Query data through the portal without showing keys
We want our developers to see information in the cosmosdb when using data explorer in the portal. Unfortunately the roles to provied that option gives also read access to the keys. We don't want that our developers can see the keys.
From what I can see, the Cosmos DB Account Reader only gives access to the “Read-Only Keys”. Without this access, even with all the other rights, the “Cosmos DB Account Reader” wouldn’t be able to see the information in the Data Explorer pane.
I tested this by creating a custom RBAC role copy of the Cosmos DB Account Reader with the only difference that it did not have the “Microsoft.DocumentDB/databaseAccounts/readonlykeys/action” permission which allows access to the keys. Without this right, the custom role does not have any access to the Data Explorer DBs and collections Therefore, it seems that access to the Read-Only Keys is necessary in order to have access to the collections.
It would be nice to have a feature to see data in the cosmos db's without seeing the keys.
Feature available today.