Update how-to-query-analytical-store-spark-3.md

Rodrigossz · web-flow · commit 93191bcda8d7 · 2025-03-04T13:40:57.000-08:00
diff --git a/articles/synapse-analytics/synapse-link/how-to-query-analytical-store-spark-3.md b/articles/synapse-analytics/synapse-link/how-to-query-analytical-store-spark-3.md
@@ -45,6 +45,104 @@ Thus, you can choose between loading to Spark DataFrame and creating a Spark tab
 > [!NOTE]
 > Please note that all `options` in the commands below are case sensitive.
 
+## Authentication
+
+Now Spark 3.x customers can authenticate to Azure Cosmos DB analytical store using access tokens and database account keys. Access tokes are more secure as they are short lived, meaning less risk sincee it can only be generated by trusted identities, which have been approved by assigning them the required permission using Cosmos DB RBAC.
+
+The connector now supports two auth types, `MasterKey` and `AccessToken`. This can be configured using the property `spark.cosmos.auth.type`.
+
+### Master key authentication
+
+Use the key to read a dataframe using spark:
+
+```scala
+val config = Map(
+    "spark.cosmos.accountEndpoint" -> "<endpoint>",
+    "spark.cosmos.accountKey" -> "<key>",
+    "spark.cosmos.database" -> "<db>",
+    "spark.cosmos.container" -> "<container>"
+)
+
+val df = spark.read.format("cosmos.olap").options(config).load()
+df.show(10)
+```
+
+### Access token authentication
+
+The new keyless authentication introduces support for access tokens:
+
+```scala
+val config = Map(
+    "spark.cosmos.accountEndpoint" -> "<endpoint>",
+    "spark.cosmos.auth.type" -> "AccessToken",
+    "spark.cosmos.auth.accessToken" -> "<accessToken>",
+    "spark.cosmos.database" -> "<db>",
+    "spark.cosmos.container" -> "<container>"
+)
+
+val df = spark.read.format("cosmos.olap").options(config).load()
+df.show(10)
+```
+
+#### Access token authentication requires role assignment
+
+To use the access token approach, you need to generate access tokens. Since access tokens are associated with azure identities, correct role-based access control (RBAC) must be assigned to the identity. This role assignment is on data plane level, and you must have minimum control plane permissions to perform the role assignment. Click [here](https://learn.microsoft.com/azure/cosmos-db/nosql/security/how-to-grant-data-plane-role-based-access) for more information. 
+
+The Access Control (IAM) role assignments from azure portal are on control plane level and don't affect the role assignments on data plane. Data plane role assignments are only available via Azure CLI. The `readAnalytics` action is required to read data from analytical store in Cosmos DB and is not part of any pre-defined roles. As such we must create a custom role definition. In addition to the `readAnalytics` action, also add the actions required for Data Reader. These are the minimum actions required for reading data from analytical store. Create a JSON file with the following content and name it role_definition.json
+
+```JSON
+{
+  "RoleName": "CosmosAnalyticsRole",
+  "Type": "CustomRole",
+  "AssignableScopes": ["/"],
+  "Permissions": [{
+    "DataActions": [
+      "Microsoft.DocumentDB/databaseAccounts/readAnalytics",
+      "Microsoft.DocumentDB/databaseAccounts/readMetadata",
+      "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
+      "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeQuery",
+      "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed"
+    ]
+  }]
+}
+```
+
+#### Access Token authentication requires Azure CLI
+
+ - Log into Azure CLI: `az login`
+ - Set the default subscription which has your Cosmos DB account: `az account set --subscription <name or id>`
+ - Create the role definition in the desired Cosmos DB account: `az cosmosdb sql role definition create --account-name <cosmos-account-name> --resource-group <resource-group-name> --body @role_definition.json`
+ - Copy over the role definition id returned from the above command: `/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.DocumentDB/databaseAccounts/< cosmos-account-name >/sqlRoleDefinitions/<a-random-generated-guid>`
+ - Get the principal id of the identity that you want to assign the role to. The identity could be an azure app registration, a virtual machine or any other supported azure resource. Assign the role to the principal using: `az cosmosdb sql role assignment create --account-name "<cosmos-account-name>" --resource-group "<resource-group>" --scope "/" --principal-id "<principal-id-of-identity>" --role-definition-id "<role-definition-id-from-previous-step>"`
+
+> [!Note]
+> When using an azure app registration, Use the Object Id as the service principal id in the step above. Also, the principal id and the Cosmos DB account must be in the same tenant.
+
+
+#### Generating the access token - Synapse Notebooks
+
+The recommended method for Synapse Notebooks is to use service principal with a certificate to generate access tokens. Click [here](https://learn.microsoft.com/azure/synapse-analytics/spark/apache-spark-secure-credentials-with-tokenlibrary) for more information.
+
+```scala
+The following code snippet has been validated to work in a Synapse notebook
+val tenantId = "<azure-tenant-id>"
+val clientId = "<client-id-of-service-principal>"
+val kvLinkedService = "<azure-key-vault-linked-service>"
+val certName = "<certificate-name>"
+val token = mssparkutils.credentials.getSPTokenWithCertLS(
+  "https://<cosmos-account-name>.documents.azure.com/.default",
+  "https://login.microsoftonline.com/" + tenantId, clientId, kvLinkedService, certName)
+```
+
+Now you can use the access token generated in this step to read data from analytical store when auth type is set to access token.
+
+> [!Note]
+> When using an Azure App registration, use the application (Client Id) in the step above.
+
+> [!Note]
+> Currently, Synapse doesn’t support generating access tokens using the azure-identity package in notebooks. Furthermore, synapse VHDs don’t include azure-identity package and its dependencies. Click [here](https://learn.microsoft.com/azure/synapse-analytics/synapse-service-identity) for more information.
+
+
 ### Load to Spark DataFrame
 
 In this example, you'll create a Spark DataFrame that points to the Azure Cosmos DB analytical store. You can then perform additional analysis by invoking Spark actions against the DataFrame. This operation doesn't impact the transactional store.
@@ -60,7 +158,7 @@ df = spark.read.format("cosmos.olap")\
 ```
 
 The equivalent syntax in **Scala** would be the following:
-```java
+```scala
 // To select a preferred list of regions in a multi-region Azure Cosmos DB account, add option("spark.cosmos.preferredRegions", "<Region1>,<Region2>")
 
 val df_olap = spark.read.format("cosmos.olap").
