The API uses Managed Identity to authenticate against Azure Service Bus.

**Describe the solution you'd like**

Using the same simplified access pattern to authenticate from the API to Azure resources.

Note: looks like Cosmos data-plane doesn't really support managed identity (in Python at least) but there might be a way to do this:
https://github.com/MicrosoftDocs/azure-docs/issues/29762
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-cosmos-db

@Lybecker Lybecker added enhancement New feature or request api Composition Service API labels Jun 22, 2021
@marrobi marrobi added this to the Next milestone Jul 7, 2021
@marrobi marrobi modified the milestones: Next, Release 0.1 Aug 2, 2021
@tamirkamara tamirkamara changed the title API to use Managed Identity to authenticate against Cosmos DB [Story] API to use Managed Identity to authenticate against Cosmos DB Aug 8, 2021
@tamirkamara tamirkamara added the story Stories are the smallest unit of work to be done for a project. label Aug 8, 2021

tamirkamara commented Aug 9, 2021

This is the best I came up with:

```python
from azure.cosmos import CosmosClient
from azure.identity import DefaultAzureCredential
from azure.mgmt.cosmosdb import CosmosDBManagementClient

subscription_id = "..."
resource_group = "..."
account_name = "..."

# Authenticate to the management plane (ARM) with the ambient Azure identity.
credential = DefaultAzureCredential()
dbmgmt = CosmosDBManagementClient(credential, subscription_id, "https://management.azure.com")
# Read the account keys through the management API.
keys = dbmgmt.database_accounts.list_keys(resource_group, account_name)

# The data-plane client still authenticates with the primary master key.
client = CosmosClient(url="...", credential=keys.primary_master_key)
```

@deniscep deniscep self-assigned this Aug 9, 2021
@deniscep deniscep changed the title [Story] API to use Managed Identity to authenticate against Cosmos DB [Task] API to use Managed Identity to authenticate against Cosmos DB Aug 11, 2021
@deniscep deniscep removed the story Stories are the smallest unit of work to be done for a project. label Aug 11, 2021

marrobi commented Dec 6, 2023

This is now possible in the SDK without using a master key. I will reopen and submit a PR.
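
An added example, not from this thread or the project: the key-less data-plane connection the last comment refers to, assuming an azure-cosmos release that accepts an azure.identity token credential and a managed identity that has been granted a Cosmos DB data-plane role. `STATE_STORE_ENDPOINT` and `STATE_STORE_ALLOW_KEY` are hypothetical setting names; only `STATE_STORE_KEY` appears above.

```python
import os


def cosmos_credential(env, make_token_credential):
    """Choose the Cosmos DB data-plane credential from the app settings.

    Default is an Azure AD token credential (managed identity). A key is used
    only on explicit opt-in, so a leftover STATE_STORE_KEY fails loudly instead
    of silently granting full account access.
    """
    key = env.get("STATE_STORE_KEY")
    # STATE_STORE_ALLOW_KEY is a hypothetical opt-in, e.g. for a local emulator.
    allow_key = env.get("STATE_STORE_ALLOW_KEY", "").lower() == "true"
    if key and not allow_key:
        raise RuntimeError(
            "STATE_STORE_KEY is set but key auth is not enabled; "
            "remove the key or opt in explicitly"
        )
    if key:
        return "key", key
    return "aad", make_token_credential()


def connect(env=os.environ):
    """Build a CosmosClient with whichever credential cosmos_credential selects."""
    # Imported lazily so the selection logic can be exercised without the SDK.
    from azure.cosmos import CosmosClient
    from azure.identity import DefaultAzureCredential

    kind, credential = cosmos_credential(env, DefaultAzureCredential)
    # STATE_STORE_ENDPOINT is a hypothetical setting holding the account URL.
    client = CosmosClient(url=env["STATE_STORE_ENDPOINT"], credential=credential)
    return kind, client
```

With the token credential, no management-plane `list_keys` call is needed, so the API's identity no longer needs permission to read the account keys.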
