RBAC permission issue while accessing cosmos db using managed identity

Question

RBAC permission issue while accessing cosmos db using managed identity

siddharth bansal 346

I want to read/write data in Cosmos DB from azure function, added code in azure functions(c#) to access cosmos db using managed identity ,role for azure function in Cosmos db is Document db Account Contributor & Cosmos DB Account Reader role & As per the microsoft document ,readmetadata is included in Data Contributor role but still getting below error :

Response status code does not indicate success: Forbidden (403); Substatus: 5301; ActivityId:<>; Reason: (Request blocked by Auth

2 answers

Your answer

Answer 1

TP 117.2K

Hi Siddharth,

Please confirm that you have assigned Cosmos DB Built-in Data contributor to the managed identity using New-AzCosmosDBSqlRoleAssignment or az cosmosdb sql role assignment create . For example, you would use command similar to below :

New-AzCosmosDBSqlRoleAssignment -AccountName my-cosmosdb -ResourceGroupName cosmos-rg -RoleDefinitionId 00000000-0000-0000-0000-000000000002 -Scope "/" -PrincipalId "<object (principal) ID of managed identity>"

For reference, please see articles below:

Configure role-based access control with Azure Active Directory for your Azure Cosmos DB account

https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac

https://learn.microsoft.com/en-us/powershell/module/az.cosmosdb/new-azcosmosdbsqlroleassignment

Thanks.

-TP

TP 117.2K Reputation points

2023-06-29T14:06:07.7833333+00:00

@siddharth bansal Any updates?
siddharth bansal 346 Reputation points

2023-06-30T04:03:51.7633333+00:00

Hi,
i have used Access Control(IAM) blade to assign DocumentDB Account Contributor role

Answer 2

Ryan Hill 30,181 Microsoft Employee

Hi @siddharth bansal

The readMetadata is not included on those roles. This document actually walks you through creating a custom role for that permission and assigning it to your managed identity.

Create a role definition JSON file to create and the definition and role; then assign this role to your managed identity.

{
    "RoleName": "Read Azure Cosmos DB Metadata",
    "Type": "CustomRole",
    "AssignableScopes": ["/"],
    "Permissions": [{
        "DataActions": [
            "Microsoft.DocumentDB/databaseAccounts/readMetadata"
        ]
    }]
}

az cosmosdb sql role definition create --resource-group $resourceGroupName --account-name $cosmosName --body @definition.json

az cosmosdb sql role assignment create --resource-group $resourceGroupName --account-name $cosmosName --role-definition-name "Read Azure Cosmos DB Metadata" --principal-id $principal --scope $scope

Jake Hall 0 Reputation points

2024-06-02T06:17:30.89+00:00
Below is the JSON DocumentDB Account Contributor. It (looks like it) has a wildcard which should be able to preform all Microsoft.DocumentDb/databaseAccounts actions.

Microsoft.DocumentDb/databaseAccounts/*

I am facing similar problems with this. Why do I need to create a customer role when it the UI appears to give me the ability to assign roles on there

{

"assignableScopes": [

"/"

],

"description": "Lets you manage DocumentDB accounts, but not access to them.",

"id": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450",

"name": "5bd9cd88-fe45-4216-938b-f97437e15450",

"permissions": [

{ "actions": [ "Microsoft.Authorization/*/read", "Microsoft.DocumentDb/databaseAccounts/*", "Microsoft.Insights/alertRules/*", "Microsoft.ResourceHealth/availabilityStatuses/read", "Microsoft.Resources/deployments/*", "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Support/*", "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action" ], "notActions": [], "dataActions": [], "notDataActions": [] }

],

"roleName": "DocumentDB Account Contributor",

"roleType": "BuiltInRole",

"type": "Microsoft.Authorization/roleDefinitions"

}

Share via

RBAC permission issue while accessing cosmos db using managed identity

2 answers

Your answer