Share via

[Cosmos DB] Randomly get unauthorized using primary password

Sungho Hong 1 Reputation point
2020-08-19T19:20:13.537+00:00

We've been receiving the unauthorized status upon connecting to the cosmos db when using primary read-only password, and this happens randomly. We also tried with the secondary password, the same issue is happening that it sometimes connects to the db or fails due to being unauthorized.

According to the exception:

The MAC signature found in the HTTP request is not the same as the computed signature.

Any help will be appreciated.

[Updated]

Thanks, @KalyanChanumolu-MSFT for comments. However Neither two scenarios are applicable to our environments. We have different services using the Cosmos DB via Cassandra APIs, and these unauthorized exceptions cause our services unable to start. Some automatically are restored after plenty of restarts for few hours, while some of them are still experiencing unauthorized exceptions.

According the exception, we are using SDK: Windows/10.0.14393 cosmos-netstandard-sdk/3.3.2. Currently, our db has been deployed to the east us 2 only.

I feel like this is related to https://learn.microsoft.com/en-us/azure/cosmos-db/troubleshoot-unauthorized#race-condition-with-create-container but it doesn't really state what the solution is.

We could try to do the key rotation, but it requires us to update the multiple deployments across different clusters which is very time consuming. Even after the key rotation, we really concern that the same issue might come back in the future where we need another key rotation.

According to the troubleshoot, the most common scenario of the unauthorized exceptions is the key not being properly rotated. I'm wondering how the cosmos interprets whether it's currently under the key rotation. Does it assume it's under the key rotation if the secondary key starts being used?

Azure Cosmos DB
Azure Cosmos DB
An Azure NoSQL database service for app development.
1,542 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. KalyanChanumolu-MSFT 8,316 Reputation points
    2020-08-20T05:41:49.267+00:00

    @Sungho Hong Welcome to the Microsoft Q&A forums.

    From previous issues and experience, this error usually occurs in 2 scenarios

    1. When the system clock time is different from the one returned by the error message. Resolution: Please check if the system clock time (the machine from where the request is being made) and the time in the exception message are significantly different and update the system time. This is a requirement even if you are using the CosmosDB emulator.
    2. When a Read-Only key is used for Write operations Resolution: Please check if there are any instances where a ReadOnly Cosmos client is being wrongly used to make a write operation.

    A few more scenarios are documented here

    If these scenarios do not apply to you, please post the SDK version you are using, the region your CosmosDb is deployed in along with a few activity id's (from the response headers) and we can troubleshoot further.

    ----------

    If an answer is helpful, please "Accept answer" or "Up-Vote" for the same which might be beneficial to other community members reading this thread.