Hi @Siegfried Heintze, thank you for your query.

I want to make sure I understand completely, but your end goal is to store the connection string in the key vault, and you need to grant your service principal access to your cosmos db.

Your prior question was about how to write a bicep script to grant your App Service's web app system service principal access to your cosmos db partitions. Please let me know if my understanding is not correct.

(1) Please also confirm which cosmos db API you are using (this is for the SQL API). You can also find examples for other APIs in this [Documentation][1].

(2) In my understanding, for question 2 the ask is how you would connect the bicep script to your cosmos db. Please let me know if that is not the ask.

There are many ways to deploy Azure Bicep files, including [Azure CLI][3], Azure PowerShell and Cloud Shell.

It's advisable to store connection strings in key vault, but it's not necessary. It is, however, best to grant access to cosmos, or any other service for that matter, via a service principal.
```bicep
@description('Application Name')
@maxLength(30)
param applicationName string = 'todo-app-${uniqueString(resourceGroup().id)}'

@description('Location for all resources.')
param location string = resourceGroup().location

@allowed([
  'F1'
  'D1'
  'B1'
  'B2'
  'B3'
  'S1'
  'S2'
  'S3'
  'P1'
  'P2'
  'P3'
  'P4'
])
@description('App Service Plan\'s pricing tier. Details at https://azure.microsoft.com/en-us/pricing/details/app-service/')
param appServicePlanTier string = 'F1'

@minValue(1)
@maxValue(3)
@description('App Service Plan\'s instance count')
param appServicePlanInstances int = 1

@description('The URL for the GitHub repository that contains the project to deploy.')
param repositoryUrl string = 'https://github.com/Azure-Samples/cosmos-dotnet-core-todo-app.git'

@description('The branch of the GitHub repository to use.')
param branch string = 'main'

@description('The Cosmos DB database name.')
param databaseName string = 'Tasks'

@description('The Cosmos DB container name.')
param containerName string = 'Items'

// Cosmos DB account names must be lowercase.
var cosmosAccountName = toLower(applicationName)
var websiteName = applicationName
var hostingPlanName = applicationName
// Key Vault names are limited to 3-24 characters and must start with a letter;
// the default 'todo-app-<13 chars>' fits, but a custom applicationName up to 30 chars will not.
var keyvaultName = applicationName

// Use built-in roles https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#azure-built-in-roles-for-key-vault-data-plane-operations
// Key Vault Secrets User: read secret values only (no set/delete), which is all the web app needs.
var keyVaultSecretsUserRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')

resource cosmosAccount 'Microsoft.DocumentDB/databaseAccounts@2021-04-15' = {
  name: cosmosAccountName
  kind: 'GlobalDocumentDB'
  location: location
  properties: {
    consistencyPolicy: {
      defaultConsistencyLevel: 'Session'
    }
    locations: [
      {
        locationName: location
        failoverPriority: 0
        isZoneRedundant: false
      }
    ]
    databaseAccountOfferType: 'Standard'
  }
}

resource kv 'Microsoft.KeyVault/vaults@2019-09-01' = {
  // Make sure the Key Vault name begins with a letter.
  name: keyvaultName
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: subscription().tenantId
    // Data-plane access is governed by Azure RBAC (the role assignment below), not legacy access policies.
    enableRbacAuthorization: true
    enabledForDeployment: false
    // Not needed for this scenario; can be set to false.
    enabledForDiskEncryption: true
    enabledForTemplateDeployment: false
  }

  // Nested child resources inherit the parent's type and API version.
  resource cosmosDbAccountSecret 'secrets' = {
    name: 'CosmosDbAccount'
    properties: {
      value: cosmosAccount.properties.documentEndpoint
    }
  }

  // The primary master key grants full data-plane access to the account. It is written only to
  // Key Vault; the web app never sees it in plain text in its own configuration.
  resource cosmosDbKeySecret 'secrets' = {
    name: 'CosmosDbKey'
    properties: {
      value: cosmosAccount.listKeys().primaryMasterKey
    }
  }
}

resource hostingPlan 'Microsoft.Web/serverfarms@2020-06-01' = {
  name: hostingPlanName
  location: location
  sku: {
    name: appServicePlanTier
    capacity: appServicePlanInstances
  }
}

resource website 'Microsoft.Web/sites@2020-06-01' = {
  name: websiteName
  location: location
  // System-assigned managed identity: the service principal that will read the secrets.
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    serverFarmId: hostingPlan.id
    siteConfig: {
      appSettings: [
        // Key Vault references are resolved by App Service at runtime using the site's managed identity,
        // so they only work once the role assignment below exists.
        {
          name: 'CosmosDb:Account'
          value: '@Microsoft.KeyVault(VaultName=${kv.name};SecretName=${kv::cosmosDbAccountSecret.name})'
        }
        {
          name: 'CosmosDb:Key'
          value: '@Microsoft.KeyVault(VaultName=${kv.name};SecretName=${kv::cosmosDbKeySecret.name})'
        }
        {
          name: 'CosmosDb:DatabaseName'
          value: databaseName
        }
        {
          name: 'CosmosDb:ContainerName'
          value: containerName
        }
      ]
    }
  }
}

// Grant the web app's managed identity read access to secrets in this vault only (scope: kv).
resource kvWebsitePermissions 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  // Deterministic name so the assignment is idempotent across redeployments.
  name: guid(kv.id, website.name, keyVaultSecretsUserRole)
  scope: kv
  properties: {
    principalId: website.identity.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: keyVaultSecretsUserRole
  }
}

resource srcControls 'Microsoft.Web/sites/sourcecontrols@2020-06-01' = {
  parent: website
  name: 'web'
  properties: {
    repoUrl: repositoryUrl
    branch: branch
    isManualIntegration: true
  }
}
```
Please feel free to reach out if you have any further queries or any doubts regarding the above questions.

Regards,
Oury

[1]: https://learn.microsoft.com/en-us/azure/cosmos-db/sql/manage-with-bicep
[3]: https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deploy-cli
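The prior question, granting the web app's system-assigned identity access to Cosmos DB itself, can be answered without ever handing the app the primary master key: Azure Cosmos DB has its own data-plane RBAC with built-in roles, and a Bicep `sqlRoleAssignments` resource binds one of them to a principal. The block below is an added example and is not part of the answer above or of any Microsoft sample. It assumes the `cosmosAccount`, `website`, `databaseName` and `containerName` declarations from the template above and declares the SQL database itself (named `database` here, an assumption) so the assignment can be scoped to it rather than to the whole account.

```bicep
// Added example (not from the answer above): give the web app's system-assigned managed
// identity data-plane access to Cosmos DB through Cosmos DB RBAC, so the app can authenticate
// with a token credential instead of the account key.
// Assumes 'cosmosAccount', 'website', 'databaseName' and 'containerName' from the template above.

resource database 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases@2021-04-15' = {
  parent: cosmosAccount
  name: databaseName
  properties: {
    resource: {
      id: databaseName
    }
  }
}

// Built-in Cosmos DB data-plane roles (fixed IDs, scoped under the account):
//   ...-000000000001  Cosmos DB Built-in Data Reader      (read items only)
//   ...-000000000002  Cosmos DB Built-in Data Contributor (read and write items)
// Neither grants key, account or control-plane rights.
var cosmosDataContributorRoleId = '00000000-0000-0000-0000-000000000002'
var cosmosDataContributorRoleDefinitionId = '${cosmosAccount.id}/sqlRoleDefinitions/${cosmosDataContributorRoleId}'

// Data-plane scopes use the /dbs/<database>/colls/<container> path form, not the ARM resource id
// of the sqlDatabases resource. Use cosmosAccount.id for the whole account, or append
// '/colls/${containerName}' to restrict the grant to a single container.
var cosmosDatabaseScope = '${cosmosAccount.id}/dbs/${databaseName}'

resource cosmosWebsiteDataAccess 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2021-04-15' = {
  parent: cosmosAccount
  // The assignment name must be a GUID; a deterministic one keeps redeployments idempotent.
  name: guid(cosmosAccount.id, website.id, cosmosDataContributorRoleId)
  properties: {
    roleDefinitionId: cosmosDataContributorRoleDefinitionId
    principalId: website.identity.principalId
    scope: cosmosDatabaseScope
  }
  // The scope is a string, so the database dependency is not inferred automatically.
  dependsOn: [
    database
  ]
}
```

With this assignment in place the `CosmosDb:Key` secret and app setting can be dropped entirely, which removes a credential that would otherwise grant full access to the account. The application must then construct its Cosmos DB client with a token credential (for example `DefaultAzureCredential` in the Azure SDKs, which picks up the App Service managed identity) rather than with the key, so the sample app wired up by the template above needs that code change before it benefits.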