Disable cosmosdb access key from pctasks server core

docker-compose.aux.yml

@@ -1,6 +1,5 @@
 # Non-essential development enviroment servers
 
-version: "2.1"
 services:
   stac-api:
     container_name: pctasks-stac-api

docker-compose.cosmosdb.yml

@@ -1,4 +1,3 @@
-version: "2.1"
 services:
   cosmosdb:
     container_name: pctasks-cosmosdb

docker-compose.yml

@@ -1,4 +1,3 @@
-version: "2.1"
 services:
   azurite:
     container_name: pctasks-azurite
@@ -55,10 +54,6 @@ services:
       - APP_PORT=8511
       - WEB_CONCURRENCY=1
 
-      - AZURE_TENANT_ID
-      - AZURE_CLIENT_ID
-      - AZURE_CLIENT_SECRET
-
       - PCTASKS_SERVER__DEV=true
       - PCTASKS_SERVER__DEV_API_KEY=hunter2
       - PCTASKS_SERVER__DEV_AUTH_TOKEN=Bearer hunter2
@@ -111,7 +106,6 @@ services:
       ### Cosmos DB
       - COSMOSDB_EMULATOR_HOST=cosmosdb
       - PCTASKS_COSMOSDB__URL=${PCTASKS_COSMOSDB__URL:-https://cosmosdb:8081/}
-      - PCTASKS_COSMOSDB__KEY=${PCTASKS_COSMOSDB__KEY:-C2y6yDjf5/R+ob0N8A7Cgv30VRDJIWEHLM+4QDU5DE2nQ9nDuVTqobD4b8mGGyPMbIZnqyMsEcaGQy67XIw/Jw==}
       - PCTASKS_COSMOSDB__TEST_CONTAINER_SUFFIX
 
       ### Blobs
@@ -121,6 +115,7 @@ services:
 
     volumes:
       - ./pctasks:/opt/src
+      - ~/.azure:/root/.azure
     ports:
       - "8511:8511"
     command: >
@@ -177,6 +172,7 @@ services:
     volumes:
       - ./pctasks:/home/site/pctasks
       - ./pctasks_funcs:/home/site/wwwroot
+      - ~/.azure:/home/.azure:ro
     ports:
       - "7071:7071" # Functions
     environment:
@@ -185,7 +181,7 @@ services:
 
       # Must use IP address to avoid SSL errors
       - PCTASKS_COSMOSDB__URL=${PCTASKS_COSMOSDB__URL:-https://172.16.238.246:8081/}
-      - PCTASKS_COSMOSDB__KEY=${PCTASKS_COSMOSDB__KEY:-C2y6yDjf5/R+ob0N8A7Cgv30VRDJIWEHLM+4QDU5DE2nQ9nDuVTqobD4b8mGGyPMbIZnqyMsEcaGQy67XIw/Jw==}
+      - PCTASKS_COSMOSDB__accountEndpoint=${PCTASKS_COSMOSDB__URL}
       # Set trigger app setting separately to avoid issues with __ in env var names
       - FUNC_COSMOSDB_CONN_STR=AccountEndpoint=${PCTASKS_COSMOSDB__URL:-https://172.16.238.246:8081/};AccountKey=${PCTASKS_COSMOSDB__KEY:-C2y6yDjf5/R+ob0N8A7Cgv30VRDJIWEHLM+4QDU5DE2nQ9nDuVTqobD4b8mGGyPMbIZnqyMsEcaGQy67XIw/Jw==};
       - FUNC_STORAGE_ACCOUNT_CONN_STR=DefaultEndpointsProtocol=http;AccountName=devstoreaccount1;AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;BlobEndpoint=http://azurite:10000/devstoreaccount1;QueueEndpoint=http://azurite:10001/devstoreaccount1;TableEndpoint=http://azurite:10002/devstoreaccount1;

pctasks/core/pctasks/core/cosmos/settings.py

@@ -90,28 +90,7 @@ def _validate_key(cls, v: Optional[str], values: Dict[str, Any]) -> Optional[str
 
