Protect Azure Cosmos DB resources with locks
APPLIES TO:
NoSQL
MongoDB
Cassandra
Gremlin
Table
As an administrator, you may need to lock an Azure Cosmos DB account, database or container. Locks prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly.
| Level | Description |
|---|---|
CanNotDelete |
Authorized users can still read and modify a resource, but they can't delete the resource. |
ReadOnly |
Authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role. |
Prerequisites
- An existing Azure Cosmos DB account.
- If you have an Azure subscription, create a new account.
- If you don't have an Azure subscription, create a trial subscription before you begin.
How locks are applied
When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the lock from the parent. The most restrictive lock in the inheritance takes precedence.
Unlike Azure role-based access control, you use management locks to apply a restriction across all users and roles.
Resource Manager locks apply only to operations that happen in the management plane, which consists of operations sent to https://management.chinacloudapi.cn. The locks don't restrict how resources perform their own functions. Resource changes are restricted, but resource operations aren't restricted. For example, a ReadOnly lock on an Azure Cosmos DB container prevents you from deleting or modifying the container. It doesn't prevent you from creating, updating, or deleting data in the container. Data transactions are permitted because those operations aren't sent to https://management.chinacloudapi.cn.
Manage locks
Resource locks don't work for changes made by users accessing Azure Cosmos DB using account keys unless the Azure Cosmos DB account is first locked by enabling the disableKeyBasedMetadataWriteAccess property. Ensure this property doesn't break existing applications that make changes to resources using any SDK, Azure portal, or third party tools. Enabling this property breaks applications that connect via account keys to modify resources. These modifications can include changing throughput, updating index policies, etc.
$RESOURCE_GROUP_NAME = "<resource-group>"
$ACCOUNT_NAME = "<account-name>"
$LOCK_NAME = "$ACCOUNT_NAME-lock"
First, update the account to prevent changes by anything that connects via account keys.
$parameters = @{
Name = $ACCOUNT_NAME
ResourceGroupName = $RESOURCE_GROUP_NAME
DisableKeyBasedMetadataWriteAccess = true
}
Update-AzCosmosDBAccount @parameters
Create a Delete Lock on an Azure Cosmos DB account resource and all child resources.
$parameters = @{
ResourceGroupName = $RESOURCE_GROUP_NAME
ResourceName = $ACCOUNT_NAME
LockName = $LOCK_NAME
ApiVersion = "2020-04-01"
ResourceType = "Microsoft.DocumentDB/databaseAccounts"
LockLevel = "CanNotDelete"
}
New-AzResourceLock @parameters
Template
When applying a lock to an Azure Cosmos DB resource, use the Microsoft.Authorization/locks Azure Resource Manager (ARM) resource.
{
"type": "Microsoft.Authorization/locks",
"apiVersion": "2017-04-01",
"name": "cosmoslock",
"dependsOn": [
"[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('accountName'))]"
],
"properties": {
"level": "CanNotDelete",
"notes": "Do not delete Azure Cosmos DB account."
},
"scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('accountName'))]"
}
Samples
Manage resource locks for Azure Cosmos DB:
- API for Cassandra keyspace and table Azure CLI | Azure PowerShell
- API for Gremlin database and graph Azure CLI | Azure PowerShell
- API for MongoDB database and collection Azure CLI| Azure PowerShell
- API for NoSQL database and container Azure CLI | Azure PowerShell
- API for Table table Azure CLI | Azure PowerShell