Obtain primary, secondary, read, or read-write keys in Azure Cosmos DB

2024-10-07

APPLIES TO: NoSQL MongoDB Cassandra Gremlin Table

Primary/secondary keys provide access to all the administrative resources for the database account. Primary/secondary keys:

Provide access to accounts, databases, users, and permissions.
Can't be used to provide granular access to containers and documents.
Are created during the creation of an account.
Can be regenerated at any time.

Warning

Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.

For Azure Cosmos DB, Microsoft Entra authentication is the most secure authentication mechanism available. Review the appropriate security guide for your API:

Azure Cosmos DB for NoSQL

Each account consists of two keys: a primary key and a secondary key. The purpose of dual keys is so that you can regenerate, or roll, keys, providing continuous access to your account and data.

Primary/secondary keys come in two versions: read-write and read-only. The read-only keys only allow read operations on the account. They don't provide access to read permissions resources.

Prerequisites

An existing Azure Cosmos DB account

Get your primary key

The primary key can usually be located using the Azure portal or through automation.

Use the Azure portal to obtain either of the four built-in keys:

Primary read-write
Primary read-only
Secondary read-write
Secondary read-only

Sign in to the Azure portal (https://portal.azure.com).
Navigate to your existing Azure Cosmos DB account.
In the account resource pane, select Keys from the Settings section of the service menu.
Locate and record the value of the Primary Key or Secondary Key fields in either the Read-write Keys or Read-only section.

Tip

You may need to show the keys before recording their values. By default, the keys are hidden.

Use this Azure CLI script to get keys or connection strings from your Azure Cosmos DB account.

az cosmosdb keys list \
    --resource-group "<name-of-existing-resource-group>" \
    --name "<name-of-existing-account>" \
    --type "keys"

Warning

Azure CLI will render a warning that outputting your secrets could compromise security for your account.

--type argument options include:

connection-strings
keys
read-only-keys

For more information, see az cosmosdb keys list.

Use this Azure PowerShell script to get keys or connection strings from your Azure Cosmos DB account.

$parameters = @{
    ResourceGroupName = "<name-of-existing-resource-group>"
    Name = "<name-of-existing-account>"
    Type = "Keys"
}
Get-AzCosmosDBAccountKey @parameters

Type parameter options include:

ConnectionStrings
Keys
ReadOnlyKeys

For more information, see Get-AzCosmosDBAccountKey.

This example Bicep template outputs all credentials for an existing Azure Cosmos DB account.

metadata description = 'Gets all keys and connection strings for an Azure Cosmos DB account.'

@description('The name of the Azure Cosmos DB account.')
param accountName string

resource account 'Microsoft.DocumentDB/databaseAccounts@2024-05-15' existing = {
  name: accountName
}

output endpoint string = account.properties.documentEndpoint

var keys = account.listKeys()

output keys object = {
  primary: {
    readWrite: keys.primaryMasterKey
    readOnly: keys.primaryReadonlyMasterKey
  }
  secondary: {
    readWrite: keys.secondaryMasterKey
    readOnly: keys.secondaryReadonlyMasterKey
  }
}

var connectionStrings = account.listConnectionStrings()

output connectionStrings object = {
  primary: {
    readWrite: connectionStrings.connectionStrings[0].connectionString
    readOnly: connectionStrings.connectionStrings[1].connectionString
  }
  secondary: {
    readWrite: connectionStrings.connectionStrings[2].connectionString
    readOnly: connectionStrings.connectionStrings[3].connectionString
  }
}

Warning

This Bicep template will trigger a linter warning for Bicep. Ideally, production Bicep templates should not output secrets. This sample intentionally does not supress this linter warning. For more information, see linter rule - outputs should not contain secrets.

Implement key rotation

Share via

Obtain primary, secondary, read, or read-write keys in Azure Cosmos DB

Prerequisites

Get your primary key

Related content

Additional resources