Open harsimranmaan opened 2 months ago
Hi @harsimranmaan, apologies as I am a little confused by the request.
For quite some time now, all new deployments of Azure IPAM use RBAC access for Cosmos DB and no longer use Access Keys. If you review the Bicep deployment for the Cosmos DB component, you can see that it is deployed exactly as you have described above:
https://github.com/Azure/ipam/blob/main/deploy/modules/cosmos.bicep
Is there something I'm missing perhaps?
Please see https://github.com/Azure/ipam/blob/4919aebf53e77d362df06ceb3bbd36a703882927/engine/app/routers/common/helper.py#L27: we still use the primary key to connect instead of the managed identity. Since the Cosmos Bicep module writes to the Key Vault, the primary key is set and is used over managed identity. The Azure recommendation is to disable local auth and only use managed identity. Does this help?
@harsimranmaan, this is in place for legacy customers who were originally using Shared Key credentials so the product continues to work until they migrate. All net-new deployments use Managed Identity w/ RBAC.
Does this make sense?
I see what you're saying, this is the section that needs to be commented out:
https://github.com/Azure/ipam/blob/main/deploy/modules/cosmos.bicep#L93
That is what you were referring to, correct?
While you are correct that this DOES write the Key to KeyVault (which I will fix), the environment variable is no longer created in the App Service Bicep file, so the Shared Key is actually not used as the code you highlighted is looking for the environment variable, which it will not find.
The Cosmos DB setting to not use local auth would also need to be set per the recommendations. Combined with dropping the key, it should be enough, I think.
Understood, will add both in the next release. Thanks @harsimranmaan 👍
Is your feature request related to a problem? Please describe.
Azure reports the following best practice when checking Cosmos DB usage for IPAM: "Azure Cosmos DB accounts should use Azure Active Directory as the only authentication method".

Describe the solution you'd like
Manual remediation: Change your resource authentication method to RBAC. After RBAC is enabled, edit the configuration settings to enforce RBAC as the only authentication method.

Describe alternatives you've considered

Additional context
This'll likely require minor code tweaks to move from using the primary key to AAD in the application.
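The two deployment changes agreed in the thread (grant the app's managed identity a data-plane role, then enforce RBAC as the only authentication method) look like this in Bicep. This is an added example and not code from the Azure IPAM repository; the parameter names (`accountName`, `appPrincipalId`) and the API version are assumptions, and no key is emitted to Key Vault, which is the output the thread says the project's `cosmos.bicep` still writes.

```bicep
// Added example, not the Azure IPAM project's own Bicep.
// Assumes the App Service's managed identity already exists and its
// object ID is passed in as appPrincipalId (hypothetical parameter name).
param location string = resourceGroup().location
param accountName string
param appPrincipalId string

resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' = {
  name: accountName
  location: location
  kind: 'GlobalDocumentDB'
  properties: {
    databaseAccountOfferType: 'Standard'
    locations: [
      {
        locationName: location
        failoverPriority: 0
        isZoneRedundant: false
      }
    ]
    // Enforce Entra ID (RBAC) as the only authentication method:
    // data-plane requests signed with the account keys are rejected.
    disableLocalAuth: true
  }
}

// Built-in data-plane role "Cosmos DB Built-in Data Contributor".
var dataContributorRoleId = '00000000-0000-0000-0000-000000000002'

// Data-plane role assignment for the app's managed identity. Note this is a
// Cosmos DB SQL role assignment, not an Azure RBAC (control-plane) one;
// control-plane roles such as Contributor do not grant document access.
resource appDataContributor 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2023-04-15' = {
  parent: cosmos
  name: guid(cosmos.id, appPrincipalId, dataContributorRoleId)
  properties: {
    roleDefinitionId: '${cosmos.id}/sqlRoleDefinitions/${dataContributorRoleId}'
    principalId: appPrincipalId
    scope: cosmos.id
  }
}

// Deliberately no listKeys() / Key Vault secret output: once the key is
// neither stored nor injected as an environment variable, the application
// has no key-based path left and must authenticate with its identity.
```

Order matters when applying this to an existing account: deploy the role assignment first and confirm the application connects with its identity, then flip `disableLocalAuth` to `true`; enabling it before the role assignment exists turns every data-plane call into an authorization failure. Rotating the account keys afterwards also invalidates any copy that was previously written to Key Vault.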