Passwordless connectivity to Cosmos DB #156

Closed
XtratusCloud opened this issue Aug 23, 2023 · 4 comments
Labels
enhancement New feature or request

Comments

@XtratusCloud

Is your feature request related to a problem? Please describe.
only an improvement, does not apply

Describe the solution you'd like
As part of our internal effort to extend the use of passwordless connections to databases, we have implemented a User Managed Identity based connection to Cosmos DB, which we propose as an improvement to your solution.

For the implementation we have needed:

  • Create a UMI resource.
  • Assign to the UMI the role "Cosmos DB Built-in Data Contributor" at the Cosmos DB scope. This role assignment must be performed at data plane level with the 'az cosmosdb sql role assignment create' command (also possible with the terraform resource 'azurerm_cosmosdb_sql_role_assignment')
  • In code, generate the token using the DefaultAzureCredential method of the azure.identity.aio package. You can see our implementation in our forked repo at the following commit
  • If the application engine runs on an Azure resource, like an Azure Function, the UMI must be assigned to that resource to allow it to obtain tokens.

In our case the application runs on AKS, and we have also needed:

  • Configure the federation of the UMI with the service account of the AKS cluster.
  • Deploy a k8s Service Account in the ipam namespace, with the annotation with workload identity client-id
  • Configure the aks deployment to use the service account, and add the workload identity labels

Describe alternatives you've considered

  • A more generic implementation would probably allow identifying, by an environment variable or similar, the desired authentication method to be used (COSMOS_KEY or Azure Token).
  • The database creation operation is not available using a token obtained with data plane permissions. In our case the database and collection are created when deploying the infrastructure, and therefore we use the "create_database_if_not_exists" and "create_database_if_not_exists" methods in our implementation.

Additional context
If you need more information about the implementation, examples or screenshots to include in the documentation, please contact us.
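
The flow described in this request, as an added illustration (not code from this issue or from the project): an environment-variable switch between key auth and an AAD token from DefaultAzureCredential, and the data-plane limitation that makes create_database_if_not_exists unavailable in token mode. The variable names COSMOS_ENDPOINT / COSMOS_KEY and the fallback order are assumptions of this example.

```python
import os
from typing import Any, Mapping

# Constructed example: choose between the legacy Cosmos key and an AAD token
# (User Managed Identity via DefaultAzureCredential). The env-var names and
# the fallback order are assumptions, not the project's own configuration.

KEY_AUTH = "key"
AAD_AUTH = "aad"


def choose_auth_mode(environ: Mapping[str, str]) -> str:
    """Use the key only when COSMOS_KEY is present; otherwise an AAD token."""
    return KEY_AUTH if environ.get("COSMOS_KEY") else AAD_AUTH


def build_cosmos_client(environ: Mapping[str, str] = os.environ) -> Any:
    """Create an async CosmosClient with the selected mechanism.

    The Azure SDKs are imported lazily so the selection logic can be
    exercised without them installed.
    """
    from azure.cosmos.aio import CosmosClient

    endpoint = environ["COSMOS_ENDPOINT"]
    if choose_auth_mode(environ) == KEY_AUTH:
        return CosmosClient(endpoint, credential=environ["COSMOS_KEY"])
    from azure.identity.aio import DefaultAzureCredential

    # On AKS with workload identity the federated UMI's client id is injected
    # into the pod and picked up by DefaultAzureCredential; on an Azure
    # Function the UMI assigned to the resource is used the same way.
    return CosmosClient(endpoint, credential=DefaultAzureCredential())


def database_handle(client: Any, name: str, mode: str) -> Any:
    """Return a database client.

    A token backed only by the data-plane role "Cosmos DB Built-in Data
    Contributor" cannot create databases, so in AAD mode the database must
    already exist (created with the infrastructure) and we only bind to it.
    """
    if mode == KEY_AUTH:
        return client.create_database_if_not_exists(id=name)
    return client.get_database_client(name)
```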

@DCMattyG
Contributor

Good morning @XtratusCloud, and thank you for the wonderfully detailed notes!

To be honest, we did look into using role-based auth to Cosmos DB a year or so ago, but at that time I don't believe this option was available. I think using this mechanism is the best way to move forward as utilizing the Cosmos Key has potential security risks, and it's actually recommended to disable the use of it in most cases.

Here's what I'd propose:

  • Moving forward, all net-new deployments will use SQL RBAC (as described above) to communicate with Cosmos DB in lieu of the Cosmos Key
  • We will add a migration guide in our documentation so users can manually switch away from Cosmos Key to the new SQL RBAC mechanism for existing deployments

Please let me know your thoughts, always appreciate your insight & contributions.

@DCMattyG DCMattyG self-assigned this Aug 23, 2023
@DCMattyG DCMattyG added the enhancement New feature or request label Aug 23, 2023
@DCMattyG
Contributor

Hi @XtratusCloud, I wanted to check-in with you on the above plan. Does what I described sound like an acceptable go-forward plan to implement this updated solution?

@XtratusCloud
Author

Hi @DCMattyG,
I think the actions you have described are correct.
In our case, in the deployment phase of the infrastructure we had to include the creation of a User Managed Identity, and its assignment / federation with the resource where the API of the ipam solution runs.

In our case the solution runs on AKS, and we had to add some additional configuration. If you need examples about this implementation I can provide them for you.

@DCMattyG
Contributor

Hi @XtratusCloud, this has been completed and merged in with #230.

Please let me know if you have any issues or questions, thanks!
