azure-cosmos-db-py
oleh microsoft
Bangun layanan Azure Cosmos DB NoSQL dengan Python/FastAPI mengikuti pola tingkat produksi. Gunakan saat mengimplementasikan pengaturan klien basis data dengan otentikasi gandaβ¦
npx skills add https://github.com/microsoft/skills --skill azure-cosmos-db-pyCosmos DB Service Implementation
Build production-grade Azure Cosmos DB NoSQL services following clean code, security best practices, and TDD principles.
Installation
pip install azure-cosmos azure-identity
Environment Variables
COSMOS_ENDPOINT=https://<account>.documents.azure.com:443/ # Required for all auth methods
COSMOS_DATABASE_NAME=<database-name> # Required for all auth methods
COSMOS_CONTAINER_ID=<container-id> # Required for all auth methods
# For emulator only (not production)
COSMOS_KEY=<emulator-key> # Only required for key-based auth or emulator
AZURE_TOKEN_CREDENTIALS=prod # Required only if DefaultAzureCredential is used in production
Authentication & Lifecycle
π Two rules apply to every code sample below:
- Prefer
DefaultAzureCredential. It works locally (Azure CLI / VS Code / Developer CLI) and in Azure (managed identity, workload identity) with no code change. Avoid connection strings, account/API keys β they bypass Entra audit and rotation.
- Local dev:
DefaultAzureCredentialworks as-is.- Production: set
AZURE_TOKEN_CREDENTIALS=prod(orAZURE_TOKEN_CREDENTIALS=<specific_credential>) to constrain the credential chain to production-safe credentials.- Wrap every client in a context manager so HTTP transports, sockets, and token caches are released deterministically:
- Sync:
with <Client>(...) as client:- Async:
async with <Client>(...) as client:andasync with DefaultAzureCredential() as credential:(fromazure.identity.aio)Snippets may abbreviate this setup, but production code should always follow both rules.
DefaultAzureCredential (preferred):
import os
from azure.cosmos import CosmosClient
from azure.identity import DefaultAzureCredential, ManagedIdentityCredential
# Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
credential = DefaultAzureCredential(require_envvar=True)
# Or use a specific credential directly in production:
# See https://learn.microsoft.com/python/api/overview/azure/identity-readme?view=azure-python#credential-classes
# credential = ManagedIdentityCredential()
with CosmosClient(
url=os.environ["COSMOS_ENDPOINT"],
credential=credential
) as client:
# Use client here (see following sections for operations)
...
Emulator (local development):
from azure.cosmos import CosmosClient
with CosmosClient(
url="https://localhost:8081",
credential=os.environ["COSMOS_KEY"],
connection_verify=False
) as client:
# Use client here (see following sections for operations)
...
Architecture Overview
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β FastAPI Router β
β - Auth dependencies (get_current_user, get_current_user_required)
β - HTTP error responses (HTTPException) β
ββββββββββββββββββββββββββββββββ¬βββββββββββββββββββββββββββββββββββ
β
ββββββββββββββββββββββββββββββββΌβββββββββββββββββββββββββββββββββββ
β Service Layer β
β - Business logic and validation β
β - Document β Model conversion β
β - Graceful degradation when Cosmos unavailable β
ββββββββββββββββββββββββββββββββ¬βββββββββββββββββββββββββββββββββββ
β
ββββββββββββββββββββββββββββββββΌβββββββββββββββββββββββββββββββββββ
β Cosmos DB Client Module β
β - Singleton container initialization β
β - Dual auth: DefaultAzureCredential (Azure) / Key (emulator) β
β - Async wrapper via run_in_threadpool β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Quick Start
1. Client Module Setup
Create a singleton Cosmos client with dual authentication:
# db/cosmos.py
from azure.cosmos import CosmosClient
from azure.identity import DefaultAzureCredential
from starlette.concurrency import run_in_threadpool
_cosmos_container = None
def _is_emulator_endpoint(endpoint: str) -> bool:
return "localhost" in endpoint or "127.0.0.1" in endpoint
async def get_container():
global _cosmos_container
if _cosmos_container is None:
