CosmosDB blocking Managed Identity principal for readMetadata action- error : Request blocked by Auth cosmosDBTest : Request is blocked because principal [Actual Managed Identity Object Id] does not have required RBAC permissions to perform action [Micros

Question

Hi,

I am having CosmosDB and Managed Identity created in same resource group. I have added Reader, Contributor Roles from Managed Identity - Azure Roles Assignments from left panel of azure portal. But still I am getting following error:

Request blocked by Auth cosmosDBTest : Request is blocked because principal [Actual Managed Identity Object Id] does not have required RBAC permissions to perform action [Microsoft.DocumentDB/databaseAccounts/readMetadata] on resource.

Thanks!

Answer 1

@aditya kature Thank you for reaching gout.

There is restriction on RBAC using the CosmosClient Configure role-based access control with Microsoft Entra ID - Azure Cosmos Db | Microsoft Learn Create Database operations are not supported.

The actual metadata requests allowed by the Microsoft.DocumentDB/databaseAccounts/readMetadata action depend on the scope that the action is assigned to:

Expand table

ScopeRequests allowed by the actionAccount• Listing the databases under the account• For each database under the account, the allowed actions at the database scopeAccount• Listing the databases under the account • For each database under the account, the allowed actions at the database scopeDatabase• Reading database metadata • Listing the containers under the database • For each container under the database, the allowed actions at the container scopeContainer• Reading container metadata • Listing physical partitions under the container • Resolving the address of each physical partitionYou could create custom role definitions

When creating a custom role definition, you need to provide:

• The name of your Azure Cosmos DB account.
• The resource group containing your account.
• The type of the role definition: CustomRole.
• The name of the role definition.
• A list of actions that you want the role to allow.
• One or multiple scope(s) that the role definition can be assigned at; supported scopes are:
  • / (account-level),
    • /dbs/<database-name> (database-level),
      • /dbs/<database-name>/colls/<container-name> (container-level).

Note

The operations described are available in:

• Azure PowerShell: Az.CosmosDB version 1.2.0 or higher
• Azure CLI: version 2.24.0 or higher

Using Azure PowerShell

Create a role named MyReadOnlyRole that only contains read actions:

PowerShellCopy

$resourceGroupName = "<myResourceGroup>" $accountName = "<myCosmosAccount>" New-AzCosmosDBSqlRoleDefinition -AccountName $accountName ` -ResourceGroupName $resourceGroupName ` -Type CustomRole -RoleName MyReadOnlyRole ` -DataAction @( ` 'Microsoft.DocumentDB/databaseAccounts/readMetadata', 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read', ` 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeQuery', ` 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed') ` -AssignableScope "/"

Create a role named MyReadWriteRole that contains all actions:

PowerShellCopy

New-AzCosmosDBSqlRoleDefinition -AccountName $accountName ` -ResourceGroupName $resourceGroupName ` -Type CustomRole -RoleName MyReadWriteRole ` -DataAction @( ` 'Microsoft.DocumentDB/databaseAccounts/readMetadata', 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*', ` 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*') ` -AssignableScope "/"