In the previous post, we created an ASP.NET web app that pulls data from Azure Cosmos DB for NoSQL without using a password. In this post, we will deploy that app to Azure App Service and continue to pull data from Azure Cosmos DB for NoSQL without a password.
In this post, Azure App Service will pull data from Azure Cosmos DB for NoSQL using read-only access granted to the App Service's managed identity. Make sure to have the Azure Cosmos DB for NoSQL's read-only URI available for this part.
Create an Azure App Service
First, we want to create an Azure App Service to host our application. We will use the Azure CLI to create this app service, populate the COSMOS_URI environment variable, and assign a managed identity to the app service.
We will need the following variables:
- name for the web app
- region for your app
Since you will be using the web app name a bit, store it in a variable named $appName.
Use the following Azure CLI command to create the App Service for our .NET application:
az webapp up --name $appName --resource-group $resourceGroupName --sku FREE --runtime "dotnet:6" --location YOUR_LOCATION
Note: If you are uncertain which regions are available, you can get the list via the following command:
az account list-locations --output table
Add the COSMOS_URI environment variable
We can add the COSMOS_URI environment variable to the App Service's configuration. You need the following details:
- app name
- Azure Cosmos DB for NoSQL read-only URI
Add the COSMOS_URI environment variable to the App Service with the following Azure CLI command (it reads the read-only URI from the COSMOS_URI environment variable of your PowerShell session):
az webapp config appsettings set --name $appName --resource-group $resourceGroupName --settings COSMOS_URI=$env:COSMOS_URI
Enable a system-assigned managed identity on the App Service
Now that we have an App Service with a COSMOS_URI, we need to grant it read-only access to our Azure Cosmos DB for NoSQL database. Before we can grant access, we need to enable the system-assigned managed identity on the Azure App Service. We can do that with this command:
az webapp identity assign --name $appName --resource-group $resourceGroupName
You will need the objectId that comes back in the response. Store this value in a variable named $managedIdentityObjectId.
Grant the managed identity read-only access to Azure Cosmos DB
Once the managed identity object ID is gathered, you can assign it read-only access to Azure Cosmos DB using the custom role created earlier. Use the following command:
az cosmosdb sql role assignment create --account-name $accountName --resource-group $resourceGroupName --scope "/" --principal-id $managedIdentityObjectId --role-definition-id $readOnlyRoleDefinitionId
Note: If you don't have the $readOnlyRoleDefinitionId set, you can get it by running:
az cosmosdb sql role definition list --account-name $accountName --resource-group $resourceGroupName
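The identity and role-grant steps above, tied together as one PowerShell script with a check at the end that the identity ended up with the read-only role and nothing else. This is an added example, not code from the original post; it assumes $appName, $resourceGroupName and $accountName are already set as described above, and that the custom read-only role from the earlier post is named as in $readOnlyRoleName (an assumed name, substitute your own).

```powershell
# Added example: enable the App Service's system-assigned identity, grant it the
# custom read-only Cosmos DB data-plane role, then verify the resulting assignments.
# Assumes $appName, $resourceGroupName and $accountName are set (see the post).
$ErrorActionPreference = 'Stop'
$readOnlyRoleName = 'ReadOnlyRole'   # assumed name of the custom read-only role

# 1. Enable the system-assigned identity and capture its principal (object) ID.
$managedIdentityObjectId = az webapp identity assign `
    --name $appName --resource-group $resourceGroupName `
    --query principalId -o tsv
if (-not $managedIdentityObjectId) { throw "No principalId returned for $appName" }

# 2. Resolve the read-only role definition ID by name instead of pasting its GUID.
$readOnlyRoleDefinitionId = az cosmosdb sql role definition list `
    --account-name $accountName --resource-group $resourceGroupName `
    --query "[?roleName=='$readOnlyRoleName'].id | [0]" -o tsv
if (-not $readOnlyRoleDefinitionId) { throw "Role '$readOnlyRoleName' not found on $accountName" }
$readOnlyRoleGuid = $readOnlyRoleDefinitionId.Split('/')[-1]

# 3. Grant the identity that role at the account scope ("/"), as in the post.
az cosmosdb sql role assignment create `
    --account-name $accountName --resource-group $resourceGroupName `
    --scope "/" --principal-id $managedIdentityObjectId `
    --role-definition-id $readOnlyRoleDefinitionId | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Role assignment failed (exit code $LASTEXITCODE)" }

# 4. Verify: list every data-plane assignment held by this principal and fail if any
#    of them uses a role other than the read-only one (e.g. a leftover read-write grant).
$assignments = az cosmosdb sql role assignment list `
    --account-name $accountName --resource-group $resourceGroupName `
    --query "[?principalId=='$managedIdentityObjectId'].{role:roleDefinitionId, scope:scope}" `
    | ConvertFrom-Json
if (-not $assignments) { throw "No data-plane role assignment found for $appName" }
$unexpected = @($assignments | Where-Object { $_.role -notlike "*/$readOnlyRoleGuid" })
if ($unexpected.Count -gt 0) {
    $unexpected | Format-Table -AutoSize | Out-String | Write-Warning
    throw "$appName holds $($unexpected.Count) assignment(s) beyond the read-only role"
}
Write-Host "OK: $appName has only '$readOnlyRoleName' at scope(s): $($assignments.scope -join ', ')"
```

The final check is worth re-running after any later role change, since a read-write assignment added to the same identity would silently widen what the web app can do.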
Restart the App Service
The web app may not pick up the new setting and identity automatically. You can restart the web app with the following command:
az webapp restart --name $appName --resource-group $resourceGroupName
Browse the app
Navigate to your web app and confirm that it is pulling the data from Azure Cosmos DB for NoSQL.
In this blog series, you:
- Created custom read-only and read-write roles to use with Azure Cosmos DB RBAC on the data plane
- Created a .NET Console application to populate an Azure Cosmos DB for NoSQL database with holiday data
- Created an ASP.NET web application to display the data from Azure Cosmos DB for NoSQL
- Deployed the code to an Azure App Service, which pulled the data using read-only access to Azure Cosmos DB for NoSQL