# Singleton: client lives for the FastAPI app lifetime; close in a lifespan shutdown handler.
if _is_emulator_endpoint(settings.cosmos_endpoint):
client = CosmosClient(
url=settings.cosmos_endpoint,
credential=settings.cosmos_key,
connection_verify=False
)
else:
client = CosmosClient(
url=settings.cosmos_endpoint,
credential=DefaultAzureCredential()
)
db = client.get_database_client(settings.cosmos_database_name)
_cosmos_container = db.get_container_client(settings.cosmos_container_id)
return _cosmos_container
Full implementation: See references/client-setup.md
2. Pydantic Model Hierarchy
Use five-tier model pattern for clean separation:
class ProjectBase(BaseModel): # Shared fields
name: str = Field(..., min_length=1, max_length=200)
class ProjectCreate(ProjectBase): # Creation request
workspace_id: str = Field(..., alias="workspaceId")
class ProjectUpdate(BaseModel): # Partial updates (all optional)
name: Optional[str] = Field(None, min_length=1)
class Project(ProjectBase): # API response
id: str
created_at: datetime = Field(..., alias="createdAt")
class ProjectInDB(Project): # Internal with docType
doc_type: str = "project"
3. Service Layer Pattern
class ProjectService:
def _use_cosmos(self) -> bool:
return get_container() is not None
async def get_by_id(self, project_id: str, workspace_id: str) -> Project | None:
if not self._use_cosmos():
return None
doc = await get_document(project_id, partition_key=workspace_id)
if doc is None:
return None
return self._doc_to_model(doc)
Full patterns: See references/service-layer.md
Core Principles
Security Requirements
- RBAC Authentication: Use
DefaultAzureCredentialin Azure β never store keys in code - Emulator-Only Keys: Hardcode the well-known emulator key only for local development
- Parameterized Queries: Always use
@parametersyntax β never string concatenation - Partition Key Validation: Validate partition key access matches user authorization
Clean Code Conventions
- Single Responsibility: Client module handles connection; services handle business logic
- Graceful Degradation: Services return
None/[]when Cosmos unavailable - Consistent Naming:
_doc_to_model(),_model_to_doc(),_use_cosmos() - Type Hints: Full typing on all public methods
- CamelCase Aliases: Use
Field(alias="camelCase")for JSON serialization
TDD Requirements
Write tests BEFORE implementation using these patterns:
@pytest.fixture
def mock_cosmos_container(mocker):
container = mocker.MagicMock()
mocker.patch("app.db.cosmos.get_container", return_value=container)
return container
@pytest.mark.asyncio
async def test_get_project_by_id_returns_project(mock_cosmos_container):
# Arrange
mock_cosmos_container.read_item.return_value = {"id": "123", "name": "Test"}
# Act
result = await project_service.get_by_id("123", "workspace-1")
# Assert
assert result.id == "123"
assert result.name == "Test"
Full testing guide: See references/testing.md
Best Practices
- This skill uses async throughout (
azure.cosmos.aio); do not mix with the syncazure.cosmosclient. Keep the whole FastAPI request path async β don't pair sync Cosmos calls with async handlers. - Always use context managers for clients and async credentials. Wrap the client in
async with CosmosClient(...) as client:(or manage its lifetime via FastAPI lifespan and close it explicitly). For asyncDefaultAzureCredentialfromazure.identity.aio, also useasync with credential:so tokens and transports are cleaned up.
Reference Files
| File | When to Read |
|---|---|
| references/client-setup.md | Setting up Cosmos client with dual auth, SSL config, singleton pattern |
| references/service-layer.md | Implementing full service class with CRUD, conversions, graceful degradation |
| references/testing.md | Writing pytest tests, mocking Cosmos, integration test setup |
| references/partitioning.md | Choosing partition keys, cross-partition queries, move operations |
| references/error-handling.md | Handling CosmosResourceNotFoundError, logging, HTTP error mapping |
Template Files
| File | Purpose |
|---|---|
| assets/cosmos_client_template.py | Ready-to-use client module |
| assets/service_template.py | Service class skeleton |
| assets/conftest_template.py | pytest fixtures for Cosmos mocking |
Quality Attributes (NFRs)
Reliability
- Graceful degradation when Cosmos unavailable
- Retry logic with exponential backoff for transient failures
- Connection pooling via singleton pattern
Security
- Zero secrets in code (RBAC via DefaultAzureCredential)
- Parameterized queries prevent injection
- Partition key isolation enforces data boundaries
Maintainability
- Five-tier model pattern enables schema evolution
- Service layer decouples business logic from storage
- Consistent patterns across all entity services
Testability
- Dependency injection via
get_container() - Easy mocking with module-level globals
- Clear separation enables unit testing without Cosmos
Performance
- Partition key queries avoid cross-partition scans
- Async wrapping prevents blocking FastAPI event loop
- Minimal document conversion overhead
Lebih banyak skill dari microsoft
oss-growth
microsoft
Persona peretas pertumbuhan OSS
official
microsoft-foundry
microsoft
Menyebarkan, mengevaluasi, dan mengelola agen Foundry secara menyeluruh: pembuatan Docker, push ACR, pembuatan agen yang dihosting/dengan prompt, memulai kontainer, evaluasi batch, evaluasi berkelanjutan, alur kerja pengoptimal prompt, agent.yaml, kurasi kumpulan data dari jejak. GUNAKAN UNTUK: menyebarkan agen ke Foundry, agen yang dihosting, membuat agen, memanggil agen, mengevaluasi agen, menjalankan evaluasi batch, evaluasi berkelanjutan, pemantauan berkelanjutan, status evaluasi berkelanjutan, mengoptimalkan prompt, meningkatkan prompt, pengoptimal prompt, mengoptimalkan instruksi agen, meningkatkan agen...
