How to check what service is writing to Azure Cosmos Db?

Question

We have a large collection within an Azure Cosmos database using the SQL API. We were certain this db was not being used anymore, however we have just discovered that documents within that collection are being updated frequently but we are unsure which of our many services is writing to it.

Is there an easy way of determining what service is writing/updating the documents within a collection inside of Azure portal? I have tried multiple different filter combinations in the activity log but can't find anything.

question from:https://stackoverflow.com/questions/65648415/how-to-check-what-service-is-writing-to-azure-cosmos-db

Answer 1

Because Cosmos DB uses master key to provide access to data there is no way to view who is accessing your data. One way you can provide details on who accesses data is to lock down the data plane by restricting RBAC roles that can access the master keys. This article describes one way of doing that. Once that is locked down you can then Audit control plane logs to see what client applications are accessing the data.

However, do actually implement this would take a fair amount of work to redesign how master keys are accessed by your client applications such that every client application would need to be redesigned, thus negating the benefit of doing such a thing.