Get the passwordless Web application running in Azure

In the previous post, we created an ASP.NET web app that pulls data from Azure Cosmos DB for NoSQL without using a password. In this post, we will deploy that app to Azure App Service and continue to pull data from Azure Cosmos DB for NoSQL without a password.

Note: This series is a part of the Festive Tech Calendar, C# Advent Calendar, and .NET Advent Calendar. Be sure to check them out!

In this post, Azure App Service will pull data from Azure Cosmos DB for NoSQL using read-only access granted to the App Service’s managed identity. Make sure to have the Azure Cosmos DB for NoSQL read-only URI available for this part.

Create an Azure App Service

First, we want to create an Azure App Service to host our application. We will use the Azure CLI to create this app service, populate the COSMOS_URI environment variable, and assign a managed identity to the app service.

We will need the following variables:

  • $resourceGroupName
  • name for the web app
  • region for your app

Since you will be using the web app name a bit, store it in a variable named $appName.

$appName="holiday-creatures-app"

Use the following Azure CLI command to create the App Service for our .NET application:

az webapp up --name $appName --resource-group $resourceGroupName --sku FREE --runtime "dotnet:6" --location YOUR_LOCATION

Note: If you are uncertain which regions are available, you can get the list via the following command:

az account list-locations --output table

Add the COSMOS_URI environment variable

We can add the COSMOS_URI environment variable to the App Service’s configuration. You need the following details:

  • $resourceGroupName
  • app name
  • Azure Cosmos DB for NoSQL read-only URI

Add the COSMOS_URI environment variable to the App Service with the following Azure CLI command:

az webapp config appsettings set --name $appName --resource-group $resourceGroupName --settings COSMOS_URI=$env:COSMOS_URI

Enable a system-assigned managed identity on the App Service

Now that we have an App Service with a COSMOS_URI, we need to grant it read-only access to our Azure Cosmos DB for NoSQL database. Before we can grant access, we need to enable the system-assigned managed identity on the Azure App Service. We can do that with this command:

az webapp identity assign --name $appName --resource-group $resourceGroupName

You will need the principalId or objectId that comes back in the response. Store this value in a variable named $managedIdentityObjectId.

Grant the managed identity read-only access to Azure Cosmos DB

Once the managed identity object ID is gathered, you can assign it read-only access to Azure Cosmos DB using the custom role created earlier. Use the following command:

az cosmosdb sql role assignment create --account-name $accountName --resource-group $resourceGroupName --scope "/" --principal-id $managedIdentityObjectId --role-definition-id $readOnlyRoleDefinitionId

Note: If you don’t have the $readOnlyRoleDefinitionId set, you can get it by running:

az cosmosdb sql role definition list --account-name $accountName --resource-group $resourceGroupName
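
The two steps above can be run as one script that also reads the assignments back and confirms the identity holds only the read-only role. This is an added example, not code from the original post; it assumes $appName, $resourceGroupName, $accountName and $readOnlyRoleDefinitionId are already set as described in this series.

```powershell
# Added example: enable the identity, grant read-only access, then verify it.
# Assumes $appName, $resourceGroupName, $accountName and
# $readOnlyRoleDefinitionId are already set in this PowerShell session.

# Enable the system-assigned identity and keep only the principalId.
$managedIdentityObjectId = az webapp identity assign `
    --name $appName --resource-group $resourceGroupName `
    --query principalId --output tsv

if ([string]::IsNullOrWhiteSpace($managedIdentityObjectId)) {
    throw "No principalId returned; the managed identity was not enabled."
}

# Grant the custom read-only data-plane role to that identity.
az cosmosdb sql role assignment create --account-name $accountName `
    --resource-group $resourceGroupName --scope "/" `
    --principal-id $managedIdentityObjectId `
    --role-definition-id $readOnlyRoleDefinitionId | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Role assignment failed." }

# Read back every data-plane assignment on the account and keep this identity's.
# The parentheses force the JSON array to be enumerated on all PowerShell versions.
$all = (az cosmosdb sql role assignment list --account-name $accountName `
    --resource-group $resourceGroupName --output json | ConvertFrom-Json)
$mine = @($all | Where-Object { $_.principalId -eq $managedIdentityObjectId })

if ($mine.Count -eq 0) {
    throw "The managed identity has no role assignment on $accountName."
}

# roleDefinitionId comes back as a full resource ID, so compare on the last
# path segment. This works whether the variable holds the GUID or the full ID.
$expected = ($readOnlyRoleDefinitionId -split '/')[-1]
$unexpected = @($mine | Where-Object {
    ($_.roleDefinitionId -split '/')[-1] -ne $expected
})

# Show what the identity can reach, then fail if anything beyond read-only exists.
$mine | Format-Table roleDefinitionId, scope -AutoSize
if ($unexpected.Count -gt 0) {
    throw "The identity holds $($unexpected.Count) assignment(s) other than the read-only role."
}
"Verified: $appName holds only the read-only role on $accountName."
```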

Restart the App Service

The web app may not pick up these changes on its own. You can restart the web app with the following command:

az webapp restart --name $appName --resource-group $resourceGroupName

Browse the app

Navigate to your web app and confirm that it is pulling the data from Azure Cosmos DB for NoSQL.

Conclusion

In this blog series, you:

  • Created custom read-only and read-write roles to use with Azure Cosmos DB RBAC on the data plane
  • Created a .NET Console application to populate an Azure Cosmos DB for NoSQL database with holiday data
  • Created an ASP.NET web application to display the data from Azure Cosmos DB for NoSQL
  • Deployed the code to an Azure App Service, which pulled the data using read-only access to Azure Cosmos DB for NoSQL

By sadukie
