Using Managed Identity for Cassandra

Shreyas Ketkar 40 Reputation points Microsoft External Staff
2026-05-14T05:14:37.4666667+00:00

Hi

We are using Cassandra in our project with a requirement for use of managed identity.

When we were handed this project over, we were told that because Cassandra DB does not support managed identity, we cannot use Cassandra to satisfy this and we must use Native Cosmos. However, when trying to migrate to Native Cosmos, we encountered many issues with maintaining consistency.

We just wanted to check whether there is or was any impediment to using Cassandra to resolve this SFI item requiring managed identity, and whether it still exists.

Thanks in advance.

Azure Cosmos DB

An Azure NoSQL database service for app development.


Answer accepted by question author

Pilladi Padma Sai Manisha 10,770 Reputation points Microsoft External Staff Moderator
2026-05-14T05:35:43.1833333+00:00

Hi Shreyas Ketkar,
Thank you for reaching Microsoft Q&A!
Currently, Azure Cosmos DB for Apache Cassandra does not support native token-based Azure AD / Managed Identity authentication at the Cassandra protocol (CQL) data plane in the same way the SQL (Core) API supports direct Entra ID authentication.

In practice, Cassandra clients still typically authenticate using Cosmos DB keys/connection strings when establishing CQL sessions.

What customers commonly do instead is:

  • Use a system-assigned or user-assigned Managed Identity for the application
  • Store Cosmos DB keys securely in Azure Key Vault or retrieve them programmatically
  • Use Managed Identity to access Key Vault or management-plane operations securely
  • Pass the retrieved key to the Cassandra driver at runtime

This approach removes hard-coded secrets from the application, but it is not the same as native token-based authentication directly between the Cassandra driver and Cosmos DB.

So the limitation is not with Managed Identity itself, but rather that the Cassandra API currently does not offer full first-class Entra ID authentication at the CQL protocol layer.

Because of this, some customers evaluate the SQL (Core) API or other APIs when strict token-only authentication requirements exist. However, migrating APIs can introduce application compatibility and consistency-model considerations, as you observed.

As alternatives today, you can consider:

  • Using Managed Identity together with Key Vault for secure secret retrieval
  • Using Service Connector to simplify secret management and connection configuration
  • Continuing with Cassandra API if preserving Cassandra compatibility and consistency behavior is more important than native token-based authentication

References:

  • Azure Cosmos DB managed identities documentation
  • Service Connector for Cosmos Cassandra
  • Azure Cosmos DB Cassandra RBAC documentation

Thanks.

2 people found this answer helpful.
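
The Key Vault pattern listed in the answer above, as an added example that is not part of the original thread or Microsoft's own code: the application's managed identity reads the Cosmos DB key from Key Vault and hands it to the Cassandra driver in memory over a verified TLS session. It assumes the `azure-identity`, `azure-keyvault-secrets` and `cassandra-driver` packages; the function names and the account, vault and secret names are hypothetical placeholders.

```python
from __future__ import annotations

import ssl

COSMOS_CASSANDRA_PORT = 10350  # port of the Cosmos DB Cassandra endpoint


def cassandra_endpoint(account: str) -> tuple[str, int]:
    """Contact point for a Cosmos DB for Apache Cassandra account."""
    return f"{account}.cassandra.cosmos.azure.com", COSMOS_CASSANDRA_PORT


def tls_context() -> ssl.SSLContext:
    """TLS 1.2+ with certificate and hostname verification left enabled."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def fetch_key(vault_url: str, secret_name: str, client_id: str | None = None) -> str:
    """Read the Cosmos DB key from Key Vault with the app's managed identity."""
    from azure.identity import ManagedIdentityCredential
    from azure.keyvault.secrets import SecretClient

    # client_id=None selects the system-assigned identity; pass the client ID
    # of a user-assigned identity otherwise.
    credential = ManagedIdentityCredential(client_id=client_id)
    client = SecretClient(vault_url=vault_url, credential=credential)
    return client.get_secret(secret_name).value


def connect(account: str, vault_url: str, secret_name: str):
    """Open a CQL session; the key lives only in memory, never in config."""
    from cassandra.auth import PlainTextAuthProvider
    from cassandra.cluster import Cluster

    host, port = cassandra_endpoint(account)
    key = fetch_key(vault_url, secret_name)
    auth = PlainTextAuthProvider(username=account, password=key)
    # server_hostname pins certificate hostname checks to the account name.
    cluster = Cluster([host], port=port, auth_provider=auth,
                      ssl_context=tls_context(),
                      ssl_options={"server_hostname": host})
    return cluster.connect()


if __name__ == "__main__":
    # Placeholder names (assumptions); run on an Azure host whose identity
    # is allowed to read secrets from the vault.
    session = connect("example-account",
                      "https://example-vault.vault.azure.net",
                      "cosmos-cassandra-key")
    print(session.execute("SELECT release_version FROM system.local").one())
```

The key is still a shared secret on the CQL connection, so rotate it in Key Vault and restrict the identity to read access on that one secret.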

Answer accepted by question author

Sina Salam 30,486 Reputation points Volunteer Moderator
2026-05-16T15:11:27.3866667+00:00

Hello Shreyas Ketkar,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you are having challenges using Managed Identity for Cassandra.

The best practices say:

“Cassandra DB does not support managed identity, therefore you must migrate to native Cosmos DB” is not accurate for Azure Cosmos DB for Apache Cassandra based on current Microsoft documentation. Azure Cosmos DB for Apache Cassandra now has a documented Microsoft Entra ID/RBAC path with Cassandra-specific data-plane role definitions and role assignments. - https://learn.microsoft.com/en-us/azure/cosmos-db/cassandra/how-to-connect-role-based-access-control, https://learn.microsoft.com/en-us/azure/cosmos-db/cassandra/reference-data-plane-security, and https://learn.microsoft.com/en-us/cli/azure/cosmosdb/cassandra/role/assignment?view=azure-cli-latest

My best advice for you is to keep the Cassandra API account, enable the application’s managed identity, disable key-based authentication, assign the managed identity the correct Cosmos DB Cassandra data-plane role, and verify with az cosmosdb cassandra role assignment list. Migration to Cosmos DB NoSQL API should only be considered for application/platform reasons, not as the primary solution for managed identity.

I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.


Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.

1 person found this answer helpful.