Trouble reading Cosmos DB account without key-based authentication

AJAY RAWAT 45 Reputation points Microsoft Employee
2024-05-06T06:16:56.0033333+00:00

I recently disabled local auth (key-based authentication) on my Cosmos DB account. Now I am not able to access it, either through Data Explorer or through https://cosmos.azure.com/?feature.enableAadDataPlane=true. I am getting this error: principal does not have required RBAC permissions to perform action [Microsoft.DocumentDB/databaseAccounts/readMetadata]. I have already assigned myself the Owner, Reader, Cosmos DB Account Reader Role and DocumentDB Account Contributor roles. Can you please share how to add the necessary permissions? I do not see a built-in role for data actions through the portal.


Accepted answer
  1. Deepanshukatara-6769 10,690 Reputation points
    2024-05-06T06:32:44.4166667+00:00

    Hi Ajay,

    Thanks for the question and using MS Q&A platform.

    As per the error message, your principal [xxxxxxxxxx] does not have the required RBAC permissions to perform the action [Microsoft.DocumentDB/databaseAccounts/readMetadata] on the resource, which means it does not have the proper permission to read metadata.

    Grant the service principal the proper permission. More specifically, create a role definition and assign the role to the service principal via the service principal's object ID.

    To resolve this issue, you need the roles "Cosmos DB Built-in Data Reader" and "Cosmos DB Built-in Data Contributor" created and assigned to the service principal.

    Azure Cosmos DB exposes two built-in role definitions:

    [image: table of the two built-in role definitions, Cosmos DB Built-in Data Reader and Cosmos DB Built-in Data Contributor]

    For more details, refer to Configure role-based access control with Azure Active Directory for your Azure Cosmos DB account.

    Hope this will help. Please let us know if any further queries.


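The accepted answer's procedure (create or pick a data-plane role definition, assign it to the principal's object ID, confirm it took effect), as an added example that is not code from the original answer. The point it makes concrete is that Owner, Reader and DocumentDB Account Contributor are control-plane roles and carry no data actions, so readMetadata stays denied until a Cosmos DB data-plane role is assigned with `az cosmosdb sql role assignment create` (not `az role assignment create`). The built-in role GUIDs, the data action names and the scope format are real; the subscription, resource group, account name, principal ID and the sample listing are constructed for the example, and the Azure CLI is assumed to be installed and logged in. With the default `dry_run=True` nothing is executed.

```python
"""Grant a user, group or service principal a Cosmos DB data-plane role after
key-based auth has been disabled, then verify the assignment.
Added example, not code from the original answer. Control-plane roles such as
Owner, Reader and DocumentDB Account Contributor carry no data actions, so
readMetadata is still denied; data-plane roles are per-account sqlRoleDefinitions
managed with `az cosmosdb sql role ...`, not `az role assignment`. Assumes the
Azure CLI is installed and logged in; with dry_run=True nothing is executed."""
import json
import subprocess

# GUIDs of the two built-in data-plane role definitions; the same in every account.
BUILTIN_DATA_READER = "00000000-0000-0000-0000-000000000001"
BUILTIN_DATA_CONTRIBUTOR = "00000000-0000-0000-0000-000000000002"
READ_METADATA = "Microsoft.DocumentDB/databaseAccounts/readMetadata"


def account_scope(subscription_id, resource_group, account):
    """ARM resource ID of the account; assignments at this scope cover every database."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.DocumentDB/databaseAccounts/{account}")


def read_only_role_definition(name, scope):
    """Body for `az cosmosdb sql role definition create --body @file.json`: a custom
    role that can read metadata and items but not write or delete. Use this when
    Built-in Data Contributor would be more than the identity needs."""
    return {
        "RoleName": name,
        "Type": "CustomRole",
        "AssignableScopes": [scope],
        "Permissions": [{"DataActions": [
            READ_METADATA,
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeQuery",
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed",
        ]}],
    }


def assignment_argv(resource_group, account, scope, principal_id, role_definition_id):
    """Azure CLI invocation that creates the data-plane assignment; principal_id is the
    Entra object ID of the user, group or service principal, not an app (client) ID."""
    return ["az", "cosmosdb", "sql", "role", "assignment", "create",
            "--resource-group", resource_group, "--account-name", account,
            "--scope", scope, "--principal-id", principal_id,
            "--role-definition-id", role_definition_id]


def _covers(assigned_scope, requested_scope):
    """An assignment covers its own scope and every resource nested under it."""
    a, r = assigned_scope.lower(), requested_scope.lower()
    return r == a or r.startswith(a + "/")


def has_assignment(list_output, principal_id, role_definition_guid, scope):
    """Check `az cosmosdb sql role assignment list` JSON for the principal holding the
    role at the requested scope or an enclosing one. Run this before blaming the
    portal: it has no UI for these assignments."""
    for a in json.loads(list_output):
        if (a["principalId"].lower() == principal_id.lower()
                and a["roleDefinitionId"].lower().endswith("/" + role_definition_guid.lower())
                and _covers(a["scope"], scope)):
            return True
    return False


def grant_data_role(subscription_id, resource_group, account, principal_id,
                    role_definition_id=BUILTIN_DATA_READER, dry_run=True):
    """Create the assignment and confirm it is listed; returns the argv used."""
    scope = account_scope(subscription_id, resource_group, account)
    argv = assignment_argv(resource_group, account, scope, principal_id, role_definition_id)
    if dry_run:
        return argv
    subprocess.run(argv, check=True, capture_output=True, text=True)
    listing = subprocess.run(
        ["az", "cosmosdb", "sql", "role", "assignment", "list",
         "--resource-group", resource_group, "--account-name", account],
        check=True, capture_output=True, text=True).stdout
    if not has_assignment(listing, principal_id, role_definition_id, scope):
        raise RuntimeError("assignment created but not listed; re-check the principal object ID")
    return argv


# Constructed sample of `az cosmosdb sql role assignment list` output (not captured).
DEMO_SCOPE = account_scope("00000000-1111-2222-3333-444444444444", "rg-demo", "cosmos-demo")
SAMPLE_LISTING = json.dumps([{
    "id": DEMO_SCOPE + "/sqlRoleAssignments/11111111-2222-3333-4444-555555555555",
    "principalId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "roleDefinitionId": DEMO_SCOPE + "/sqlRoleDefinitions/" + BUILTIN_DATA_READER,
    "scope": DEMO_SCOPE,
}])

if __name__ == "__main__":
    print(" ".join(grant_data_role("00000000-1111-2222-3333-444444444444", "rg-demo",
                                   "cosmos-demo", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")))
    print(json.dumps(read_only_role_definition("cosmos-read-only", DEMO_SCOPE), indent=2))
```

Start with Built-in Data Reader unless the identity has to write; the read-only custom definition is for the case where even the built-in reader is wider than needed. After the assignment, `az cosmosdb show --name <account> --resource-group <rg> --query disableLocalAuth` should still return `true`, so the fix is a role grant and not a quiet re-enabling of keys.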
1 additional answer

  1. ShaktiSingh-MSFT 15,611 Reputation points
    2024-05-06T08:32:08.1633333+00:00

    Hi AJAY RAWAT,

    Welcome to Microsoft Q&A forum.

    As I understand, you are having trouble reading Azure Cosmos DB account without Key Based auth.

    Could you please confirm if you are using NoSQL Account?

    You cannot use any Azure Cosmos DB data plane SDK to authenticate management operations with a Microsoft Entra identity. Instead, you must use Azure role-based access control through one of the following options:

    Read Database and Read Container are considered metadata requests.

    To use the Azure Cosmos DB role-based access control in your application, you have to update the way you initialize the Azure Cosmos DB SDK. Instead of passing your account's primary key, you have to pass an instance of a TokenCredential class. This instance provides the Azure Cosmos DB SDK with the context required to fetch a Microsoft Entra token on behalf of the identity you wish to use.

    The way you create a TokenCredential instance is beyond the scope of this article. There are many ways to create such an instance depending on the type of Microsoft Entra identity you want to use (user principal, service principal, group etc.). Most importantly, your TokenCredential instance must resolve to the identity (principal ID) that you've assigned your roles to. You can find examples of creating a TokenCredential class:

    For more details refer: https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac

    NOTE:

    As of now, only the NoSQL API is supported.

    Azure portal support for role management isn't available yet.

    The .NET V3, Java V4, JavaScript V3 and Python V4.3+ SDKs are currently supported.

    Hope this helps. Let us know if you have queries.

    Thanks


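The SDK side of the answer above (initialise the client with a TokenCredential instead of the primary key, and tell a missing data-plane role apart from other 403s), as an added example that is not code from the original answer. It assumes the azure-cosmos (4.3+) and azure-identity packages, an account endpoint, and that the identity DefaultAzureCredential resolves to already holds a data-plane role on the account; the SDK imports are made inside the function so the error-classifying helpers run without the packages installed. The error text is constructed after the message quoted in the question, not a captured log.

```python
"""Data-plane access to a Cosmos DB for NoSQL account with local (key) auth disabled,
authenticating with a Microsoft Entra token instead of the account key.
Added example; not code from the original answer. Assumes the azure-cosmos (4.3+)
and azure-identity packages, an account endpoint, and that the identity resolved by
DefaultAzureCredential already holds a Cosmos DB data-plane role on the account."""
import re

# The action Cosmos DB names when an identity has only control-plane roles
# (Owner, Reader, DocumentDB Account Contributor) and no data-plane role.
READ_METADATA_ACTION = "Microsoft.DocumentDB/databaseAccounts/readMetadata"
_RBAC_DENIAL = "does not have required RBAC permissions"
_ACTION_RE = re.compile(r"perform action \[([^\]]+)\]")


def missing_data_action(status_code, message):
    """Return the data action a 403 complains about, or None when the failure is not
    a missing data-plane role. A 403 from the account firewall or a private-endpoint
    policy has a different message and must not be answered by handing out roles."""
    if status_code != 403 or _RBAC_DENIAL not in message:
        return None
    match = _ACTION_RE.search(message)
    return match.group(1) if match else None


def suggested_fix(action):
    """Map the denied action to the narrowest built-in role that grants it."""
    read_only = (action == READ_METADATA_ACTION
                 or action.endswith("/items/read")
                 or action.endswith("/executeQuery")
                 or action.endswith("/readChangeFeed"))
    return ("Cosmos DB Built-in Data Reader (00000000-0000-0000-0000-000000000001)" if read_only
            else "Cosmos DB Built-in Data Contributor (00000000-0000-0000-0000-000000000002)")


def read_item_with_entra(endpoint, database, container, item_id, partition_key):
    """Point-read one item using a TokenCredential instead of the primary key.
    The SDK is imported here so the helpers above work without it installed."""
    from azure.identity import DefaultAzureCredential
    from azure.cosmos import CosmosClient, exceptions

    # Passing a TokenCredential is what switches the SDK to Entra tokens; the
    # primary key is never read, so disableLocalAuth can stay on.
    client = CosmosClient(endpoint, credential=DefaultAzureCredential())
    try:
        # The SDK fetches container properties before the first item operation,
        # which is a metadata request: this is where readMetadata is enforced,
        # even though the caller only asked for a point read.
        ctr = client.get_database_client(database).get_container_client(container)
        return ctr.read_item(item=item_id, partition_key=partition_key)
    except exceptions.CosmosHttpResponseError as err:
        action = missing_data_action(err.status_code, str(err))
        if action is None:
            raise
        raise PermissionError(
            f"identity lacks the data action {action}; assign {suggested_fix(action)} "
            f"at the account scope with `az cosmosdb sql role assignment create`") from err


# Constructed sample of the error text quoted in the question (not a captured log).
SAMPLE_DENIAL = ("Request blocked by Auth cosmos-demo : Request is blocked because principal "
                 "[aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee] does not have required RBAC permissions "
                 "to perform action [Microsoft.DocumentDB/databaseAccounts/readMetadata] on resource [/].")

if __name__ == "__main__":
    denied = missing_data_action(403, SAMPLE_DENIAL)
    print(denied, "->", suggested_fix(denied))
```

The important distinction is that `missing_data_action` only reacts to the RBAC-denial message shape; a 403 caused by the account firewall or a private endpoint is a different problem, and granting a data-plane role in response to it would widen access without fixing anything.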