Question 6
Unclassified
A service needs to access Cosmos DB without putting keys in code. What should the team prefer where supported?
Correct answer: A
Explanation
Identity-based access avoids embedding secrets in code by using an Azure managed identity to authenticate to Cosmos DB. This follows least privilege because the service is granted only the permissions it needs, rather than sharing account keys with broad access.
Why each option is right or wrong
A. Identity-based access, managed identity patterns, and least privilege.
Azure Cosmos DB supports Microsoft Entra ID–based authentication for supported APIs and client libraries, so a service can use a managed identity instead of storing account keys in application code. The access should then be granted through the built-in Cosmos DB data-plane RBAC roles at the narrowest scope required, because account keys are full-access credentials while RBAC can limit the principal to only the needed read/write operations.
B. Hard-coded account keys in the repository.
This embeds a full-access secret in source control, which is exactly what the question asks to avoid: anyone with read access to the repository obtains the key, and rotating it requires a code change.
C. Keys pasted into public documentation.
This exposes a full-access credential to anyone who can read the documentation, so the account is effectively open to the public.
D. Anonymous write access.
This grants write access with no authentication at all, the opposite of least privilege.