PlagueHO / CosmosDB

PowerShell Module for working with Azure Cosmos DB databases, collections, documents, attachments, offers, users, permissions, triggers, stored procedures and user defined functions.
http://dscottraynsford.com
MIT License

Remove the Key/KeyType parameters from all Data Plane functions and only use Context #481

Open PlagueHO opened 2 months ago

PlagueHO commented 2 months ago

Allowing the Key and KeyType parameters to be passed to every data plane function directly (e.g., Get-CosmosDbCollection -Key ...) encourages users to use master keys for authentication rather than the more secure Entra ID authentication or resource authentication.

Both resource and Entra ID authentication must be performed by creating a context with New-CosmosDBContext and passing that to the functions.

Once Entra ID authentication is available via #479, the Key and KeyType parameters should be phased out.

Phase 1 will just be putting in warnings when Key-based authentication is being used, but still allow it. Phase 2 will be to remove the parameters Key/KeyType from all functions (except New-CosmosDbContext and some internal util functions).

Important: It will still be possible to authenticate with master keys, but this will need to be performed via creation of a context and passing that through, and we can include warnings about the lower security of using this method.

I'll leave this open for comment for a few weeks/months before making this change.

It will be a breaking change and result in a new major version.
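
To prepare for the change proposed above, existing scripts can be audited for data plane calls that pass Key/KeyType directly. This is an added example, not code from the issue or the CosmosDB module; the function name `Find-CosmosDbDirectKeyUsage` and the sample script are constructed for illustration, and the check assumes parameters are written out in full (abbreviated names and splatted hashtables are not detected).

```powershell
# Added example: report CosmosDB module calls that pass -Key/-KeyType directly.
function Find-CosmosDbDirectKeyUsage {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [System.String]
        $ScriptText
    )

    $tokens = $null
    $parseErrors = $null
    # Parse without executing anything in the script under review.
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref] $tokens, [ref] $parseErrors)

    $commands = $ast.FindAll(
        { param ($node) $node -is [System.Management.Automation.Language.CommandAst] },
        $true)

    foreach ($command in $commands) {
        $name = $command.GetCommandName()
        # Only Verb-CosmosDb* commands matter; New-CosmosDbContext keeps its -Key parameter.
        if ($name -notmatch '^[A-Za-z]+-CosmosDb' -or $name -eq 'New-CosmosDbContext') {
            continue
        }

        $keyParams = $command.CommandElements | Where-Object {
            $_ -is [System.Management.Automation.Language.CommandParameterAst] -and
            $_.ParameterName -in @('Key', 'KeyType')
        }

        if ($keyParams) {
            [PSCustomObject] @{
                Line       = $command.Extent.StartLineNumber
                Command    = $name
                Parameters = @($keyParams.ParameterName) -join ','
            }
        }
    }
}

# Constructed sample: line 2 passes the key directly, lines 3-4 use a context.
$sample = @'
$key = Read-Host -AsSecureString
Get-CosmosDbCollection -Account 'MyAccount' -Database 'MyDatabase' -Key $key -KeyType 'master'
$context = New-CosmosDbContext -Account 'MyAccount' -Database 'MyDatabase' -Key $key
Get-CosmosDbCollection -Context $context
'@
Find-CosmosDbDirectKeyUsage -ScriptText $sample
```

Only the call on line 2 of the sample is reported; each reported call would need to be rewritten to create a context once and pass it with `-Context`.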