Merge pull request #279171 from seesharprun/cosmos-rbac-function-local

prmerger-automator[bot] · web-flow · commit c54b8741bb13 · 2024-06-25T16:03:35.000Z
Cosmos DB | Add steps to RBAC tutorial for local access
diff --git a/articles/cosmos-db/managed-identity-based-authentication.yml b/articles/cosmos-db/managed-identity-based-authentication.yml
@@ -7,7 +7,7 @@ metadata:
   author: seesharprun
   ms.author: sidandrews
   ms.reviewer: justipat
-  ms.date: 10/20/2022
+  ms.date: 06/25/2024
   ms.service: cosmos-db
   ms.subservice: nosql
   ms.topic: how-to
@@ -16,7 +16,7 @@ metadata:
     - devx-track-azurecli
     - subject-rbac-steps
     - ge-structured-content-pilot
-
+  ai-usage: ai-assisted
 title: |
   Use system-assigned managed identities to access Azure Cosmos DB data
 introduction: |
@@ -50,7 +50,7 @@ prerequisites:
           ```
 
           > [!NOTE]
-          > These variables will be re-used in later steps. This example assumes your Azure Cosmos DB account name is ``msdocs-cosmos-app``, your function app name is ``msdocs-function-app`` and your resource group name is ``msdocs-cosmos-functions-dotnet-identity``.
+          > These variables are reused in later steps. This example assumes your Azure Cosmos DB account name is ``msdocs-cosmos-app``, your function app name is ``msdocs-function-app`` and your resource group name is ``msdocs-cosmos-functions-dotnet-identity``.
       
       2. View the function app's properties using the [``az functionapp show``](/cli/azure/functionapp#az-functionapp-show) command.
 
@@ -79,7 +79,7 @@ procedureSection:
   - title: |
       Create Azure Cosmos DB API for NoSQL databases
     summary: |
-      In this step, you'll create two databases.
+      In this step, you create two databases.
     steps:
       - |
         In a terminal or command window, create a new ``products`` database using [``az cosmosdb sql database create``](/cli/azure/cosmosdb/sql/database#az-cosmosdb-sql-database-create).
@@ -102,7 +102,7 @@ procedureSection:
   - title: |
       Get Azure Cosmos DB API for NoSQL endpoint
     summary: |
-      In this step, you'll query the document endpoint for the API for NoSQL account.
+      In this step, you query the document endpoint for the API for NoSQL account.
     steps:
       - |
         Use ``az cosmosdb show`` with the **query** parameter set to ``documentEndpoint``. Record the result. You'll use this value in a later step.
@@ -125,11 +125,11 @@ procedureSection:
           ```
 
           > [!NOTE]
-          > This variable will be re-used in a later step.
+          > This variable is reused in a later step.
   - title: |
       Grant access to your Azure Cosmos DB account
     summary: |
-      In this step, you'll assign a role to the function app's system-assigned managed identity. Azure Cosmos DB has multiple built-in roles that you can assign to the managed identity for control-plane access. For data-plane access, you'll create a new custom role with access to read metadata.
+      In this step, you assign a role to the function app's system-assigned managed identity. Azure Cosmos DB has multiple built-in roles that you can assign to the managed identity for control-plane access. For data-plane access, you create a new custom role with access to read metadata.
 
       > [!TIP]
       > For more information about the importance of least privilege access, see the [Lower exposure of privileged accounts](../security/fundamentals/identity-management-best-practices.md#lower-exposure-of-privileged-accounts) article.
@@ -150,7 +150,7 @@ procedureSection:
           ```
 
           > [!NOTE]
-          > This variable will be re-used in a later step.
+          > This variable is reused in a later step.
       - |
         Use ``az webapp identity show`` with the **query** parameter set to ``principalId``. Store the result in a shell variable named ``principal``.
 
@@ -296,8 +296,25 @@ procedureSection:
   - title: |
       (Optional) Run the function locally
     summary: |
-      In a local environment, the [``DefaultAzureCredential``](/dotnet/api/azure.identity.defaultazurecredential) class will use various local credentials to determine the current identity. While running locally isn't required for the how-to, you can develop locally using your own identity or a service principal.
-    steps: 
+      In a local environment, the [``DefaultAzureCredential``](/dotnet/api/azure.identity.defaultazurecredential) class uses various local credentials to determine the current identity. While running locally isn't required for the how-to, you can develop locally using your own identity or a service principal.
+    steps:
+      - |
+        Get your local account's principal identifier using [`az ad signed-in-user show`](/cli/azure/ad/signed-in-user#az-ad-signed-in-user-show).
+
+        ```azurecli-interactive
+        az ad signed-in-user show --query "id"
+        ```
+      - |
+        Assign your local account role-based access control access to the Azure Cosmos DB account using [`az cosmosdb sql role assignment create`](/cli/azure/cosmosdb/sql/role/assignment#az-cosmosdb-sql-role-assignment-create) command. Use the built-in "Cosmos DB Data Contributor" role with an id of `00000000-0000-0000-0000-000000000002`.
+
+        ```azurecli-interactive
+        az cosmosdb sql role assignment create \
+            --resource-group $resourceGroupName \
+            --account-name $cosmosName \
+            --role-definition-id "00000000-0000-0000-0000-000000000002" \
+            --principal-id "<your-principal-id>" \
+            --scope "/"
+        ```
       - |
         In the **local.settings.json** file, add a new setting named ``COSMOS_ENDPOINT`` in the **Values** object. The value of the setting should be the document endpoint you recorded earlier in this how-to guide.
 
@@ -322,7 +339,7 @@ procedureSection:
   - title: |
       Deploy to Azure
     summary: |
-      Once published, the ``DefaultAzureCredential`` class will use credentials from the environment or a managed identity. For this guide, the system-assigned managed identity will be used as a credential for the [``CosmosClient``](/dotnet/api/microsoft.azure.cosmos.cosmosclient) constructor.
+      Once published, the ``DefaultAzureCredential`` class uses credentials from the environment or a managed identity. For this guide, the system-assigned managed identity will be used as a credential for the [``CosmosClient``](/dotnet/api/microsoft.azure.cosmos.cosmosclient) constructor.
     steps:
       - |
         Set the ``COSMOS_ENDPOINT`` setting on the function app already deployed in Azure.