         return v
 
-    def ensure_valid_connection_info(self) -> None:
-        if self.connection_string:
-            return
-        if not self.url:
-            raise CosmosDBSettingsError("Must set either connection_string or url")
-        if not self.key:
-            if not (
-                os.environ.get("AZURE_CLIENT_ID")
-                and os.environ.get("AZURE_CLIENT_SECRET")
-                and os.environ.get("AZURE_TENANT_ID")
-            ):
-                # Validate that the Azure credentials are set
-                # Validation is here instead of pydantic validator
-                # because we may want to get container name settings
-                # without setting credentials.
-                raise CosmosDBSettingsError(
-                    "Must set key or connection_string, account key or "
-                    "provide Azure credentials to the environment"
-                )
-
     def get_cosmosdb_url(self) -> str:
-        self.ensure_valid_connection_info()
         if self.connection_string:
             m = re.search(r"AccountEndpoint=(.*?);", self.connection_string)
             assert m  # Should be validated by pydantic
@@ -143,9 +122,9 @@ def get_client(self) -> CosmosClient:
                 self.connection_string, connection_verify=connection_verify
             )
         else:
-            self.ensure_valid_connection_info()
-            assert self.url
-            credential = self.key or DefaultAzureCredential()
+            # If the connection string is not set, the credetials are
+            # automatically picked up from the environment/managed identity
+            credential = DefaultAzureCredential()
             return CosmosClient(
                 self.url, credential=credential, connection_verify=connection_verify
             )
@@ -164,9 +143,9 @@ def get_async_client(self) -> AsyncCosmosClient:
                 self.connection_string, connection_verify=connection_verify
             )
         else:
-            self.ensure_valid_connection_info()
-            assert self.url
-            credential = self.key or azure.identity.aio.DefaultAzureCredential()
+            # If the connection string is not set, the credetials are
+            # automatically picked up from the environment/managed identity
+            credential = azure.identity.aio.DefaultAzureCredential()
             return AsyncCosmosClient(
                 self.url, credential=credential, connection_verify=connection_verify
             )

pctasks/server/Dockerfile

@@ -36,6 +36,7 @@ RUN cd /opt/src/server && \
 
 RUN if [ "${DEVELOPMENT}" = "TRUE" ]; then \
      echo "INSTALLING DEVELOPMENT DEPENDENCIES"; \
+     yum install -y azure-cli; \
      pip install \
      -e /opt/src/core \
      -e /opt/src/cli \

pctasks_funcs/Dockerfile

@@ -3,6 +3,8 @@ FROM mcr.microsoft.com/azure-functions/python:4-python3.10
 ENV AzureWebJobsScriptRoot=/home/site/wwwroot \
     AzureFunctionsJobHost__Logging__Console__IsEnabled=true
 
+RUN apt update && apt install -y azure-cli
+
 # Copy pctasks packages
 COPY pctasks /home/site/pctasks
 

pctasks_funcs/PublishItemsCF/function.json

@@ -5,7 +5,7 @@
             "name": "documents",
             "type": "cosmosDBTrigger",
             "direction": "in",
-            "connectionStringSetting": "FUNC_COSMOSDB_CONN_STR",
+            "connection": "PCTASKS_COSMOSDB",
             "databaseName": "pctasks",
             "collectionName": "%FUNC_ITEMS_COLLECTION_NAME%"
         }

pctasks_funcs/StorageEventsCF/function.json

@@ -5,9 +5,9 @@
       "name": "documents",
       "type": "cosmosDBTrigger",
       "direction": "in",
-      "connectionStringSetting": "FUNC_COSMOSDB_CONN_STR",
+      "connection": "PCTASKS_COSMOSDB",
       "databaseName": "pctasks",
-      "collectionName": "%FUNC_STORAGE_EVENTS_COLLECTION_NAME%"
+      "containerName": "%FUNC_STORAGE_EVENTS_COLLECTION_NAME%"
     }
   ]
 }

pctasks_funcs/StorageEventsQueue/function.json

@@ -6,7 +6,7 @@
             "name": "msg",
             "direction": "in",
             "queueName": "storage-events",
-            "connectionStringSetting": "FUNC_COSMOSDB_CONN_STR"
+            "connection": "PCTASKS_COSMOSDB"
         }
     ]
 }

pctasks_funcs/WorkflowRunsCF/function.json

@@ -5,9 +5,9 @@
             "name": "container",
             "type": "cosmosDBTrigger",
             "direction": "in",
-            "connectionStringSetting": "FUNC_COSMOSDB_CONN_STR",
+            "connection": "PCTASKS_COSMOSDB",
             "databaseName": "pctasks",
-            "collectionName": "%FUNC_WORKFLOW_RUNS_COLLECTION_NAME%"
+            "containerName": "%FUNC_WORKFLOW_RUNS_COLLECTION_NAME%"
         }
     ]
 }

pctasks_funcs/WorkflowsCF/function.json

@@ -5,9 +5,9 @@
             "name": "container",
             "type": "cosmosDBTrigger",
             "direction": "in",
-            "connectionStringSetting": "FUNC_COSMOSDB_CONN_STR",
+            "connection": "PCTASKS_COSMOSDB",
             "databaseName": "pctasks",
-            "collectionName": "%FUNC_WORKFLOWS_COLLECTION_NAME%"
+            "containerName": "%FUNC_WORKFLOWS_COLLECTION_NAME%"
         }
     ]
 }

pctasks_funcs/host.json

@@ -10,7 +10,7 @@
   },
   "extensionBundle": {
     "id": "Microsoft.Azure.Functions.ExtensionBundle",
-    "version": "[2.*, 3.0.0)"
+    "version": "[4.0.0, 5.0.0)"
   },
   "extensions": {
     "queues": {