cyb3rward0g / pwshazcosmosdb
A PowerShell module to manage documents on an Azure CosmosDB Database
License: MIT License
Currently, one could either pass the Azure CosmosDB Primary Key (Master Key) or use a managed identity when connecting to an Azure CosmosDB instance.
I would like to use the AzurePowerShellCredential Credential type.
```powershell
# Sign in with Azure PowerShell so AzurePowerShellCredential has a context to use
Clear-AzContext
Connect-AzAccount -Tenant XXXX
$params = @{
    "Endpoint"      = "https://<cosmos-account>.documents.azure.com:443/"
    "DatabaseName"  = "<database-name>"
    "ContainerName" = "<container-name>"
    "Verbose"       = $true
}
Connect-AzCosmosDB @params
$doc = Get-AzCosmosDBDocument -DocumentId "<Document-Id>" -PartitionKey "<PKValue>" -Verbose
```
I would like to use the AzureCliCredential Credential type:
```powershell
# Sign in with the Azure CLI so AzureCliCredential has a cached login to use
az account clear
az login --tenant XXXX
$params = @{
    "Endpoint"      = "https://<cosmos-account>.documents.azure.com:443/"
    "DatabaseName"  = "<database-name>"
    "ContainerName" = "<container-name>"
    "Verbose"       = $true
}
Connect-AzCosmosDB @params
$doc = Get-AzCosmosDBDocument -DocumentId "<Document-Id>" -PartitionKey "<PKValue>" -Verbose
```
I noticed that I should be able to do it with PwshAzCosmosDB (1.0.6). Even in the code, I have a condition where if MANAGED_IDENTITY_CLIENT_ID is not set, then it would default to use the DefaultAzureCredential class.
```csharp
// No client ID set: fall back to DefaultAzureCredential; otherwise use that managed identity
var managedIdentityClientId = Environment.GetEnvironmentVariable("MANAGED_IDENTITY_CLIENT_ID");
cosmosClient = new CosmosClient(Endpoint,
    managedIdentityClientId == null ? new DefaultAzureCredential() : new ManagedIdentityCredential(managedIdentityClientId));
```
DefaultAzureCredential documentation shows the TokenCredential authentication flow:
Environment -> Workload Identity -> Managed Identity -> Visual Studio -> VS Code -> Azure CLI -> Azure PowerShell -> ...
However, when I use any of the AzureCliCredential and AzurePowerShellCredential credential types before connecting to an Azure CosmosDB instance, I get the following:
```
Get-AzCosmosDBDocument: ManagedIdentityCredential authentication failed: Service request failed.
Status: 400 (Bad Request)
Content:
Headers:
Date: Wed, 30 Aug 2023 04:40:14 GMT
Server: Kestrel
Transfer-Encoding: chunked
X-CORRELATION-ID: REDACTED
Content-Type: application/json; charset=utf-8
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot
```
It looks like the TokenCredential authentication flow stops at Managed Identity:
Environment -> Workload Identity -> Managed Identity -> Visual Studio -> VS Code -> Azure CLI -> Azure PowerShell -> ...
I believe what we need to do is define a new TokenCredential chain and put the Managed Identity credential after the Azure CLI and Azure PowerShell. Something like this:
```csharp
var managedIdentityClientId = Environment.GetEnvironmentVariable("MANAGED_IDENTITY_CLIENT_ID");
if (string.IsNullOrEmpty(managedIdentityClientId))
{
    // https://learn.microsoft.com/en-us/dotnet/api/overview/azure/identity-readme?view=azure-dotnet&preserve-view=true#defaultazurecredential
    WriteVerbose("[+] Using ChainedTokenCredential: AzurePowerShellCredential -> AzureCliCredential -> ManagedIdentityCredential");
    cosmosClient = new CosmosClient(Endpoint, new ChainedTokenCredential(new AzurePowerShellCredential(), new AzureCliCredential(), new ManagedIdentityCredential()));
}
else
{
    // Use ManagedIdentityCredential with the provided client ID
    WriteVerbose($"[+] Using ManagedIdentityCredential with identity: {managedIdentityClientId}");
    cosmosClient = new CosmosClient(Endpoint, new ManagedIdentityCredential(managedIdentityClientId));
}
```
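Added example (not from the original issue or the project's code): ChainedTokenCredential, like DefaultAzureCredential, moves on to the next credential only when one throws CredentialUnavailableException; any other AuthenticationFailedException ends the chain, which is why the position of the managed identity credential matters. `FakeCredential`, `Outcome` and the scope string are constructed stand-ins, so the behaviour can be reproduced offline with only the Azure.Identity package referenced.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Constructed outcomes for the stand-in credentials below.
enum Outcome { Token, Unavailable, Failed }

// Hypothetical stand-in for a real credential; it never touches the network.
sealed class FakeCredential : TokenCredential
{
    private readonly string _name;
    private readonly Outcome _outcome;
    public FakeCredential(string name, Outcome outcome) { _name = name; _outcome = outcome; }

    public override AccessToken GetToken(TokenRequestContext ctx, CancellationToken ct) =>
        _outcome switch
        {
            Outcome.Token => new AccessToken($"token-from-{_name}", DateTimeOffset.UtcNow.AddMinutes(5)),
            Outcome.Unavailable => throw new CredentialUnavailableException($"{_name}: not available"),
            _ => throw new AuthenticationFailedException($"{_name}: Status: 400 (Bad Request)"),
        };

    public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext ctx, CancellationToken ct)
        => new ValueTask<AccessToken>(GetToken(ctx, ct));
}

static class Program
{
    // Runs one chain and reports which credential produced the token, or that the chain stopped.
    static string Try(string label, params TokenCredential[] chain)
    {
        var ctx = new TokenRequestContext(new[] { "https://example.invalid/.default" }); // placeholder scope
        try { return $"{label}: {new ChainedTokenCredential(chain).GetToken(ctx, default).Token}"; }
        catch (AuthenticationFailedException ex) { return $"{label}: chain stopped ({ex.GetType().Name})"; }
    }

    static void Main()
    {
        var managedIdentity = new FakeCredential("ManagedIdentity", Outcome.Failed);   // hard failure, as in the 400 above
        var azureCli = new FakeCredential("AzureCli", Outcome.Token);                  // user is signed in with az login
        var azurePwsh = new FakeCredential("AzurePowerShell", Outcome.Unavailable);    // no Az context present
        Console.WriteLine(Try("Managed identity first", managedIdentity, azureCli, azurePwsh));
        Console.WriteLine(Try("Managed identity last", azurePwsh, azureCli, managedIdentity));
    }
}
```

With the managed identity last, a workstation login is tried first, so on a host that has both a cached user login and a managed identity the cmdlets run as the signed-in user; setting MANAGED_IDENTITY_CLIENT_ID keeps the identity explicit.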
When we initialize a connection to an Azure CosmosDB instance, we use the SessionState.PSVariable to store and retrieve the AzCosmosDBContainer variable, which holds a reference to a Cosmos DB container.
The code currently does not allow you to overwrite it once it is set:
```csharp
// Check if the container is already stored in the session state
if (SessionState.PSVariable.Get("AzCosmosDBContainer") == null)
{
    // Store the container in session state for later cmdlets to access
    WriteVerbose("[+] Storing the container in session state...");
    SessionState.PSVariable.Set("AzCosmosDBContainer", container);
    WriteVerbose("[+] Successfully connected to the Azure Cosmos DB container.");
}
else
{
    WriteVerbose("[+] Container is already stored in session state.");
}
```
We need to create some type of -Force parameter to force it to overwrite the AzCosmosDBContainer variable in the PowerShell SessionState.PSVariable.