articles/search/search-howto-managed-identities-cosmos-db.md
Lines changed: 11 additions & 5 deletions
@@ -25,13 +25,19 @@ You can use a system-assigned managed identity or a user-assigned managed identi
25
25
26
26
* You can optionally [enforce role-based access as the only authentication method](/azure/cosmos-db/how-to-setup-rbac#disable-local-auth) for data connections by setting `disableLocalAuth` to `true` for your Azure Cosmos DB for NoSQL account.
27
27
28
-
## Limitations
28
+
## Supported approaches for managed identity authentication
29
29
30
30
Azure AI Search supports two mechanisms to connect using managed identity.
31
31
32
-
1. The _legacy_ approach requires configuring the managed identity to have reader permissions on the management plane of the target Azure Cosmos DB account. Azure AI Search utilizes that identity to fetch the account keys of Cosmos DB account in the background to access the data. This approach won't work if the Cosmos DB account has `"disableLocalAuth": true`. Indexers that connect to Azure Cosmos DB for Gremlin and MongoDB (currently in preview) __only__ support this approach. Indexers that connect to Azure Cosmos DB for NoSQL also support this approach, but it isn't recommended.
32
+
1. The _legacy_ approach requires configuring the managed identity to have reader permissions on the management plane of the target Azure Cosmos DB account. Azure AI Search utilizes that identity to fetch the account keys of Cosmos DB account in the background to access the data. This approach won't work if the Cosmos DB account has `"disableLocalAuth": true`.
33
+
34
+
1. The _modern_ approach requires configuring the managed identity appropriate roles on the management and data plane of the target Azure Cosmos DB account. Azure AI Search will then request an access token to access the data in the Cosmos DB account. This approach works even if the Cosmos DB account has `"disableLocalAuth": true`.
35
+
36
+
Indexers that connect to Azure Cosmos DB for NoSQL support both the _legacy_ and the _modern_ approach - the _modern_ approach is highly recommended.
37
+
38
+
## Limitations
33
39
34
-
1. The _recommended_ approach requires configuring the managed identity appropriate roles on the management and data plane of the target Azure Cosmos DB account. Azure AI Search will then request an access token to access the data in the Cosmos DB account. This approach works even if the Cosmos DB account has `"disableLocalAuth": true`. Indexers that connect to Azure Cosmos DB for NoSQL should be configured with this approach.
40
+
* Indexers that connect to Azure Cosmos DB for Gremlin and MongoDB (currently in preview) only support the _legacy_ approach.
35
41
36
42
## Connect to Azure Cosmos DB for NoSQL
37
43
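Review bot: The new _modern_ item (new line 34) is missing a preposition: "configuring the managed identity appropriate roles on the management and data plane" should read "configuring the managed identity with appropriate roles on the management and data plane"; the moved _legacy_ item (new line 32) likewise drops an article in "fetch the account keys of Cosmos DB account" ("of the Cosmos DB account"). Since the _legacy_ item states that it does not work when `"disableLocalAuth": true` and the new Limitations bullet (new line 40) states that Gremlin and MongoDB indexers only support _legacy_, consider spelling out that consequence in the bullet, e.g. "..., so those indexers can't connect to an account that has `disableLocalAuth` set to `true`", because the prerequisite at line 26 invites readers to enable exactly that setting. Minor: both list items use `1.` and rely on Markdown auto-numbering, which renders fine but reads oddly in source.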
@@ -95,7 +101,7 @@ The [REST API](/rest/api/searchservice/data-sources/create), Azure portal, and t
95
101
96
102
When you're connecting with a system-assigned managed identity, the only change to the data source definition is the format of the "credentials" property. Provide a database name and a ResourceId that has no account key or password. The ResourceId must include the subscription ID of Azure Cosmos DB, the resource group, and the Azure Cosmos DB account name.
97
103
98
-
Here's an example using the [Create Data Source](/rest/api/searchservice/data-sources/create) REST API that exercises the _recommended_ approach.
104
+
Here's an example using the [Create Data Source](/rest/api/searchservice/data-sources/create) REST API that exercises the _modern_ approach.
99
105
100
106
```http
101
107
POST https://[service name].search.windows.net/datasources?api-version=2024-11-01-preview
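Review bot: The rename from _recommended_ to _modern_ on new line 104 is consistent with the new section in the first hunk, but the unchanged paragraph at line 102 says the only change to the data source definition is the format of the "credentials" property, and nothing in the visible text says what in the request body makes this example the _modern_ approach rather than the _legacy_ one. If the two approaches differ only in the role assignments granted to the identity and not in the request, say so in the lead-in (e.g. "the request is identical for both approaches; what differs is the role assignment"); if the definition does differ, name the property here so the example can be told apart from a _legacy_ one.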
@@ -116,7 +122,7 @@ POST https://[service name].search.windows.net/datasources?api-version=2024-11-0
116
122
117
123
You need to add an "identity" property to the data source definition, where you specify the specific identity (out of several that can be assigned to the search service), that will be used to connect to the Azure Cosmos DB account.
118
124
119
-
Here's an example using user-assigned identity via the _recommended_ approach.
125
+
Here's an example using user-assigned identity via the _modern_ approach.
120
126
121
127
```http
122
128
POST https://[service name].search.windows.net/datasources?api-version=2024-11-01-preview
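Review bot: New line 125 should read "Here's an example using a user-assigned identity via the _modern_ approach" (missing article), matching the "a system-assigned managed identity" wording used at line 102. While touching this paragraph, the unchanged line 123 could lose the redundancy in "specify the specific identity", e.g. "specify which identity (out of several that can be assigned to the search service) is used to connect to the Azure Cosmos DB account".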