Azure Cosmos DB (SQL API) binding spec
To setup Azure Cosmos DB binding create a component of type
bindings.azure.cosmosdb. See this guide on how to create and apply a binding configuration.
apiVersion: dapr.io/v1alpha1 kind: Component metadata: name: <NAME> spec: type: bindings.azure.cosmosdb version: v1 metadata: - name: url value: "https://******.documents.azure.com:443/" - name: masterKey value: "*****" - name: database value: "OrderDb" - name: collection value: "Orders" - name: partitionKey value: "<message>" - name: direction value: "output"
WarningThe above example uses secrets as plain strings. It is recommended to use a secret store for the secrets as described here.
Spec metadata fields
||Y||Output||The Cosmos DB url||
||Y||Output||The Cosmos DB account master key||
||Y||Output||The name of the Cosmos DB database||
||Y||Output||The name of the container inside the database.||
||Y||Output||The name of the key to extract from the payload (document to be created) that is used as the partition key. This name must match the partition key specified upon creation of the Cosmos DB container.||
||N||Output||The direction of the binding.||
For more information see Azure Cosmos DB resource model.
Azure Active Directory (Azure AD) authentication
The Azure Cosmos DB binding component supports authentication using all Azure Active Directory mechanisms. For further information and the relevant component metadata fields to provide depending on the choice of AAD authentication mechanism, see the docs for authenticating to Azure.
You can read additional information for setting up Cosmos DB with Azure AD authentication in the section below.
This component supports output binding with the following operations:
Best Practices for Production Use
Azure Cosmos DB shares a strict metadata request rate limit across all databases in a single Azure Cosmos DB account. New connections to Azure Cosmos DB assume a large percentage of the allowable request rate limit. (See the Cosmos DB documentation)
Therefore several strategies must be applied to avoid simultaneous new connections to Azure Cosmos DB:
- Ensure sidecars of applications only load the Azure Cosmos DB component when they require it to avoid unnecessary database connections. This can be done by scoping your components to specific applications.
- Choose deployment strategies that sequentially deploy or start your applications to minimize bursts in new connections to your Azure Cosmos DB accounts.
- Avoid reusing the same Azure Cosmos DB account for unrelated databases or systems (even outside of Dapr). Distinct Azure Cosmos DB accounts have distinct rate limits.
- Increase the
initTimeoutvalue to allow the component to retry connecting to Azure Cosmos DB during side car initialization for up to 5 minutes. The default value is
5sand should be increased. When using Kubernetes, increasing this value may also require an update to your Readiness and Liveness probes.
spec: type: bindings.azure.cosmosdb version: v1 initTimeout: 5m metadata:
The output binding
create operation requires the following keys to exist in the payload of every document to be created:
id: a unique ID for the document to be created
<partitionKey>: the name of the partition key specified via the
spec.partitionKeyin the component definition. This must also match the partition key specified upon creation of the Cosmos DB container.
Setting up Cosmos DB for authenticating with Azure AD
When using the Dapr Cosmos DB binding and authenticating with Azure AD, you need to perform a few additional steps to set up your environment.
- You need a Service Principal created as per the instructions in the authenticating to Azure page. You need the ID of the Service Principal for the commands below (note that this is different from the client ID of your application, or the value you use for
azureClientIdin the metadata).
- Azure CLI
- The scripts below are optimized for a bash or zsh shell
When using the Cosmos DB binding, you don’t need to create stored procedures as you do in the case of the Cosmos DB state store.
Granting your Azure AD application access to Cosmos DB
You can find more information on the official documentation, including instructions to assign more granular permissions.
In order to grant your application permissions to access data stored in Cosmos DB, you need to assign it a custom role for the Cosmos DB data plane. In this example you’re going to use a built-in role, “Cosmos DB Built-in Data Contributor”, which grants your application full read-write access to the data; you can optionally create custom, fine-tuned roles following the instructions in the official docs.
# Name of the Resource Group that contains your Cosmos DB RESOURCE_GROUP="..." # Name of your Cosmos DB account ACCOUNT_NAME="..." # ID of your Service Principal object PRINCIPAL_ID="..." # ID of the "Cosmos DB Built-in Data Contributor" role # You can also use the ID of a custom role ROLE_ID="00000000-0000-0000-0000-000000000002" az cosmosdb sql role assignment create \ --account-name "$ACCOUNT_NAME" \ --resource-group "$RESOURCE_GROUP" \ --scope "/" \ --principal-id "$PRINCIPAL_ID" \ --role-definition-id "$ROLE_ID"
- Basic schema for a Dapr component
- Bindings building block
- How-To: Trigger application with input binding
- How-To: Use bindings to interface with external resources
- Bindings API reference
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.