CosmosDB: Deny CRUD Operations to Owner

Fábio Santos 65 Reputation points
2024-07-03T12:10:13.2066667+00:00

Hi,

I have a Cosmos DB account.

I would like a user who is Subscription Owner (where Cosmos DB lives) to not have access to CRUD operations: no writes, no reads to the Cosmos DB container.

How can I achieve that? I would like to maintain the owner permissions.

Thanks.

3 answers

  1. GeethaThatipatri-MSFT 29,007 Reputation points Microsoft Employee
    2024-07-03T13:11:41.84+00:00

    @Fábio Santos Thanks for posting your question in the Microsoft Q&A forum.

    As the owner of the subscription, you inherently have the permissions to perform read and write operations on the Cosmos DB account.

    Please follow the document here https://video2.skills-academy.com/en-us/azure/cosmos-db/secure-access-to-data?tabs=using-primary-key

    Use Azure Cosmos DB RBAC: Assign appropriate RBAC roles to the users. For example, you can assign the 'Cosmos DB Account Reader Role' to the Subscription Owner, which allows them to view the account but not perform any write, update, or delete operations.

    Regards

    Geetha


  2. Amira Bedhiafi 18,501 Reputation points
    2024-07-03T13:46:36.94+00:00

    You can use Azure RBAC to assign specific roles to users, groups, or applications at a certain scope (such as resource group or individual resource like Cosmos DB). The key here is assigning a role restricting data access while allowing management operations.

    You could create a custom role (Cosmos DB ReadOnly Contributor) that allows management operations (Microsoft.DocumentDB/databaseAccounts/read, Microsoft.DocumentDB/databaseAccounts/listKeys/action, etc.) but denies data plane operations (Microsoft.DocumentDB/databaseAccounts/*/write, Microsoft.DocumentDB/databaseAccounts/*/read).

    Then you assign it to the subscription owner at the Cosmos DB account level.


  3. Amira Bedhiafi 18,501 Reputation points
    2024-07-05T09:39:07.0633333+00:00

    You need to create a custom role that explicitly denies CRUD operations on the Cosmos DB account. Azure RBAC doesn't have explicit deny permissions, but you can create a custom role with limited access and assign it to the user.

    
    {
    
      "Name": "NoAccessToCosmosDB",
    
      "IsCustom": true,
    
      "Description": "Role to deny CRUD operations on Cosmos DB",
    
      "Actions": [],
    
      "NotActions": [
    
        "Microsoft.DocumentDB/databaseAccounts/read",
    
        "Microsoft.DocumentDB/databaseAccounts/listKeys/action",
    
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read",
    
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/documents/*"
    
      ],
    
      "AssignableScopes": ["/subscriptions/{subscription-id}"]
    
    }
    
    

    Replace {subscription-id} with your actual subscription ID.

    Use Azure CLI or Azure PowerShell to create the custom role.

    Using Azure CLI:

    
    az role definition create --role-definition customRole.json
    
    

    Using Azure PowerShell:

    
    New-AzRoleDefinition -InputFile customRole.json
    

    Assign the custom role to the user who is the Subscription Owner.

    Using Azure CLI:

    
    az role assignment create --assignee user@example.com --role "NoAccessToCosmosDB" --scope /subscriptions/{subscription-id}
    
    

    Using Azure PowerShell:

    
    New-AzRoleAssignment -ObjectId (Get-AzADUser -UserPrincipalName user@example.com).Id -RoleDefinitionName "NoAccessToCosmosDB" -Scope /subscriptions/{subscription-id}
    
    0 comments No comments
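As an added example that is not part of any answer in this thread, the following Python script models the Azure RBAC evaluation rule for control-plane actions (effective permissions are the union over all role assignments of each role's Actions minus its NotActions; NotActions is not a deny) and runs three role sets through it: the custom role from the last answer, the built-in Owner role, and the Cosmos DB Account Reader Role suggested in the first answer. Owner is reduced to its control-plane Actions and the reader role is reproduced only in part (both assumptions); the list of operations is constructed for the check.

```python
"""
Model of Azure RBAC control-plane evaluation, used to check the custom-role
approach discussed in this thread. Rule (as documented by Azure): a principal's
effective permissions are the union, over all role assignments, of
(Actions minus NotActions). NotActions subtracts only from the same role's
Actions; it never denies an action granted by another assignment.
"""
import fnmatch
from dataclasses import dataclass, field


@dataclass
class RoleDefinition:
    name: str
    actions: list
    not_actions: list = field(default_factory=list)


def matches(pattern: str, operation: str) -> bool:
    """Action strings are matched case-insensitively; '*' spans any number of
    '/'-separated segments, which fnmatch's '*' also does."""
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())


def role_permits(role: RoleDefinition, operation: str) -> bool:
    """One role grants an operation if some Actions entry matches it and no
    NotActions entry matches it. A role with empty Actions grants nothing."""
    granted = any(matches(p, operation) for p in role.actions)
    excluded = any(matches(p, operation) for p in role.not_actions)
    return granted and not excluded


def effective_permission(assigned_roles, operation: str) -> bool:
    """Assignments are unioned: if any assigned role grants the operation, the
    principal has it, whatever the other roles' NotActions say."""
    return any(role_permits(r, operation) for r in assigned_roles)


# Built-in Owner, simplified to its control-plane Actions (assumption: DataActions omitted).
OWNER = RoleDefinition("Owner", actions=["*"])

# The custom role proposed in the last answer: empty Actions, several NotActions.
NO_ACCESS = RoleDefinition(
    "NoAccessToCosmosDB",
    actions=[],
    not_actions=[
        "Microsoft.DocumentDB/databaseAccounts/read",
        "Microsoft.DocumentDB/databaseAccounts/listKeys/action",
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read",
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/documents/*",
    ],
)

# Subset of the built-in "Cosmos DB Account Reader Role" (assumption: only the
# Cosmos DB-specific Actions entries are reproduced here).
ACCOUNT_READER = RoleDefinition(
    "Cosmos DB Account Reader Role",
    actions=[
        "Microsoft.DocumentDB/*/read",
        "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
    ],
)

# Constructed sample of control-plane operations to evaluate.
OPERATIONS = [
    "Microsoft.DocumentDB/databaseAccounts/read",
    "Microsoft.DocumentDB/databaseAccounts/write",
    "Microsoft.DocumentDB/databaseAccounts/listKeys/action",
    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read",
]


def evaluate(assigned_roles, operations=OPERATIONS) -> dict:
    """Map each operation to the effective allow/deny for a principal holding
    the given role assignments."""
    return {op: effective_permission(assigned_roles, op) for op in operations}


def still_holds_everything(assigned_roles) -> bool:
    """True if the principal keeps every sampled permission."""
    return all(evaluate(assigned_roles).values())


if __name__ == "__main__":
    for label, roles in [
        ("Owner + NoAccessToCosmosDB", [OWNER, NO_ACCESS]),
        ("NoAccessToCosmosDB only", [NO_ACCESS]),
        ("Cosmos DB Account Reader Role only", [ACCOUNT_READER]),
    ]:
        print(label)
        for op, allowed in evaluate(roles).items():
            print(f"  {'ALLOW' if allowed else 'deny '}  {op}")
```

Run stand-alone, the script shows that a principal holding Owner plus NoAccessToCosmosDB keeps every sampled permission, that NoAccessToCosmosDB on its own grants nothing at all, and that the reader role grants read and readonlykeys but not write or listKeys. Two points follow for anyone applying the advice in this thread: a NotActions-only custom role cannot reduce what Owner already grants, so the Owner assignment itself has to be replaced by a narrower role at the relevant scope; and any role that still exposes a key-listing action (listKeys or readonlykeys) hands out account keys, which the data plane accepts without consulting Azure RBAC, so "no reads" also requires keeping those actions out of the assigned roles.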