You have an Azure Active Directory (Azure AD) tenant.
You plan to deploy Azure Cosmos DB databases that will use the SQL API.
You need to recommend a solution to provide specific Azure AD user accounts with read access to the Cosmos DB databases.
What should you include in the recommendation?
To provide specific Azure AD user accounts with read access to Azure Cosmos DB databases, you should use a combination of a resource token and an Access control (IAM) role assignment. Azure Cosmos DB offers resource tokens to provide fine-grained access control, allowing users to access specific data without being exposed to master keys. By assigning appropriate roles through Azure RBAC (Role-Based Access Control), you can manage and restrict the user's access permissions effectively. This solution leverages Azure AD for identity and access management, ensuring secure and controlled access to the Cosmos DB resources.
D. a resource token and an Access control (IAM) role assignment. Azure Cosmos DB's SQL API provides two types of authorization: master key token and resource token. Master key tokens provide access to the all data and all permissions. Resource tokens provide access to specific containers and permissions, and you can create these tokens with an Azure AD user's identity. To provide Azure AD users with access to the Azure Cosmos DB, you would assign them a specific IAM role. Azure Cosmos DB uses Azure role-based access control (Azure RBAC) for providing specific access. Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of resources in Azure. The combination of a resource token and an IAM role assignment would provide the necessary access control for the Azure AD user accounts to have read access to the Cosmos DB databases.
D. a resource token and an Access control (IAM) role assignment - correct.
appeared on 11th Oct 2022
appeared in Exam 01/2024
D is the answer. https://learn.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data?tabs=using-primary-key#resource-tokens You can use a resource token (by creating Azure Cosmos DB users and permissions) when you want to provide access to resources in your Azure Cosmos DB account to a client that cannot be trusted with the primary key. Azure Cosmos DB resource tokens provide a safe alternative that enables clients to read, write, and delete resources in your Azure Cosmos DB account according to the permissions you've granted, and without need for either a primary or read only key.
D IAM and Resource Token
D. a resource token and an Access control (IAM) role assignment
The Access control (IAM) pane in the Azure portal is used to configure role-based access control on Azure Cosmos resources.
Yes D is the one
Given Answer D is correct
D is correct