microsoft / spring-data-cosmosdb

Access data with Azure Cosmos DB
MIT License

Using Resource tokens instead of the MasterKey to access to Cosmos DB #379

Open apescione opened 5 years ago

apescione commented 5 years ago

At the moment, it seems that there isn't any support to use a Resource Token instead of the Master Key to authenticate an application on Cosmos DB. Is there this kind of feature in your backlog? If yes, is there a way where I can see the RoadMap?

kushagraThapar commented 4 years ago

@apescione - Resource tokens are not supported anymore through Java Cosmos V4 SDK. Rather we are bringing in support for AAD integration, which should effectively allow you to do the same thing.

kushagraThapar commented 4 years ago

AAD support: https://github.com/Azure/azure-sdk-for-java/issues/12725

apescione commented 4 years ago

Hi @kushagraThapar, which means Resource tokens are not supported anymore through Java Cosmos V4 SDK? In V4 Permission, ResourceToken and TokenResolver (that work with Resource Tokens) won't be supported to instantiate CosmosClient? I'm asking for this because at the moment I'm using the TokenResolver interface returning a Resource Token to implement RBAC in Cosmos DB.

kushagraThapar commented 4 years ago

@apescione - Sorry, I wasn't clear enough. resourceTokens are supported through permissions. The TokenResolver interface is not supported anymore. The way to go about this would be to first get the resourceIds for permissions and then use them to instantiate CosmosClient through CosmosClientBuilder.

apescione commented 4 years ago

Even in V4 I'm seeing Token Resolver, but its name is changed to CosmosAuthorizationTokenResolver, supported by the Builder. https://github.com/Azure/azure-sdk-for-java/blob/master/sdk/cosmos/azure-cosmos/src/main/java/com/azure/cosmos/CosmosClientBuilder.java https://github.com/Azure/azure-sdk-for-java/blob/master/sdk/cosmos/azure-cosmos/src/main/java/com/azure/cosmos/implementation/CosmosAuthorizationTokenResolver.java So basically, it seems it is even supported.

kushagraThapar commented 4 years ago

@apescione It's not supported, we moved the CosmosAuthorizationTokenResolver to the implementation package. Anything inside the implementation package is not supposed to be used by end users :)

Also, if you see: https://github.com/Azure/azure-sdk-for-java/blob/master/sdk/cosmos/azure-cosmos/src/main/java/com/azure/cosmos/CosmosClientBuilder.java#L200 This API is not public, so you are not supposed to use this :)

jordanjennings commented 4 years ago

@kushagraThapar If resource tokens are not directly supported, does this mean that the AAD user accessing cosmos will be expected to have permission to read the master key and that the SDK will internally generate the resource token? Or are there RBAC improvements coming to Cosmos which will enable RBAC for data operations? (really hoping to hear it's the second one)

kushagraThapar commented 4 years ago

@milismsft - can you please answer @jordanjennings's question regarding the internal workings of AAD?

milismsft commented 4 years ago

@jordanjennings it's rather the latter, Cosmos will add RBAC supported roles and others. No need for the respective identity to have access to master keys anymore. Regarding resource tokens, this is still supported, just keep in mind this works at the container level and items level. Operations such as creating a database or container are not supported when using a resource token.
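The procedure kushagraThapar and milismsft describe above (create a permission with the master key on a trusted tier, hand only the resulting resource token to the application, and build the client with `CosmosClientBuilder.permissions(...)` instead of `.key(...)`) is spelled out below as an added example. It is not code from this project or from any of the commenters, and it uses the azure-cosmos 4.x SDK directly rather than spring-data-cosmosdb. It assumes an SDK version in which `CosmosPermissionProperties` exposes `setContainerName` and `setResourcePartitionKey`, a container whose partition key path is `/tenantId`, and placeholder endpoint, key, database and container names that you replace with your own.

```java
import com.azure.cosmos.CosmosClient;
import com.azure.cosmos.CosmosClientBuilder;
import com.azure.cosmos.CosmosContainer;
import com.azure.cosmos.CosmosDatabase;
import com.azure.cosmos.CosmosException;
import com.azure.cosmos.models.CosmosItemRequestOptions;
import com.azure.cosmos.models.CosmosPermissionProperties;
import com.azure.cosmos.models.CosmosPermissionRequestOptions;
import com.azure.cosmos.models.CosmosUserProperties;
import com.azure.cosmos.models.PartitionKey;
import com.azure.cosmos.models.PermissionMode;

import java.util.Collections;
import java.util.Map;

public final class ResourceTokenExample {

    // Placeholder values (assumed): replace with your own account, database and container.
    private static final String ENDPOINT = "https://<your-account>.documents.azure.com:443/";
    private static final String MASTER_KEY = "<master-key-held-only-by-the-trusted-tier>";
    private static final String DATABASE = "orders-db";
    private static final String CONTAINER = "orders"; // assumed partition key path: /tenantId

    /**
     * Runs on the trusted middle tier, the only component that holds the master key.
     * Creates (or reuses) a Cosmos "user" for the tenant and upserts a READ-only permission
     * scoped to one container and one partition key value. The returned properties carry the
     * resource token; tokens expire (one hour by default), so callers must re-issue them.
     */
    static CosmosPermissionProperties issueReadOnlyPermission(CosmosClient adminClient, String tenantId) {
        CosmosDatabase db = adminClient.getDatabase(DATABASE);
        String userId = "tenant-" + tenantId;
        try {
            db.createUser(new CosmosUserProperties().setId(userId));
        } catch (CosmosException e) {
            if (e.getStatusCode() != 409) { // 409 Conflict: the user already exists, which is fine
                throw e;
            }
        }
        CosmosPermissionProperties permission = new CosmosPermissionProperties()
                .setId("read-" + CONTAINER)
                .setPermissionMode(PermissionMode.READ)
                .setContainerName(CONTAINER)
                .setResourcePartitionKey(new PartitionKey(tenantId));
        return db.getUser(userId)
                .upsertPermission(permission, new CosmosPermissionRequestOptions())
                .getProperties();
    }

    /**
     * Runs in the application that must not hold the master key. The builder is given the
     * permission (and its token) instead of a key, so the SDK signs requests with the token
     * and the service enforces the container / partition / READ scope server-side.
     */
    static CosmosClient buildScopedClient(CosmosPermissionProperties permission) {
        return new CosmosClientBuilder()
                .endpoint(ENDPOINT)
                .permissions(Collections.singletonList(permission))
                .buildClient();
    }

    public static void main(String[] args) {
        CosmosPermissionProperties permission;
        try (CosmosClient adminClient = new CosmosClientBuilder()
                .endpoint(ENDPOINT).key(MASTER_KEY).buildClient()) {
            permission = issueReadOnlyPermission(adminClient, "tenant-42");
        }

        try (CosmosClient scoped = buildScopedClient(permission)) {
            CosmosContainer orders = scoped.getDatabase(DATABASE).getContainer(CONTAINER);

            // Allowed: a point read inside the permitted partition.
            orders.readItem("order-1", new PartitionKey("tenant-42"), Map.class);

            // Rejected with 403 Forbidden: a write is outside PermissionMode.READ. Creating a
            // database or container is likewise never possible with a resource token.
            try {
                Map<String, String> item = Map.of("id", "order-2", "tenantId", "tenant-42");
                orders.createItem(item, new PartitionKey("tenant-42"), new CosmosItemRequestOptions());
            } catch (CosmosException e) {
                System.out.println("write rejected as expected, status " + e.getStatusCode());
            }
        }
    }
}
```

The point of the split is that the master key never leaves the trusted tier; the application receives a token whose scope (container, partition key value, read or all) is fixed when the permission is created and checked by the service on every request, so a compromised application process cannot escalate to other tenants' data or to account-level operations.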

jordanjennings commented 4 years ago

@milismsft That's fantastic news! We have been anxiously awaiting proper managed identity support for CosmosDB with fine-grained RBAC control. Do you have any rough estimate of when this feature will be rolling out?

milismsft commented 4 years ago

@jordanjennings we are tentatively targeting an August/September timeline to roll the AAD support into Cosmos; this might come first as a "preview" feature and will likely require whitelisting the account. We will publish more specific details through our regular update channels on exact times and others.

darenwatkins commented 3 years ago

Is there any update on this, and if possible any examples on how to utilise this functionality in Spring? Thanks.