To read data from a Cosmos DB account, the user needs a role that allows retrieving the account's access keys. The built-in Reader role does not have this ability. However, the Cosmos DB Account Reader role can retrieve the read-only access keys, so a user holding that role can read the data (but cannot make any changes to it).
From this link https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#cosmos-db-account-reader-role, this is the definition of the Cosmos DB Account Reader role:
{
    "assignableScopes": [
        "/"
    ],
    "description": "Can read Azure Cosmos DB Accounts data",
    "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
    "name": "fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
    "permissions": [
        {
            "actions": [
                "Microsoft.Authorization/*/read",
                "Microsoft.DocumentDB/*/read",
                "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
                "Microsoft.Insights/MetricDefinitions/read",
                "Microsoft.Insights/Metrics/read",
                "Microsoft.Resources/subscriptions/resourceGroups/read",
                "Microsoft.Support/*"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
        }
    ],
    "roleName": "Cosmos DB Account Reader Role",
    "roleType": "BuiltInRole",
    "type": "Microsoft.Authorization/roleDefinitions"
}
The Microsoft.DocumentDB/databaseAccounts/readonlykeys/action operation returns the read-only access keys, and with them the data can be read. Note that these keys are account-wide: a read-only key grants read access to every database and container in the account, not just to the scope at which the role was assigned, and the key is used on the data plane exactly like a primary key (only write operations are rejected).
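The following is an added example, not code from the original page: it shows what a holder of a read-only key can do with it on the data plane. Obtaining the key itself is a control-plane call (for instance `az cosmosdb keys list -g <rg> -n <account> --type read-only-keys`, which the readonlykeys/action above authorizes); the code below then builds the signed REST request that reads documents with that key. The account name `victimaccount`, database `ToDoList`, container `Items` and the key `SAMPLE_READONLY_KEY` are constructed placeholders, not real resources. The signing scheme (HMAC-SHA256 over verb, resource type, resource link and date, sent as a `type=master` token) is the documented Cosmos DB REST access-control scheme, and a read-only key is signed with it exactly like a primary key.

```python
import base64
import hashlib
import hmac
import json
import urllib.parse
from datetime import datetime, timezone

# Constructed sample key for the example: 64 fixed bytes, base64-encoded.
# It is NOT a real Cosmos DB key. A real read-only key would come from the
# control plane, e.g. with the Cosmos DB Account Reader role:
#   az cosmosdb keys list -g <rg> -n <account> --type read-only-keys
SAMPLE_READONLY_KEY = base64.b64encode(bytes(range(64))).decode()

COSMOS_API_VERSION = "2018-12-31"


def string_to_sign(verb, resource_type, resource_link, date_rfc1123):
    """Canonical string the Cosmos DB data plane expects the HMAC over.

    Verb, resource type and date are lower-cased; the resource link
    (e.g. "dbs/ToDoList/colls/Items") is case-sensitive and left as-is.
    """
    return (
        f"{verb.lower()}\n"
        f"{resource_type.lower()}\n"
        f"{resource_link}\n"
        f"{date_rfc1123.lower()}\n"
        "\n"
    )


def build_auth_header(key_b64, verb, resource_type, resource_link, date_rfc1123):
    """HMAC-SHA256 the canonical string with the base64-decoded key and
    URL-encode the token. Read-only keys use the same "type=master" form."""
    key = base64.b64decode(key_b64)
    text = string_to_sign(verb, resource_type, resource_link, date_rfc1123)
    digest = hmac.new(key, text.encode("utf-8"), hashlib.sha256).digest()
    sig = base64.b64encode(digest).decode()
    return urllib.parse.quote(f"type=master&ver=1.0&sig={sig}", safe="")


def verify_auth_header(key_b64, header, verb, resource_type, resource_link, date_rfc1123):
    """Server-side view of the same check: recompute and compare in constant time."""
    expected = build_auth_header(key_b64, verb, resource_type, resource_link, date_rfc1123)
    return hmac.compare_digest(expected, header)


def build_query_request(key_b64, account, database, container, sql, date_rfc1123=None):
    """Assemble a cross-partition SQL query (POST .../docs) that a holder of the
    read-only key could send to dump a container. Returns the request parts
    instead of sending them, so the example runs offline."""
    if date_rfc1123 is None:
        date_rfc1123 = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    resource_link = f"dbs/{database}/colls/{container}"
    return {
        "method": "POST",
        "url": f"https://{account}.documents.azure.com/{resource_link}/docs",
        "headers": {
            # For a query against a container, resourceType is "docs" and the
            # signed resource link is the container link itself.
            "Authorization": build_auth_header(key_b64, "POST", "docs", resource_link, date_rfc1123),
            "x-ms-date": date_rfc1123,
            "x-ms-version": COSMOS_API_VERSION,
            "Content-Type": "application/query+json",
            "x-ms-documentdb-isquery": "true",
            "x-ms-documentdb-query-enablecrosspartition": "true",
        },
        "body": json.dumps({"query": sql, "parameters": []}),
    }


if __name__ == "__main__":
    # Hypothetical target names; the key is the constructed sample above.
    req = build_query_request(SAMPLE_READONLY_KEY, "victimaccount", "ToDoList", "Items", "SELECT * FROM c")
    print(req["method"], req["url"])
    for name, value in req["headers"].items():
        print(f"{name}: {value}")
    print(req["body"])
```

Because the signature covers the request date, a captured Authorization header is only replayable within the server's clock-skew window; the key itself, however, stays valid until it is rotated, so the defensive response to a leaked read-only key is to regenerate it (or to disable key-based auth on the account altogether).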