This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 96%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
I am working on Azure functions with .net 5 and isolated mode which talks to CosmosDB and update data. I tried this from docs and I get below error.
Response status code does not indicate success: Forbidden (403); Substatus: 5301; ActivityId: 357bf25e-f0c9-4d3d-ac56-80eed3f247f4; Reason: (Request blocked by Auth testmafadb : Request is blocked because principal [4345d457-c7cf-4c5a-8ca2-d3e9a5a69869] does not have required RBAC permissions to perform action [Microsoft.DocumentDB/databaseAccounts/readMetadata] on resource [/].
@Dinesh Could you confirm your managed identity is assigned the DocumentDB Account Contributor Role? Also, it could take up to 30 minutes for role assignments to take effect.
Hello @Pramod Valavala , thanks for responding.
Yes I have assigned the DocumentDB account contributor role, still get the same error.
I am using Azure.Identity.DefaultAzureCredential to pass to cosmosclient constructor. Please let me know if I am missing any step.
Also, when I tried to create a custom role and I couldn't find the permission 'Microsoft.DocumentDB/databaseAccounts/readMetadata'. Is this
PS: I am trying to read data from the cosmos container.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 52%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED6%3C/text%3E%3C/svg%3E)
Did you ever get this resolved? I'm running into the same problem now.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 40%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJC%3C/text%3E%3C/svg%3E)
Same problem here...
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 8%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECB%3C/text%3E%3C/svg%3E)
Exact same problem
We figured out our problem. The DocumentDB Account Contributer role is not the correct role for SDK access. The roles necessary are "Cosmos DB Built-in Data Reader" and "Cosmos DB Built-in Data Contributor". They cannot be assigned from the UI. See https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac for the details.