Description

This PR introduces "SystemAssigned" identity support & "defaultIdentity" for Cosmos DB CMK related features.

1. SystemAssigned MSI:

• Enable during account creation
  az cosmosdb create --resource-group $rg --name $dbname ...(omitted) --assigned-identity

• Enable on existing account
  az cosmosdb identity assign --resource-group $rg --name $dbname

• Disable/Remove identity
  az cosmosdb identity remove --resource-group $rg --name $dbname

• Show identity
  az cosmosdb identity show --resource-group $rg --name $dbname

2. Default Identity
   User can set the "defaultIdentity" during db account provision or update.
   For example:
   az cosmosdb update --resource-group $rg --name $dbname ...(omitted) --default-identity SystemAssignedIdentity.

Today the allowed "defaultIdentity" can be "SystemAssignedIdentity" and "FirstPartyIdentity". We will support more in near future. If the user doesn't specify the --default-identity, then the default identity of the account will not be updated.

Notice in our internal RP code, the change of default identity will have some key vault access validation, which indicate if the request doesn't pass the validation then the request will be rejected as a Bad Request to the user, and the default identity will stay unchanged.

Testing Guide

We have live tests in test_cosmosdb_commands.py, the manual tests would be similar to that in the "test_cosmosdb_managed_service_identity".

History Notes

[Component Name 1] BREAKING CHANGE: az command a: Make some customer-facing breaking change.
[Component Name 2] az command b: Add some customer-facing feature.

This checklist is used to make sure that common guidelines for a pull request are followed.

• The PR title and description has followed the guideline in Submitting Pull Requests.

• I adhere to the Command Guidelines.

• I adhere to the Error Handling Guidelines.