officialdevelopmentdevops
azure-ai
microsoft
Gunakan untuk Azure AI: Search, Speech, OpenAI, Document Intelligence. Membantu pencarian, pencarian vektor/hibrida, ucapan-ke-teks, teks-ke-ucapan, transkripsi, OCR. KAPAN: AI Search, pencarian kueri, pencarian vektor, pencarian hibrida, pencarian semantik, ucapan-ke-teks, teks-ke-ucapan, transkripsi, OCR, konversi teks ke ucapan.
officialdevelopmentapi
azure-deploy
microsoft
Jalankan deployment Azure untuk aplikasi yang SUDAH DISIAPKAN dan memiliki file .azure/deployment-plan.md serta infrastruktur yang sudah ada. JANGAN gunakan skill ini saat pengguna meminta untuk MEMBUAT aplikasi baru β gunakan azure-prepare sebagai gantinya. Skill ini menjalankan perintah azd up, azd deploy, terraform apply, dan az deployment dengan pemulihan kesalahan bawaan. Membutuhkan .azure/deployment-plan.md dari azure-prepare dan status tervalidasi dari azure-validate. KAPAN: "jalankan azd up", "jalankan azd deploy", "jalankan deployment",...
officialdevopsaws
azure-storage
microsoft
Layanan Azure Storage termasuk Blob Storage, File Shares, Queue Storage, Table Storage, dan Data Lake. Menjawab pertanyaan tentang tingkat akses penyimpanan (hot, cool, cold, archive), kapan menggunakan setiap tingkat, dan perbandingan tingkat. Menyediakan penyimpanan objek, berbagi file SMB, pengiriman pesan asinkron, NoSQL key-value, dan analitik big data. Termasuk manajemen siklus hidup. GUNAKAN UNTUK: blob storage, file shares, queue storage, table storage, data lake, unggah file, unduh blob, akun penyimpanan, tingkat akses,...
officialdevelopmentdatabase
azure-diagnostics
microsoft
Debug masalah produksi Azure menggunakan AppLens, Azure Monitor, resource health, dan triase aman. KAPAN: debug masalah produksi, troubleshoot app service, CPU tinggi app service, kegagalan deployment app service, troubleshoot container apps, troubleshoot functions, troubleshoot AKS, kubectl tidak bisa terhubung, kegagalan kube-system/CoreDNS, pod pending, crashloop, node tidak siap, kegagalan upgrade, analisis log, KQL, insights, kegagalan image pull, masalah cold start, kegagalan health probe,...
officialdevopsdevelopment
azure-prepare
microsoft
Siapkan aplikasi Azure untuk deployment (infra Bicep/Terraform, azure.yaml, Dockerfiles). Gunakan untuk membuat/memodernisasi atau membuat+men-deploy; bukan untuk migrasi lintas-cloud (gunakan azure-cloud-migrate). JANGAN GUNAKAN UNTUK: aplikasi copilot-sdk (gunakan azure-hosted-copilot-sdk). KAPAN: "membuat aplikasi", "membangun aplikasi web", "membuat API", "membuat API HTTP serverless", "membuat frontend", "membuat backend", "membangun layanan", "memodernisasi aplikasi", "memperbarui aplikasi", "menambahkan autentikasi", "menambahkan caching", "hosting di Azure", "membuat dan...
officialdevelopmentdevops
azure-validate
microsoft
Validasi pra-penyebaran untuk kesiapan Azure. Lakukan pemeriksaan mendalam pada konfigurasi, infrastruktur (Bicep atau Terraform), penetapan peran RBAC, izin identitas terkelola, dan prasyarat sebelum menyebarkan. KAPAN: validasi aplikasi saya, periksa kesiapan penyebaran, jalankan pemeriksaan awal, verifikasi konfigurasi, periksa apakah siap untuk menyebarkan, validasi azure.yaml, validasi Bicep, uji sebelum menyebarkan, pecahkan kesalahan penyebaran, validasi Azure Functions, validasi function app, validasi serverless...
officialdevopstesting