Azure Bicep script to create role assignment in Azure Cosmos DB

Question

Azure Bicep script to create role assignment in Azure Cosmos DB

Shivaji Shitole 125

Hello,

We are creating Bicep script to provision of Azure Logic App. This logic app will connect to Azure Cosmos DB and create/update document data using upsert operation.

Logic app will create connection to Cosmos DB using Managed Identity connection option. System assigned managed identity will be used.

Logic app is created and system assigned identity is enabled using bicep script.

Cosmos DB "Cosmos DB Built-in Data Contributor" built in role will be used to allow upsert operation. https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#built-in-role-definitions

We are following below script for role assignment in cosmos db with below details:

resource symbolicname 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2021-10-15' = {
  name: 'string'
  parent: cosmosDB
  properties: {
    principalId: 'string'
    roleDefinitionId: 'string'
    scope: '/'
  }
}

Where principald is Logic app identity id.

We tried the below options to get the roleDefinitionId but it's failed:

Set roleDefinitionId as '/subscriptions/xxxx/resourceGroups/xxxx/providers/Microsoft.DocumentDB/databaseAccounts/xxxx/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002'
Used existing option to read roles:

resource symbolicname 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2023-04-15' existing= {

name: 'Cosmos DB Built-in Data Contributor'

}

Used existing option to read roles:

resource symbolicname 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2023-04-15' existing= {

name: '00000000-0000-0000-0000-000000000002'

}

Please guide or share the script to get the roleDefinitionId for built in "Cosmos DB Built-in Data Contributor" role

Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2023-06-03T03:43:55.5+00:00

Hi @Shivaji Shitole ,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept Answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Accepted answer

0 additional answers

Your answer

Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2023-06-03T03:43:55.5+00:00

Hi @Shivaji Shitole ,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept Answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Answer 1

VasimTamboli 5,215

To assign the "Cosmos DB Built-in Data Contributor" role to a Logic App's system-assigned managed identity in Azure Cosmos DB using an Azure Bicep script, you can follow these steps:

Retrieve the roleDefinitionId for the "Cosmos DB Built-in Data Contributor" role. You can use the Azure CLI or Azure PowerShell to get the role definition ID.

Using Azure CLI:

Bash

az cosmosdb sql role definition list --account-name <cosmos-db-account-name> --resource-group <resource-group-name> --query "[?roleName=='Cosmos DB Built-in Data Contributor'].id | [0]"

Using Azure PowerShell:

(Get-AzRoleDefinition | Where-Object {$_.Name -eq "Cosmos DB Built-in Data Contributor"}).Id

Once you have the roleDefinitionId, you can use it in your Bicep script to create the role assignment:

Bicep

resource cosmosDBRoleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2021-10-15' = {
  name: 'cosmosDBRoleAssignment'
  parent: cosmosDB
  properties: {
    principalId: '<logic-app-system-assigned-identity-object-id>'
    roleDefinitionId: '<role-definition-id>'
    scope: '/'
  }
}


Replace 
Make sure you have the necessary permissions to create role assignments in Azure Cosmos DB.

Shivaji Shitole 125

Thanks Vasim. This helps me to assign the role in cosmos Db using Bicep script.

Now, I am facing different challenge in below scripts. It is used to create logic app and once it is created, immediately calling next module to assign the role.

When this runs first time, following error message is coming:

"message": "The provided principal ID [XXXXX] was not found in the AAD tenant(s) [XXXXX] which are associated with the customer's subscription.\r\nActivityId: XXXXXX, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0"

If same script run second time, then it works as expected. Looks like, Logic app managed principal id cannot be used or not ready to use immediately.

//logicApp.bicep

//Create Logic App 
resource logicApp 'Microsoft.Logic/workflows@2019-05-01' = {
  name: resourceName
  location: location
  tags: applicationTags
  dependsOn: [ logicAppApiConnection ]
  identity: {
    type: 'SystemAssigned'
  }
 properties: {
    state: 'Enabled'
	 definition: {
	 ......
	 
	 
	 
	 ......
	 }
	 parameters: {
      '$connections': {
        value: {
          documentdb_1: {
            connectionId: logicAppApiConnection.id
            connectionName: cosmosDocumentDbConnetcionName
            connectionProperties: {
              authentication: {
                type: 'ManagedServiceIdentity'
              }
            }
            id: logicAppApiConnection.properties.api.id
          }
        }
      }
    }
  }
 }


//Assigne role in cosmos db
module comosDbRoleAssignment 'cosmosDbRoleAssignment.bicep' = {
  name: 'cosmosDbRoleAssignmentForShareprice'
  dependsOn:[logicApp]
  params: {
    cosmosDbAccountName: cosmosDbAccountName
    principalId: 
logicApp.identity.principalId
  
   roleId:'00000000-0000-0000-0000-000000000002'
  }
}

//cosmosDbRoleAssignment.bicep

param cosmosDbAccountName string
param principalId string
param roleId string
 
resource cosmosDbAccount 'Microsoft.DocumentDB/databaseAccounts@2021-03-15' existing = {
  name: cosmosDbAccountName
}

//Assign the role
 resource cosmosDBRoleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2021-10-15' = {
  name:  guid(resourceGroup().id, principalId)
  parent: cosmosDbAccount
  properties: {
    principalId: principalId    
    roleDefinitionId: '/subscriptions/${subscription().subscriptionId}/resourceGroups/${resourceGroup().name}/providers/Microsoft.DocumentDB/databaseAccounts/${cosmosDbAccount.name}/sqlRoleDefinitions/${roleId}'
    scope: cosmosDbAccount.id
  }
}

When this runs first time, following error message is coming:

"message": "The provided principal ID [XXXXX] was not found in the AAD tenant(s) [XXXXX] which are associated with the customer's subscription.\r\nActivityId: XXXXXX, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0"

If same script run second time, then it works as expected. Looks like, Logic app managed principal id cannot be used or not ready to use immediately.

Do you suggest any way to overcome this issue?

Thanks in advance.

Share via

Azure Bicep script to create role assignment in Azure Cosmos DB

0 additional answers

Your answer