Azure Cosmos DB
An Azure NoSQL database service for app development.
1,680 questions
Trouble Assigning Cosmos DB Operator Role to User-Assigned Managed Identity via ARM Template
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 99%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDD%3C/text%3E%3C/svg%3E)
Djordje Djukic (AKVELON INC)
0
Reputation points Microsoft Vendor
Hi Azure Community,
I'm currently working on assigning the Cosmos DB Operator role to a user-assigned managed identity using an ARM template. Despite following the documentation, I'm encountering a "not found" error, and I'm not sure what I'm doing wrong.
Thanks in advance.
{
"type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments",
"apiVersion": "2021-05-15",
"name": "[concat(variables('cosmosDbAccountName'), '/', guid('roleAssignment1', 'data'))]",,
"dependsOn": [
"[concat('Microsoft.DocumentDB/databaseAccounts/', variables('cosmosDbAccountName'))]",
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName'))]"
],
"properties": {
"roleDefinitionId": "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions', variables('cosmosDbAccountName'), '230815da-be43-4aae-9cb4-875f7bd000aa')]",
"principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName'))).PrincipalId]",
"scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts', variables('cosmosDbAccountName'))]"
}
}
{count} votes
-
Oury Ba-MSFT 19,571 Reputation points Microsoft Employee2024-06-07T23:35:34.7466667+00:00 @Djordje Djukic (AKVELON INC) Thank you for reaching out.
To address this scenario, you should set the
principalTypeproperty toServicePrincipalwhen creating the role assignment. You must also set theapiVersionof the role assignment to2018-09-01-previewor later.2022-04-01is the first stable version.The following template demonstrates:
- How to create a new managed identity service principal
- How to specify the
principalType - How to assign the Contributor role to that service principal at a resource group scope
To use the template, you must specify the following inputs:
The base name of the managed identity, or you can use the default stringIf you create a new service principal and immediately try to assign a role to that service principal, that role assignment can fail in some cases. For example, if you create a new managed identity and then try to assign a role to that service principal in the same Azure Resource Manager template, the role assignment might fail. The reason for this failure is likely a replication delay. The service principal is created in one region; however, the role assignment might occur in a different region that hasn't replicated the service principal yet.
To address this scenario, you should set the
principalTypeproperty toServicePrincipalwhen creating the role assignment. You must also set theapiVersionof the role assignment to2018-09-01-previewor later.2022-04-01is the first stable version.Please see example https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-template#new-service-principal
-
Oury Ba-MSFT 19,571 Reputation points Microsoft Employee
2024-07-18T22:44:13.7566667+00:00 @Djordje Djukic (AKVELON INC) I haven't not heard back from you since my last comment above. Could you please share the status of the issue.
Regards,
Oury
Sign in to comment
Sign in to answer