Connecting Logic App Workflow to Cosmos DB to load data

Sharon 60 Reputation points
2023-11-10T22:47:26.7733333+00:00

Hi Team,

This question is a follow-up to https://learn.microsoft.com/en-us/answers/questions/1419371/how-to-load-security-resources-in-kql-resource-gra. The current progress is that we set up a workflow in Logic App to load the security recommendations from KQL into Cosmos DB, but we are blocked when setting up the connection with Cosmos DB in the workflow, with an error message saying "Forbidden, because the principal does not have the RBAC to perform action".

We tried to add the RBAC to the Cosmos DB by following https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#permission-model, which is shared in the above error message; however, when we try to add the built-in roles recommended on the page ('Cosmos DB Built-in Data Reader' and 'Cosmos DB Built-in Data Contributor'), neither of them is populated when setting up the RBAC for Cosmos DB. We tried using privileged roles, but it is still not working.

Can the team let us know how to get through this? It looks like we are so close to loading the security recommendations out but are still blocked by the last step. It would be great if we could learn some insights from this!


Accepted answer
  1. Konstantinos Passadis 19,586 Reputation points MVP
    2023-11-10T23:00:27.4466667+00:00

    Hello @Sharon !

    So if you have followed the instructions, are the created roles listed using the following:

    List the role definitions you've created to fetch their IDs:

    Azure CLI

    az cosmosdb sql role definition list --account-name $accountName --resource-group $resourceGroupName

    If these are listed you just need to assign them by creating Role Assignments:

    Create role assignments

    You can associate built-in or custom role definitions with your Microsoft Entra identities. When creating a role assignment, you need to provide:

    The name of your Azure Cosmos DB account.

    The resource group containing your account.

    The ID of the role definition to assign.

    The principal ID of the identity that the role definition should be assigned to.

    The scope of the role assignment; supported scopes are:

    • / (account-level)
    • /dbs/<database-name> (database-level)
    • /dbs/<database-name>/colls/<container-name> (container-level)

    The scope must match or be a subscope of one of the role definition's assignable scopes.

    Note

    If you want to create a role assignment for a service principal, make sure to use its Object ID as found in the Enterprise applications section of the Microsoft Entra ID portal blade.

    Note

    The operations described are available in:

    The rest is on the same link you have posted

    I recommend paying attention to the details, as the process needs careful execution of the code.

    If possible, list the steps you are following!


    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards


1 additional answer

  1. Konstantinos Passadis 19,586 Reputation points MVP
    2023-11-11T14:19:49.4933333+00:00

    Hello @Sharon !

    Please verify:

    Activate System Managed Identity on Azure Logic Apps

    Assign to the identity of Logic Apps the role of Cosmos DB Built-in Data Contributor, following the instructions in the link

    https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#permission-model

    Only via Az CLI or PowerShell

    You have to create a Built-in Role Assignment for the Logic Apps identity


    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards
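The CLI path both answers point to, written out as an added example (not code from the thread or from Microsoft): it reads the Logic App's system-assigned identity principal ID, creates the Cosmos DB data-plane role assignment that the portal IAM blade does not offer, and lists what the identity holds afterwards. Resource names are constructed placeholders; it assumes the system-assigned identity is already enabled on the Logic App, `az login` has been done, and the two built-in role definition GUIDs below are the well-known Cosmos DB for NoSQL ones.

```shell
: "${RG:=my-resource-group}"          # resource group of both resources (placeholder)
: "${ACCOUNT:=my-cosmos-account}"     # Cosmos DB for NoSQL account name (placeholder)
: "${LOGIC_APP:=my-logic-app}"        # Consumption Logic App name (placeholder)

# Well-known IDs of the two built-in data-plane role definitions.
DATA_READER_ROLE_ID="00000000-0000-0000-0000-000000000001"
DATA_CONTRIBUTOR_ROLE_ID="00000000-0000-0000-0000-000000000002"

# Build an assignment scope: "/" (account), "/dbs/<db>" or "/dbs/<db>/colls/<container>".
# Least privilege: scope to the database or container the workflow actually writes to.
cosmos_scope() {
  local db="${1:-}" coll="${2:-}" scope="/"
  if [ -z "$db" ] && [ -n "$coll" ]; then
    echo "container scope requires a database name" >&2
    return 1
  fi
  if [ -n "$db" ]; then scope="/dbs/$db"; fi
  if [ -n "$coll" ]; then scope="$scope/colls/$coll"; fi
  printf '%s\n' "$scope"
}

# Object (principal) ID of the Logic App's system-assigned identity (enable it first).
logic_app_principal_id() {
  az resource show --resource-group "$RG" --name "$LOGIC_APP" \
    --resource-type "Microsoft.Logic/workflows" \
    --query "identity.principalId" -o tsv
}

# Data-plane role assignment; this is the step the portal IAM blade does not expose.
assign_cosmos_role() {
  local principal_id="$1" role_id="$2" scope="$3"
  az cosmosdb sql role assignment create \
    --account-name "$ACCOUNT" --resource-group "$RG" \
    --principal-id "$principal_id" --role-definition-id "$role_id" --scope "$scope"
}

# Show what the identity now holds, so a "Forbidden" can be checked against reality.
show_assignments_for() {
  az cosmosdb sql role assignment list --account-name "$ACCOUNT" --resource-group "$RG" \
    --query "[?principalId=='$1'].{role:roleDefinitionId,scope:scope}" -o table
}

# Only act when invoked as: DB=securitydb bash assign-cosmos-rbac.sh apply
if [ "${1:-}" = "apply" ]; then
  pid="$(logic_app_principal_id)"
  assign_cosmos_role "$pid" "$DATA_CONTRIBUTOR_ROLE_ID" "$(cosmos_scope "${DB:-}" "${COLL:-}")"
  show_assignments_for "$pid"
fi
```

Use `DATA_READER_ROLE_ID` instead if the workflow only reads; leaving `DB` and `COLL` unset assigns at account scope, which is broader than a single container needs.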

