Cosmos has four ways to authenticate (master key, resource token, AAD RBAC, Managed Identity) and three layers to lock down (network, identity, encryption). The right combo for production — Managed Identity + RBAC for app code, private endpoint for network isolation, customer-managed keys if your compliance demands it. Master keys belong only in dev or break-glass.
- ▸Master keys are full admin. Treat them like database root passwords. Avoid in app code.
- ▸Resource tokens are scoped, time-limited tokens. Good for client-side scenarios (mobile apps reading their own user data).
- ▸AAD RBAC is the modern answer. Built-in roles (Reader, Contributor, Operator) or custom roles with fine-grained data-plane actions.
- ▸Private endpoints pull Cosmos onto your VNet. Combined with disabling public network access, only your VMs can reach the account.
- ▸CMK encryption brings your own key from Key Vault for compliance scenarios. Adds operational overhead — you must keep the key reachable forever or your data is unrecoverable.
Security in Cosmos is a stack — network layer, identity layer, encryption layer. Each is independent; each has a “good default” and a “compliant default.” Most teams need the good default; regulated industries need the compliant one.
The four authentication methods
Master keys (avoid)
Two per account — primary and secondary. They’re full admin — read, write, change throughput, change index policy, delete the account. The connection-string story almost everyone starts with.
When to use — local dev, break-glass admin scripts, brand-new accounts before you’ve set up RBAC. Never in shipped app code.
Resource tokens (legacy, niche)
Server-side, you call users/permissions and generate a short-lived (1 hr default) token scoped to one user, one container or partition. The client uses that token to talk directly to Cosmos.
When to use — a mobile/client-side app that reads only the current user’s data, where you don’t want every read going through your API. Modern apps usually skip this and proxy through their API anyway.
AAD RBAC (modern, default)
Standard Azure RBAC against the Cosmos data plane. Built-in roles:
- Cosmos DB Built-in Data Reader — point reads, queries
- Cosmos DB Built-in Data Contributor — reads + writes + sproc execution
- Cosmos DB Operator — control plane (create containers, change throughput) but no data access
For finer control — define a custom role with specific data actions (Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read, etc.) and assign at the account, database, or container scope.
Combine with Managed Identity — your VM/Function/App Service has an AAD identity, the SDK uses DefaultAzureCredential, no secrets in config.
var client = new CosmosClient(
accountEndpoint: "https://my-account.documents.azure.com",
tokenCredential: new DefaultAzureCredential());This is the recommended pattern for everything new.
Disable local auth
Account-level switch. Once on, master keys stop working — every authentication goes through AAD. Couple this with audit logs (Diagnostic Settings → AuditEvents) and you have a verifiable “no key auth allowed” guarantee.
Network isolation
Three layers, each independently toggle-able.
Default — public, with optional firewall. Cosmos exposes a public DNS endpoint. You can restrict access via IP allow-list (configurable in the portal). Fine for most production; not for regulated workloads.
Service endpoints. Allow specific Azure subnets to reach Cosmos through Microsoft’s backbone, without going over the public internet. Cheap, easy. The Cosmos endpoint still resolves publicly though, so it’s not full isolation.
Private endpoints. Pull Cosmos onto your VNet at a private IP. Combined with “Public network access — disabled,” only resources on the VNet (or peered VNets) can reach the account at all. The DNS resolves to the private IP from inside the VNet. The gold standard for compliance.
Encryption
At rest — always on, AES-256, Microsoft-managed keys. Free, automatic, nothing to configure.
In transit — TLS 1.2 minimum, enforced.
Customer-managed keys (CMK) — you supply the encryption key from Key Vault. Cosmos uses it to encrypt your account’s master key, which encrypts your data keys. Lets you rotate, audit, or revoke at the Key Vault level.
The catch — if Key Vault is unavailable or the key is deleted, Cosmos cannot decrypt your data. There’s no recovery. Lock down Key Vault access carefully (soft-delete + purge protection on the key) and have a documented rotation runbook.
Always Encrypted (client-side) — for sensitive fields (PII, PHI), encrypt on the client before writing, store ciphertext in Cosmos. The Cosmos SDK has a built-in feature that handles key wrapping with Key Vault. Cosmos never sees the plaintext, even if compromised.
A sensible production setup
For a typical app:
- Identity — Managed Identity + AAD RBAC (Data Contributor role on the specific container).
- Network — Private endpoint, public access disabled.
- At rest — Default Microsoft-managed key (CMK only if compliance requires it).
- Local auth — Disabled.
- Audit logs — Diagnostic Settings → Log Analytics, retain for 90 days.
- Master keys — Stored in Key Vault, rotated quarterly, used only by break-glass scripts.
That’s the baseline. Anything stronger is workload-specific.
Q1. Resource tokens vs RBAC — which one do I use? ▾
RBAC for any first-party service-to-service auth (recommended). Resource tokens for scenarios where you can't avoid putting credentials on an end-user device — a mobile app reading its own user's data without going through your API. Tokens are signed by your backend, scoped to one user, and expire.
Q2. Can I disable the master key entirely? ▾
Yes — there's an account-level switch, "Disable local authentication." Once on, only AAD-based auth works. This is the gold-standard hardening for production accounts. Combine with audit logging to prove no one's authenticating with keys.
Q3. What does CMK actually encrypt? ▾
All data at rest — documents, indexes, backups, the lot. Cosmos already encrypts everything with Microsoft-managed keys; CMK lets you supply your own from Key Vault. The trade-off — if Cosmos ever loses access to your key (you delete it, or revoke its permission), all data becomes unreadable. Forever. Test your key-rotation flow carefully.
Comments 0
Discuss this page. Markdown supported. Be kind.