articles/cosmos-db/managed-identity-based-authentication.md
Lines changed: 10 additions & 9 deletions
@@ -1,11 +1,11 @@
1
1
---
2
2
title: How to use system assigned managed identities (MSI) to access to Azure Cosmos DB data.
3
3
description: Learn how to configure an Azure AD system-assigned managed identity to access keys from Azure Cosmos DB.
4
-
author: j-patrick
4
+
author: j-patrick'
5
5
ms.service: cosmos-db
6
6
ms.topic: conceptual
7
7
ms.date: 03/20/2020
8
-
ms.author: justipat
8
+
ms.author: justipat'
9
9
ms.reviewer: sngun
10
10
11
11
---
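Review bot: Both changed front-matter lines gain a trailing apostrophe (`author: j-patrick'` and `ms.author: justipat'`), which looks accidental. The values no longer match the previous `j-patrick` and `justipat`, so anything that reads these metadata fields will see different author names. Suggest restoring both values without the apostrophe, or stating in the commit message why the metadata is meant to change.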
@@ -32,7 +32,7 @@ In this step, you'll assign a system-assigned managed identity to your Azure Fun
32
32
1. On the **Identity tab** switch **System Identity** to the "On" position. Be sure to click **Save**, and confirm you want to turn on System Identity. In the end the **System Identity** pane should look like this:
## Grant the System-Assigned Managed Identity Access to yourAzure Cosmos DB
35
+
## Grant the System-Assigned Managed Identity Access to your'Azure Cosmos DB
36
36
37
37
In this step, you'll assign a role to the Azure Function's System-Assigned Managed Identity. Azure Cosmos DB has multiple built-in roles you can assign the System Identity too. For this exercise we'll just focus on two:
38
38
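Review bot: The new heading reads `your'Azure Cosmos DB`, with an apostrophe where a space is needed between "your" and "Azure". The note added later in this commit links to `#grant-the-system-assigned-managed-identity-access-to-your-azure-cosmos-db`, so the heading should read "Grant the System-Assigned Managed Identity Access to your Azure Cosmos DB" for the slug to match that anchor. While this paragraph is open, the context line below says "assign the System Identity too", which should be "to".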
@@ -55,13 +55,14 @@ For our scenario, we'll read the sale receipt documents, summarize them, and the
55
55
1. Select the **+ Add** button, then **add role assignment**:
56
56

57
57
58
-
1. The **Role Assignment** panel opens to the right:
59
-

58
+
1. The **Add Role Assignment** panel opens to the right:
***Assign access to** - Under the Select **System-assigned managed identity** subsection, select **Function App**.
63
63
***Select** - The pane will be populated with all the function apps, in your subscription, that have a **Managed System Identity**. In our case I select the **SummaryService** function app:
64
-

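Review bot: The renamed panel in the added step is written **Add Role Assignment**, but the step directly above it tells the reader to select **add role assignment** in lower case. Suggest using one casing for the same UI label in both steps so the reader can match it against the portal. The two removed lines after the step text show no content here, so it is worth confirming in the rendered page that nothing the surrounding steps rely on was dropped.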
@@ -71,6 +72,8 @@ Now we have a function app that has a system-assigned managed identity. That ide
71
72
72
73
We'll be using to get the Azure Cosmos DB Keys is the [List Keys API](https://docs.microsoft.com/rest/api/cosmos-db-resource-provider/DatabaseAccounts/ListKeys).
73
74
75
+
> [!IMPORTANT]
76
+
> If you want to [assign the **Cosmos DB Account Reader**](#grant-the-system-assigned-managed-identity-access-to-your-azure-cosmos-db) role, you will need to use the read only [List Keys api](https://docs.microsoft.com/rest/api/cosmos-db-resource-provider/DatabaseAccounts/ListReadOnlyKeys). This will only populate the read only keys.
74
77
75
78
The api returns DatabaseAccountListKeysResult. This type isn't defined in the C# libraries. The code below is an implementation for this class. Add it to the solution:
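Review bot: In the relocated note, the last sentence was shortened to "This will only populate the read only keys." and no longer says what is populated; the old wording named the DatabaseAccountListKeysResult class, which at the note's new position has not been introduced yet. Suggest either moving the note below the sentence that introduces DatabaseAccountListKeysResult, or rewording it to say that the response contains only the read-only keys. The link text "List Keys api" also points at ListReadOnlyKeys and reads the same as the List Keys API link in the line above, so a distinct label such as "List Read Only Keys API" would make the least-privilege option for the Cosmos DB Account Reader role easier to spot.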
You are now ready to [deploy your Azure Function.](../azure-functions/functions-create-first-function-vs-code.md)
185
188
186
-
> [!IMPORTANT]
187
-
> If you want to [assign the **Cosmos DB Account Reader**](#grant-the-system-assigned-managed-identity-access-to-your-azure-cosmos-db) role, you will need to use the read only [List Keys api](https://docs.microsoft.com/rest/api/cosmos-db-resource-provider/DatabaseAccounts/ListReadOnlyKeys). This would only populate the read only keys on the DatabaseAccountListKeysResult class.
188
-
189
189
## Next steps
190
190
191
191
*[Certificate-based authentication with Azure Cosmos DB and Active Directory](certificate-based-authentication.md)
192
192
*[Secure Azure Cosmos keys using Azure Key Vault](access-secrets-from-keyvault.md)
193
193
194
194
*[Security baseline for Azure Cosmos DB](security-baseline.md)