Atlan supports the following deployment types for fetching metadata from Microsoft Azure Cosmos DB:
- vCore-based deployment — you can use SCRAM-SHA authentication for vCore-based accounts. You will need to authenticate the connection in Atlan with a primary connection string to fetch metadata from vCore-based accounts. Atlan provides multi-account support for fetching metadata.
- RU-based deployment — you can use service principal authentication for request unit (RU)-based accounts. You will need to authenticate the connection in Atlan with a client ID, client secret, and tenant ID to fetch metadata from RU-based accounts. Atlan provides multi-account support for fetching metadata.
If your Microsoft Azure Cosmos DB deployment includes a mix of vCore- and RU-based accounts, you must configure both to fetch metadata. You can then use the vCore and RU deployment option to crawl your Microsoft Azure Cosmos DB assets.
vCore deployment
For vCore-based accounts, you will need the primary connection string of your Microsoft Azure Cosmos DB deployment to use SCRAM-SHA authentication for integrating with Atlan.
To retrieve the primary connection string for vCore-based accounts:
1. Log in to the Azure portal as an admin.
2. In the portal, search for and select Azure Cosmos DB.
3. On the Azure Cosmos DB page, select your Azure Cosmos DB for MongoDB (vCore) account.
4. From the Overview page, copy the value of the Admin username. For the password, use the password that was set when your Microsoft Azure Cosmos DB deployment was created.
5. In the left menu of the account page, under Settings, click Connection strings.
6. Copy the value of the Primary Connection String and store it in a secure location. Replace the username and password placeholders in the copied connection string with the admin username and password. Repeat steps 1 to 6 for every vCore-based account you want to crawl in Atlan.
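As an added example (not from Atlan's documentation), the following Python fills the username and password placeholders in a copied vCore connection string with percent-encoded credentials and checks the result before it is entered in Atlan. The cluster hostname is a constructed sample, and the placeholder names `<user>` and `<password>` are assumed to match what the portal shows.

```python
from urllib.parse import quote, urlsplit, parse_qs

# Constructed sample in the shape the portal shows for a vCore account;
# the real string is copied from the Connection strings page.
SAMPLE_CONNECTION_STRING = (
    "mongodb+srv://<user>:<password>@example-cluster.mongocluster.cosmos.azure.com/"
    "?tls=true&authMechanism=SCRAM-SHA-256&retrywrites=false&maxIdleTimeMS=120000"
)


def fill_connection_string(template: str, username: str, password: str) -> str:
    """Replace the <user> and <password> placeholders with percent-encoded credentials.

    Characters such as '@', ':', '/' and '%' in a password would otherwise be
    parsed as URI structure, so they must be encoded before insertion.
    """
    if "<user>" not in template or "<password>" not in template:
        raise ValueError("template does not contain the expected <user>/<password> placeholders")
    return template.replace("<user>", quote(username, safe="")).replace(
        "<password>", quote(password, safe="")
    )


def check_connection_string(conn: str) -> list[str]:
    """Return a list of problems; an empty list means the string is ready to use."""
    problems = []
    parts = urlsplit(conn)
    if parts.scheme not in ("mongodb", "mongodb+srv"):
        problems.append(f"unexpected scheme {parts.scheme!r}")
    if "<user>" in conn or "<password>" in conn:
        problems.append("placeholders were not replaced")
    if not parts.username or parts.password is None:
        problems.append("username or password missing")
    query = parse_qs(parts.query)
    # SCRAM-SHA over TLS is the authentication the vCore connection relies on.
    if query.get("tls", ["false"])[0].lower() != "true":
        problems.append("tls is not enabled")
    if query.get("authMechanism", [""])[0] != "SCRAM-SHA-256":
        problems.append("authMechanism is not SCRAM-SHA-256")
    return problems


if __name__ == "__main__":
    filled = fill_connection_string(SAMPLE_CONNECTION_STRING, "clusteradmin", "p@ss:w/rd%")
    print(filled)
    print(check_connection_string(filled) or "connection string looks good")
```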
RU-based deployment
For request unit (RU)-based accounts, you will need a client ID, client secret, and tenant ID for service principal authentication. Microsoft Azure Cosmos DB for MongoDB currently does not support service principal authentication for vCore-based accounts.
Register app with Microsoft Entra ID
You will need to register your service principal application with Microsoft Entra ID and note down the values of the tenant ID, client ID, and client secret.
To register your app with Microsoft Entra ID:
1. Log in to the Azure portal.
2. In the search bar, search for Microsoft Entra ID, and select it from the dropdown list.
3. From the left menu of the Microsoft Entra ID page, click App registrations.
4. From the toolbar on the App registrations page, click + New registration.
5. On the Register an application page, for Name, enter a name for your service principal application and then click Register.
6. On the homepage of your newly created application, from the Overview screen, copy the values for the following fields and store them in a secure location:
   - Application (client) ID
   - Directory (tenant) ID
7. From the left menu of your newly created application page, click Certificates & secrets.
8. On the Certificates & secrets page, under Client secrets, click + New client secret.
9. In the Add a client secret screen, enter the following details:
   - For Description, enter a description for your client secret.
   - For Expiry, select when the client secret will expire.
   - Click Add.
10. On the Certificates & secrets page, under Client secrets, for the newly created client secret, click the clipboard icon to copy the Value and store it in a secure location. The Value is displayed only once, immediately after creation, and cannot be retrieved later.
Set permissions
You will need to add the service principal to the Cosmos DB Account Reader Role. This will allow the service principal read-only access to your Azure Cosmos DB account data.
To add the service principal to the Cosmos DB Account Reader Role:
1. Log in to the Azure portal.
2. Open the menu and search for or select Azure Cosmos DB.
3. On the Azure Cosmos DB page, select your Azure Cosmos DB for MongoDB (RU) account.
4. From the left menu of your Azure Cosmos DB for MongoDB (RU) account page, click Access control (IAM).
5. From the tabs along the top of the Access control (IAM) page, click Add and then click Add role assignment.
6. On the Add role assignment page, configure the following:
   - In the Roles tab, from the list of roles under Job function roles, select Cosmos DB Account Reader Role — this allows read-only access to Azure Cosmos DB account data — and then click Next. You will need to assign this role on every RU-based account you want to crawl in Atlan.
   - In the Members tab, enter the following details:
     - For Assign access to, click User, group, or service principal.
     - For Members, click + Select members and then select the service principal you created. Click Next to proceed to the next step.
   - In the Review + assign tab, click Review + assign to add the role assignment.
(Optional) Whitelist Atlan IP range
You may need to whitelist Atlan's IP range to allow Atlan to crawl Microsoft Azure Cosmos DB.
To whitelist the Atlan IP range:
1. Log in to the Azure portal.
2. Open the menu and search for or select Azure Cosmos DB.
3. On the Azure Cosmos DB page, select your Azure Cosmos DB for MongoDB account.
4. From the left menu of your Azure Cosmos DB for MongoDB account page, click Networking.
5. On the Networking page, under Public network access, check the following:
   - If All networks is enabled, no further action is required.
   - If Select networks is enabled, raise an Atlan support request to obtain Atlan's IP range. Once you receive it from Atlan support, for IP (Single IPv4 or CIDR range), enter Atlan's IP range and click Save.