Missing Cosmos DB Built-in Data Reader and Cosmos DB Built-in Data Contributor roles in Access Control (IAM)

Jacek Przezdziecki (ext) 20 Reputation points
2023-02-01T15:31:32.8+00:00

I'm trying to assign roles to managed identity in Cosmos DB, through browser using Access Control (IAM).

Unfortunately two build in roles Cosmos DB Built-in Data Reader and Cosmos DB Built-in Data Contributor are not there.

How can I add managed identity in this roles in Cosmos DB through browser?

Microsoft Identity Manager
Microsoft Identity Manager
A family of Microsoft products that manage a user's digital identity using identity synchronization, certificate management, and user provisioning.
716 questions
Azure Cosmos DB
Azure Cosmos DB
An Azure NoSQL database service for app development.
1,691 questions
Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
838 questions
0 comments No comments
{count} votes

4 answers

Sort by: Most helpful
  1. Vishesh Sanghvi 10 Reputation points
    2024-03-06T18:27:55.2166667+00:00

    If the built-in roles "Cosmos DB Built-in Data Reader" and "Cosmos DB Built-in Data Contributor" are not available in the Azure portal's Access Control (IAM) blade for Cosmos DB, it's likely because these roles were not present in your subscription when it was created or because your subscription might not have the necessary permissions to assign these roles.

    However, you can still assign custom roles to the managed identity in Cosmos DB. Here's how you can do it through the Azure portal:

    1. Navigate to your Cosmos DB account in the Azure portal.
    2. Click on "Access Control (IAM)" in the left-hand menu.
    3. Click on the "+ Add" button at the top of the "Role assignments" tab.
    4. In the "Add role assignment" panel, select the "Role" dropdown and choose "Add custom role".
    5. Create a custom role that aligns with the permissions you want to assign to the managed identity. You can define the permissions using JSON definition or select from existing roles and customize them.
    6. Once you've defined the custom role, select the appropriate managed identity from the "Select" dropdown.
    7. Click "Save" to assign the custom role to the managed identity.

    Make sure that the custom role you define includes the necessary permissions for data reading or contribution based on your requirements.

    Keep in mind that assigning custom roles may require sufficient permissions in your subscription and may also involve understanding the specific permissions needed for Cosmos DB data operations.

    2 people found this answer helpful.
    0 comments No comments

  2. Charles Bernard 5 Reputation points Microsoft Employee
    2023-02-10T04:38:12.43+00:00

    You can assign the role to your SP, MI, Account using Azure PowerShell or Azure CLI as follow:

    For example, assigning the Cosmos DB Built-in Data Contributor to my ADF's system MI

    az cosmosdb sql role assignment create --account-name comos-db-no-sql --resource-group comsos-db-rg --scope "/" --principal-id xxxxx --role-definition-id /subscriptions/xxxxx/resourceGroups/comsos-db-rg/providers/Microsoft.DocumentDB/databaseAccounts/comos-db-no-sql/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002

    1 person found this answer helpful.

  3. GeethaThatipatri-MSFT 29,482 Reputation points Microsoft Employee
    2023-02-01T22:51:38.8233333+00:00

    Hi, @Jacek Przezdziecki (ext) Welcome to the Microsoft Q&A platform, thanks for posting the question

    You try checking from the CLi command and list the role, you can refer to this document for more information

    you can refer to this blog on how to add RBAC using Managed identity,

    User's image

    Please let me know if you are looking for any additional information.

    Regards

    Geetha


  4. Jacek Przezdziecki (ext) 20 Reputation points
    2023-02-02T16:30:45.4766667+00:00

    Awesome, but how to assign user to this role through UI?


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.