Protect Azure Cosmos DB resources with locks

  • Article

APPLIES TO: NoSQL MongoDB Cassandra Gremlin Table

As an administrator, you may need to lock an Azure Cosmos DB account, database or container. Locks prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly.

Level Description
CanNotDelete Authorized users can still read and modify a resource, but they can't delete the resource.
ReadOnly Authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

Prerequisites

How locks are applied

When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the lock from the parent. The most restrictive lock in the inheritance takes precedence.

Unlike Azure role-based access control, you use management locks to apply a restriction across all users and roles. To learn about role-based access control for Azure Cosmos DB see, Azure role-based access control in Azure Cosmos DB.

Resource Manager locks apply only to operations that happen in the management plane, which consists of operations sent to https://management.chinacloudapi.cn. The locks don't restrict how resources perform their own functions. Resource changes are restricted, but resource operations aren't restricted. For example, a ReadOnly lock on an Azure Cosmos DB container prevents you from deleting or modifying the container. It doesn't prevent you from creating, updating, or deleting data in the container. Data transactions are permitted because those operations aren't sent to https://management.chinacloudapi.cn.

Manage locks

Resource locks don't work for changes made by users accessing Azure Cosmos DB using account keys unless the Azure Cosmos DB account is first locked by enabling the disableKeyBasedMetadataWriteAccess property. Ensure this property doesn't break existing applications that make changes to resources using any SDK, Azure portal, or third party tools. Enabling this property breaks applications that connect via account keys to modify resources. These modifications can include changing throughput, updating index policies, etc. To learn more and to go through a checklist to ensure your applications continue to function, see preventing changes from the Azure Cosmos DB SDKs

$RESOURCE_GROUP_NAME = "<resource-group>"
$ACCOUNT_NAME = "<account-name>"
$LOCK_NAME = "$ACCOUNT_NAME-lock"

First, update the account to prevent changes by anything that connects via account keys.

$parameters = @{
    Name = $ACCOUNT_NAME
    ResourceGroupName = $RESOURCE_GROUP_NAME
    DisableKeyBasedMetadataWriteAccess = true
}
Update-AzCosmosDBAccount @parameters

Create a Delete Lock on an Azure Cosmos DB account resource and all child resources.

$parameters = @{
    ResourceGroupName = $RESOURCE_GROUP_NAME
    ResourceName = $ACCOUNT_NAME
    LockName = $LOCK_NAME
    ApiVersion = "2020-04-01"
    ResourceType = "Microsoft.DocumentDB/databaseAccounts"
    LockLevel = "CanNotDelete"
}
New-AzResourceLock @parameters

Template

When applying a lock to an Azure Cosmos DB resource, use the Microsoft.Authorization/locks Azure Resource Manager (ARM) resource.

{
  "type": "Microsoft.Authorization/locks",
  "apiVersion": "2017-04-01",
  "name": "cosmoslock",
  "dependsOn": [
    "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('accountName'))]"
  ],
  "properties": {
    "level": "CanNotDelete",
    "notes": "Do not delete Azure Cosmos DB account."
  },
  "scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('accountName'))]"
}

Samples

Manage resource locks for Azure Cosmos DB:

Next steps

Overview of Azure Resource Manager Locks