Closed PlagueHO closed 2 months ago
It is possible to now use Entra ID OAuth2 tokens for data plane operations on Cosmos DB. This increases the security of solutions by removing the need to use either resource tokens or tokens using the master key. See https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#authenticate-requests-on-the-rest-api
Simple way of implementing this: Implementing this would require some changes to the module. The simplest way: Add support for setting an OAuth2 token (rather than a Resource token) when adding tokens to the context via New-CosmosDbContextToken - maybe a new parameter set is required for the function to allow "Resource" or "EntraID". Update Get-CosmosDbAuthorizationHeadersFromContext to return the EntraID token in the appropriate headers as per Configure role-based access control with Microsoft Entra ID - Azure Cosmos Db | Microsoft Learn - if an EntraID token is available in the Context.
Automated testing will require the most work.
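The header change the issue asks for, sketched as an added PowerShell example; this is not the CosmosDB module's code and not PlagueHO's proposal verbatim. It assumes the Authorization header formats documented on the linked Microsoft Learn page (`type=resource&ver=1.0&sig=<token>` for resource/master-key tokens, `type=aad&ver=1.0&sig=<token>` for Entra ID tokens, URL-encoded before sending), and the function name `Get-ExampleCosmosDbAuthorizationHeader`, its `-TokenType` parameter set and the `Get-AzAccessToken` resource URL in the usage comment are assumptions, not names from the module.

```powershell
# Added illustration (not the module's code): builds the Cosmos DB REST API
# 'Authorization' header for either a resource token or an Entra ID token.
# Assumed header formats (from the linked Microsoft Learn page):
#   resource / master-key token : type=resource&ver=1.0&sig=<token>
#   Entra ID (aad) token        : type=aad&ver=1.0&sig=<token>
# Both values are URL-encoded before being sent. The function and parameter
# names below are hypothetical, not the CosmosDB module's real API.

function Get-ExampleCosmosDbAuthorizationHeader {
    [CmdletBinding()]
    param (
        # Mirrors the proposed "Resource" / "EntraID" parameter set on the context token.
        [Parameter(Mandatory = $true)]
        [ValidateSet('Resource', 'EntraID')]
        [string] $TokenType,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string] $Token
    )

    switch ($TokenType) {
        'Resource' {
            $raw = "type=resource&ver=1.0&sig=$Token"
        }
        'EntraID' {
            # An Entra ID access token is a JWT: three dot-separated base64url
            # segments. Rejecting anything else early stops a master key or a
            # resource token from being sent under the 'aad' type by mistake.
            if ($Token -notmatch '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$') {
                throw 'EntraID token does not look like a JWT (expected header.payload.signature).'
            }
            $raw = "type=aad&ver=1.0&sig=$Token"
        }
    }

    # Cosmos DB expects the Authorization value URL-encoded ('=' -> %3D, '&' -> %26)
    # and an RFC 1123 date in x-ms-date on every request.
    return @{
        'Authorization' = [System.Uri]::EscapeDataString($raw)
        'x-ms-date'     = [DateTime]::UtcNow.ToString('r')
        'x-ms-version'  = '2018-12-31'
    }
}

# Usage (assumed, not executed here). The token audience used with
# Get-AzAccessToken is taken from the same Microsoft Learn page and is an
# assumption of this example; no master key is involved anywhere in the flow:
#
#   $token   = (Get-AzAccessToken -ResourceUrl 'https://cosmos.azure.com').Token
#   $headers = Get-ExampleCosmosDbAuthorizationHeader -TokenType EntraID -Token $token
#   Invoke-RestMethod -Method Get -Uri "https://<account>.documents.azure.com/dbs" -Headers $headers
```

The `Get-CosmosDbAuthorizationHeadersFromContext` change the issue describes reduces to the `'EntraID'` branch above: when the context carries an Entra ID token, emit `type=aad` instead of `type=resource` and skip the HMAC signing path entirely. For the automated-testing part, the JWT shape check gives a cheap, offline-testable contract (a resource token or a base64 master key fails it) without needing a live account.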