microsoft / vscode-cosmosdb

Azure Databases extension for VS Code
https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-cosmosdb
MIT License

Not connecting via AAD when Local Auth is disabled. #2205

Closed NonlinearMusings closed 5 months ago

NonlinearMusings commented 10 months ago

Disabling Local Auth throws "Error: Local Authorization is disabled. Use an AAD token to authorize all requests." error. As I've already authenticated to Azure in VS Code via AAD, I would expect those credentials to be sufficient for connecting to Cosmos too. Note that everything works as expected when Local Auth is enabled.

JasonYeMSFT commented 10 months ago

@NonlinearMusings Which Cosmos service are you using? Currently only PostgreSQL Flexible in the extension has AAD authentication support. For other types of Cosmos services, you still need to use access keys or passwords to authenticate.

NonlinearMusings commented 10 months ago

This is for the Cosmos SQL API. Do we have a roadmap for enabling AAD with this extension for the SQL API?

JasonYeMSFT commented 10 months ago

This will be something we prioritize for the next extension release. I am working on a proof of concept. Once I get a more concrete timeline I'll update it here.

ludwhe commented 7 months ago

Really into this being added as well, would really make my workflow much easier!

NonlinearMusings commented 5 months ago

@JasonYeMSFT - any updates on this?

arwinlashawn commented 4 months ago

Hi @JasonYeMSFT, seeing some promising progress with OAuth support changes merged already. Do we have an ETA on when AAD auth for Cosmos DB will be released for this extension?

JasonYeMSFT commented 4 months ago

I'll work on the release. Should be ready in a few days.

JasonYeMSFT commented 4 months ago

Out of curiosity, what roles do you use to authenticate with your Cosmos DB resources (e.g. Cosmos DB Account Reader or Cosmos DB Operator)? Even if the local auth is disabled, Cosmos DB Operators will still be able to list keys and will confuse my credential selection. Some users might need to manually override it in the setting.

arwinlashawn commented 4 months ago

@JasonYeMSFT Great news. Generally, for data-plane RBAC access on Cosmos DB, we would assign either of these two built-in roles to the AAD principal.

Example of assigning the role to an AAD principal

If only data-plane access permissions are needed, this is the way to go, as it aligns with the principle of least privilege (no access to the Portal, etc.).

Note: Have tested the above by accessing cosmos.azure.com/aad, authenticating with an AAD principal with Cosmos DB Built-in Data Reader role, and managing to view Cosmos DB data. Feel free to reach out to me directly on Teams if you need assistance on testing this.

JasonYeMSFT commented 4 months ago

I published the 0.22.0 vsix on GitHub. You may install it and try it. You might need to enable the Azure Databases > Use Cosmos OAuth setting to tell the extension to use your MS Entra ID in case you still have the permission to list database keys even though local auth has been disabled. I will publish the gallery release shortly after.
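The credential-selection problem raised two comments up (a principal holding a control-plane role such as Cosmos DB Operator can still call listKeys after local auth is disabled, so a successful listKeys does not mean the key will work) and the manual "Use Cosmos OAuth" override described here, as an added example. This is not code from vscode-cosmosdb; it models the decision in plain TypeScript with no Azure SDK so it runs offline. `disableLocalAuth` is the real ARM property (`properties.disableLocalAuth`) on a `Microsoft.DocumentDB/databaseAccounts` resource and the error string is the one quoted in the issue; the interfaces, function names, the boolean standing in for the extension setting and the fake data-plane call are assumptions made for this example.

```typescript
// Added example, not the extension's own code. Models how a client should pick
// between a key and an Entra ID (AAD) token for a Cosmos DB account when local
// auth may be disabled. Types and function names are assumptions.

interface AccountProbe {
  /** properties.disableLocalAuth from the ARM resource; undefined if the API version predates it */
  disableLocalAuth?: boolean;
  /** true if Microsoft.DocumentDB/databaseAccounts/listKeys/action succeeded for this principal */
  canListKeys: boolean;
}

type CredentialKind = "key" | "oauth";

interface CredentialChoice {
  kind: CredentialKind;
  reason: string;
}

/** Error text Cosmos DB returns for key auth on an account with local auth disabled (quoted in the issue). */
const LOCAL_AUTH_DISABLED = /Local Authorization is disabled/i;

function isLocalAuthDisabledError(message: string): boolean {
  return LOCAL_AUTH_DISABLED.test(message);
}

/**
 * Decide which credential to use before touching the data plane.
 * `useCosmosOAuth` stands in for the "Azure Databases: Use Cosmos OAuth" setting.
 */
function chooseCredential(account: AccountProbe, useCosmosOAuth: boolean): CredentialChoice {
  if (useCosmosOAuth) {
    return { kind: "oauth", reason: "setting forces Entra ID token" };
  }
  if (account.disableLocalAuth === true) {
    // listKeys may still succeed here (Operator role), but the key is useless for data-plane calls
    return { kind: "oauth", reason: "account has disableLocalAuth=true" };
  }
  if (account.canListKeys) {
    return { kind: "key", reason: "local auth enabled and principal can read keys" };
  }
  return { kind: "oauth", reason: "principal cannot read keys" };
}

/** A data-plane call; returns "ok" or throws with the service's error message. */
type DataPlaneCall = (cred: CredentialKind) => string;

/**
 * Try the chosen credential; if the service answers with the local-auth-disabled
 * error, retry once with an Entra ID token. Returns the credential that worked.
 * This covers the case where disableLocalAuth is unknown (old API version) but
 * listKeys succeeded, so the pre-check alone would wrongly pick the key.
 */
function connectWithFallback(
  account: AccountProbe,
  useCosmosOAuth: boolean,
  call: DataPlaneCall,
): CredentialChoice {
  const first = chooseCredential(account, useCosmosOAuth);
  try {
    call(first.kind);
    return first;
  } catch (e) {
    const msg = e instanceof Error ? e.message : String(e);
    if (first.kind === "key" && isLocalAuthDisabledError(msg)) {
      const retry: CredentialChoice = { kind: "oauth", reason: "key auth rejected: " + msg };
      call(retry.kind);
      return retry;
    }
    throw e;
  }
}

/** Constructed stand-in (no network) for an account with local auth disabled. */
function fakeAccountLocalAuthDisabled(): DataPlaneCall {
  return (cred) => {
    if (cred === "key") {
      throw new Error("Local Authorization is disabled. Use an AAD token to authorize all requests.");
    }
    return "ok";
  };
}
```

The point of `connectWithFallback` is that the control-plane signal (listKeys works) and the data-plane signal (the key is accepted) can disagree once `disableLocalAuth` is set; checking the ARM property first, and treating the quoted error as "switch to a token" rather than as a fatal failure, avoids needing the manual setting in most cases.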

arwinlashawn commented 4 months ago

Thanks a lot @JasonYeMSFT for promptly addressing this. Yes, I needed to enable the "Azure Databases: Use Cosmos OAuth" extension setting to make AAD auth work.

A slight note: After authenticating with my principal, it took quite a while (approx. 5 minutes) for the authentication to fully complete so I can view the underlying Cosmos DB data successfully. Not sure if this is by design. Will create a separate issue if I can reproduce this consistently.