Using Managed Identity for Cassandra

Hi Shreyas Ketkar,
Thankyou for reaching microsoft Q&A!
Currently, Azure Cosmos DB for Apache Cassandra does not support native token-based Azure AD / Managed Identity authentication at the Cassandra protocol (CQL) data plane in the same way the SQL (Core) API supports direct Entra ID authentication.

In practice, Cassandra clients still typically authenticate using Cosmos DB keys/connection strings when establishing CQL sessions.

What customers commonly do instead is:

• Use a system-assigned or user-assigned Managed Identity for the application

Store Cosmos DB keys securely in Azure Key Vault or retrieve them programmatically Use Managed Identity to access Key Vault or management-plane operations securely Pass the retrieved key to the Cassandra driver at runtime

This approach removes hard-coded secrets from the application, but it is not the same as native token-based authentication directly between the Cassandra driver and Cosmos DB.

So the limitation is not with Managed Identity itself, but rather that the Cassandra API currently does not offer full first-class Entra ID authentication at the CQL protocol layer.

Because of this, some customers evaluate the SQL (Core) API or other APIs when strict token-only authentication requirements exist. However, migrating APIs can introduce application compatibility and consistency-model considerations, as you observed.

As alternatives today, you can consider:

Using Managed Identity together with Key Vault for secure secret retrieval Using Service Connector to simplify secret management and connection configuration Continuing with Cassandra API if preserving Cassandra compatibility and consistency behavior is more important than native token-based authentication

References:

Azure Cosmos DB managed identities documentation Service Connector for Cosmos Cassandra Azure Cosmos DB Cassandra RBAC documentation

Thanks.

Hello Shreyas Ketkar,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you are having challenges using Managed Identity for Cassandra.

The best practices say:

“Cassandra DB does not support managed identity, therefore you must migrate to native Cosmos DB” is not accurate for Azure Cosmos DB for Apache Cassandra based on current Microsoft documentation. Azure Cosmos DB for Apache Cassandra now has a documented Microsoft Entra ID/RBAC path with Cassandra-specific data-plane role definitions and role assignments. - https://learn.microsoft.com/en-us/azure/cosmos-db/cassandra/how-to-connect-role-based-access-control, https://learn.microsoft.com/en-us/azure/cosmos-db/cassandra/reference-data-plane-security, and https://learn.microsoft.com/en-us/cli/azure/cosmosdb/cassandra/role/assignment?view=azure-cli-latest

My best advice for you is to keep the Cassandra API account, enable the application’s managed identity, disable key-based authentication, assign the managed identity the correct Cosmos DB Cassandra data-plane role, and verify with az cosmosdb cassandra role assignment list. Migration to Cosmos DB NoSQL API should only be considered for application/platform reasons, not as the primary solution for managed identity.

I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.