azure-webjobs-sdk-extensions

Managed Identity Support on CosmosDB and EventHub Binding/Trigger

Open galvesribeiro opened this issue 4 years ago • 4 comments

The current implementation of the CosmosDB bindings/triggers is using the old DocumentClient from the 2.x CosmosDB packages.

Now we have CosmosDB 3.x (and even 4 preview!) and the current bindings are outdated.

Because of that, the current bindings/triggers don't allow us to use Azure Managed Identities to access other Azure resources like CosmosDB and EventHubs. The trigger/binding requires us to pass a constant in the attributes to refer to hardcoded settings in the application settings. The same thing happens with the EventHubs binding/trigger.

We need those packages to be updated, and also the binding model to change, in order to allow us to use Managed Identities so we can remove connection strings and settings from our code/config.

Is this something planned? Can we submit PRs with this update and would that be accepted in a feasible time?

Thank you!

galvesribeiro Feb 02 '20 15:02

Had a chat with @ealsur and @brettsam about this today. Some of this work is still in progress in other components, but this is hopefully something we can light up soon.

@mattchenderson for awareness.

fabiocav Feb 22 '21 21:02

Considering the latest security vulnerability found in Cosmos DB when using account keys, and that one of the recommended actions is to transition to pure RBAC (account keys disabled, which this binding is depending on), I would urge getting this feature implemented ASAP.

Thacai Aug 30 '21 14:08

@Thacai it is coming in the next major extension version (https://github.com/Azure/azure-webjobs-sdk-extensions/pull/736); the first preview will be out shortly.

ealsur Aug 30 '21 15:08

@ealsur I am very happy with the MI and RBAC support in Cosmos DB Extension. Thank you very much. I tried it and found the problem, so I created a separate issue #741.

shibayan Sep 01 '21 15:09