Resource Tokens

Introduction

Usually, we interact with Cosmos DB from trustworthy services. We use primary/secondary keys or RBAC for more specific authorization policies.

However, there might be cases where we want to grant access to our databases to third parties, browsers, mobile apps, CLIs, and more. In these scenarios, we can’t use the access keys because we can’t be sure the keys are stored and secured correctly. Nor can we use RBAC, because those services are not part of our Azure infrastructure.

To solve this problem, Cosmos DB supports resource tokens. These tokens can grant:

• Full access to a resource

• Read access to a resource

Resources can be:

• A specific container

• A specific partition key

• A specific document

As we can see, we have the highest degree of control over database access with resource tokens.

Remember: As another layer of security, tokens have an expiration time and need to be regenerated.

Token generation

To generate a token, we need a CosmosClient authorized with an access key. For this reason, we need to create an API the aforementioned untrusted resources can call to get a token.