Rock-1931 asked Rock-1931 commented

Can we use an Azure Key Vault secret for creating a credential that will access Cosmos DB analytical storage?

In the MS documentation it is suggested that, in order to access Cosmos DB analytical storage, you need to define a credential containing a read-only Cosmos DB account key. Link: https://docs.microsoft.com/en-us/azure/synapse-analytics/sql/tutorial-logical-data-warehouse

SQL

CREATE DATABASE SCOPED CREDENTIAL MyCosmosDbAccountCredential
WITH IDENTITY = 'SHARED ACCESS SIGNATURE',
SECRET = 's5zarR2pT0JWH9k8roipnWxUYBegOuFGjJpSjGlR36y86cW0GQ6RaaG8kGjsRAQoWMw1QKTkkX8HQ

Can we use an Azure Key Vault instead of providing the read-only key manually?

azure-synapse-analytics, azure-cosmos-db, azure-ad-verifiable-credentials

Hello @Rock-1931,
Thanks for the ask and for using the Microsoft Q&A platform.
As we understand it, the ask here is to use Azure Key Vault to fetch the secrets. Please do let me know if that is not accurate.
Unfortunately, at this time this is not supported in Synapse. May I request you to please log the same here.

https://feedback.azure.com/d365community/idea/dfa04c64-0b25-ec11-b6e6-000d3a4f07b8

The product group does monitor the requests and they can plan for the implementation in the future. Once you log the feature request you will also be notified on the status of the request. We expect you to keep using this forum and motivate others to do the same. You can always help other community members by answering their queries.

Please do let me know if you have any queries.
Thanks
Himanshu







1 Vote 1 ·

Thanks for your reply @HimanshuSinha-MSFT
You are correct, I want to use the secret from the Key Vault instead of providing the key manually while creating the credential but unfortunately, I am not able to use the Key Vault. Looks like this is a product limitation.


Another question: as our goal is to use only the analytical container for data fetching, if we share the read-only key with another team, how can we control whether they are hitting only the analytical layer of the V2 Cosmos DB container and not the transactional layer?
1. In Synapse (for example while creating pipelines, or fetching from Cosmos DB without using openrowset())
2. If they try to access Cosmos DB through other options (not Synapse, any traditional way of data fetching)

Or correct me if I am wrong, does this mean that when we have enabled a Cosmos DB analytical container, any data fetching will be done on the analytical layer only and not hit the actual transactional layer?

Your help is appreciated!!





0 Votes 0 ·

Hello @Rock-1931,

Sorry for the delay on my side for the reply.
I am not an expert in Cosmos DB, and it will be great if you can open a thread and add the correct tags; a Cosmos DB expert will respond to your query.

Please do let me know if you have any queries.
Thanks
Himanshu

0 Votes 0 ·

Thanks @HimanshuSinha-MSFT, I will create another thread for this question.

0 Votes 0 ·

0 Answers
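
Since the reply above states that Synapse cannot reference Key Vault in the credential definition, one workaround is to read the key from Key Vault at deployment time and generate the statement from the question, so the key is never pasted by hand. This is an added example, not code from the thread or from Microsoft; `KEY_VAULT_NAME`, `SECRET_NAME` and `CREDENTIAL_NAME` are assumed placeholders, and a logged-in Azure CLI is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): generate the CREATE DATABASE SCOPED
# CREDENTIAL statement from a key stored in Azure Key Vault at deploy time.
# KEY_VAULT_NAME, SECRET_NAME and CREDENTIAL_NAME are assumed placeholders.
set -eu

# Read the read-only Cosmos DB key from Key Vault (needs a logged-in Azure CLI).
fetch_secret() {
  az keyvault secret show \
    --vault-name "${KEY_VAULT_NAME:?set KEY_VAULT_NAME}" \
    --name "${SECRET_NAME:?set SECRET_NAME}" \
    --query value --output tsv
}

# Print the T-SQL for credential $1 holding secret $2.
# Runs in a subshell so the secret does not linger in a shell variable.
build_credential_sql() (
  cred_name=$1
  secret=$2
  # The credential name is spliced in as an identifier: letters, digits, _ only.
  case $cred_name in
    '' | *[!A-Za-z0-9_]*) echo "invalid credential name" >&2; exit 1 ;;
  esac
  # An empty secret means the Key Vault lookup failed; stop before emitting SQL.
  [ -n "$secret" ] || { echo "empty secret" >&2; exit 1; }
  # Double any single quote so the value cannot close the string literal early.
  escaped=$(printf '%s' "$secret" | sed "s/'/''/g")
  printf "CREATE DATABASE SCOPED CREDENTIAL %s\n" "$cred_name"
  printf "WITH IDENTITY = 'SHARED ACCESS SIGNATURE',\n"
  printf "SECRET = '%s';\n" "$escaped"
)

# Emit the statement only when asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--emit" ]; then
  build_credential_sql "${CREDENTIAL_NAME:-MyCosmosDbAccountCredential}" "$(fetch_secret)"
fi
```

Run it with `--emit` and pipe the output to the SQL client connected to the serverless SQL pool database. The credential stores a copy of the key, so it has to be updated again after the key is rotated in Key Vault.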