
Not connecting via AAD when Local Auth is disabled.

Open NonlinearMusings opened this issue 2 years ago • 4 comments

Disabling Local Auth throws "Error: Local Authorization is disabled. Use an AAD token to authorize all requests." error. As I've already authenticated to Azure in VS Code via AAD, I would expect those credentials to be sufficient for connecting to Cosmos too. Note that everything works as expected when Local Auth is enabled.

NonlinearMusings avatar Oct 27 '23 14:10 NonlinearMusings

@NonlinearMusings Which Cosmos service are you using? Currently only PostgreSQL Flexible in the extension has AAD authentication support. For other types of Cosmos services, you still need to use access keys or passwords to authenticate.

JasonYeMSFT avatar Oct 27 '23 18:10 JasonYeMSFT

This is for the Cosmos SQL API. Do we have a Roadmap for enabling AAD with this extension for SQL API?

NonlinearMusings avatar Oct 28 '23 12:10 NonlinearMusings

This will be something we prioritize for the next extension release. I am working on a proof of concept. Once I get a more concrete timeline I'll update it here.

JasonYeMSFT avatar Nov 20 '23 22:11 JasonYeMSFT

Really into this being added as well, would really make my workflow much easier!

ludwhe avatar Jan 31 '24 18:01 ludwhe

@JasonYeMSFT - any updates on this?

NonlinearMusings avatar Apr 12 '24 14:04 NonlinearMusings

Hi @JasonYeMSFT, seeing some promising progress with OAuth support changes merged already. Do we have an ETA on when AAD auth for Cosmos DB will be released for this extension?

arwinlashawn avatar Apr 24 '24 03:04 arwinlashawn

I'll work on the release. Should be ready in a few days.

JasonYeMSFT avatar Apr 24 '24 16:04 JasonYeMSFT

Out of curiosity, what roles do you use to authenticate with your Cosmos DB resources (e.g. Cosmos DB Account Reader or Cosmos DB Operator)? Even if the local auth is disabled, Cosmos DB Operators will still be able to list keys and will confuse my credential selection. Some users might need to manually override it in the setting.

JasonYeMSFT avatar Apr 24 '24 17:04 JasonYeMSFT

@JasonYeMSFT Great news. Generally, for data-plane RBAC access on Cosmos DB, we would assign either of these two built-in roles to the AAD principal.

Example of assigning the role to an AAD principal

If only data-plane access permissions are needed, this is the way to go as it aligns with the principle of least privilege (no access to Portal, etc).

Note: Have tested the above by accessing cosmos.azure.com/aad, authenticating with an AAD principal with Cosmos DB Built-in Data Reader role, and managing to view Cosmos DB data. Feel free to reach out to me directly on Teams if you need assistance on testing this.

arwinlashawn avatar Apr 25 '24 02:04 arwinlashawn

I published the 0.22.0 vsix on GitHub. You may install it and try it. You might need to enable the Azure Databases > Use Cosmos OAuth setting to tell the extension to use your MS Entra ID in case you still have the permission to list database keys even though local auth has been disabled. I will publish the gallery release shortly after.

JasonYeMSFT avatar Apr 26 '24 21:04 JasonYeMSFT

Thanks a lot @JasonYeMSFT for promptly addressing this. Yes, I needed to enable the "Azure Databases: Use Cosmos OAuth" extension setting to make AAD auth work.

A slight note: After authenticating with my principal, it took quite a while (approx. 5 minutes) for the authentication to fully complete so that I could view the underlying Cosmos DB data successfully. Not sure if this is by design. Will create a separate issue if I can reproduce this consistently.

arwinlashawn avatar May 13 '24 06:05 arwinlashawn