Support data plane RBAC for E2E tests. (#2176)

* Acquire token for NoSQL account prior to running tests. * Change client id to user assigned managed identity. * Change to use managed identity. Add token variables for gremlin and tables. * Add RBAC details to test README. * Add token for SQL readonly database. Skip resource token tests when RBAC enabled. * Use hardcoded account name for sql readonly. * Use specific tag for sql readonly. * Remove comment.
2025-12-20 17:30:46 +00:00 · 2025-08-05 10:59:57 -07:00
parent 870863a723
commit 0ef4399ba4
9 changed files with 166 additions and 34 deletions
--- a/test/testData.ts
+++ b/test/testData.ts
@@ -1,7 +1,7 @@
 import crypto from "crypto";

 import { CosmosDBManagementClient } from "@azure/arm-cosmosdb";
-import { BulkOperationType, Container, CosmosClient, Database, JSONObject } from "@azure/cosmos";
+import { BulkOperationType, Container, CosmosClient, CosmosClientOptions, Database, JSONObject } from "@azure/cosmos";
 import { AzureIdentityCredentialAdapter } from "@azure/ms-rest-js";

 import {
@@ -82,11 +82,24 @@ export async function createTestSQLContainer(includeTestData?: boolean) {
  const armClient = new CosmosDBManagementClient(adaptedCredentials, subscriptionId);
  const accountName = getAccountName(TestAccount.SQL);
  const account = await armClient.databaseAccounts.get(resourceGroupName, accountName);
-  const keys = await armClient.databaseAccounts.listKeys(resourceGroupName, accountName);
-  const client = new CosmosClient({
+
+  const clientOptions: CosmosClientOptions = {
    endpoint: account.documentEndpoint!,
-    key: keys.primaryMasterKey,
-  });
+  };
+
+  const nosqlAccountRbacToken = process.env.NOSQL_TESTACCOUNT_TOKEN;
+  if (nosqlAccountRbacToken) {
+    clientOptions.tokenProvider = async (): Promise<string> => {
+      const AUTH_PREFIX = `type=aad&ver=1.0&sig=`;
+      const authorizationToken = `${AUTH_PREFIX}${nosqlAccountRbacToken}`;
+      return authorizationToken;
+    };
+  } else {
+    const keys = await armClient.databaseAccounts.listKeys(resourceGroupName, accountName);
+    clientOptions.key = keys.primaryMasterKey;
+  }
+
+  const client = new CosmosClient(clientOptions);
  const { database } = await client.databases.createIfNotExists({ id: databaseId });
  try {
    const { container } = await database.containers.createIfNotExists({