Which role has the "Microsoft.DocumentDB/databaseAccounts/readMetadata" permission? This RBAC permission is required for a managed identity to access Cosmos DB

Pramita Dhakal 20 Reputation points Microsoft Employee
2024-05-21T16:19:06.5133333+00:00

I've attempted to establish a connection to Cosmos DB from an Azure function using a user-managed identity. However, I've encountered difficulties, as I couldn't find a role that grants the required permission Microsoft.DocumentDB/databaseAccounts/readMetadata.

I've attempted assigning various roles, including Owner, Contributor, Cosmos DB Account Reader Role, and Cosmos DB Account Contributor Role, but none of these seem to include the aforementioned permission or allow the connection to be established.

Here is the code snippet I've been using to connect:

```csharp
using System;
using Azure.Identity;              // DefaultAzureCredential, DefaultAzureCredentialOptions
using Microsoft.Azure.Cosmos;      // CosmosClient

var clientId = "****";                                    // client id of the user-assigned managed identity
var cosmosDbEndpoint = new Uri("https://****:443/");      // Cosmos DB account endpoint
// Tell DefaultAzureCredential which user-assigned identity to use on the function app
var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = clientId });
// Token-based (Entra ID) authentication: governed by Cosmos DB data-plane RBAC, not account keys
var cosmosClient = new CosmosClient(cosmosDbEndpoint.ToString(), credential);
```


Accepted answer
  1. Oury Ba-MSFT 17,156 Reputation points Microsoft Employee
    2024-05-31T19:11:43.6+00:00

    @Pramita Dhakal Thank you for reaching out.

    It seems you're having trouble connecting to Cosmos DB from an Azure function using a user-managed identity. There is a restriction on RBAC when using the CosmosClient (see "Configure role-based access control with Microsoft Entra ID - Azure Cosmos DB | Microsoft Learn"): Create Database operations are not supported. This permission model covers only database operations that involve reading and writing data. It does not cover any kind of management operations on management resources, including:

    • Create/Replace/Delete Database
    • Create/Replace/Delete Container
    • Read/Replace Container Throughput
    • Create/Replace/Delete/Read Stored Procedures
    • Create/Replace/Delete/Read Triggers
    • Create/Replace/Delete/Read User Defined Functions

    Regards,

    Oury


1 additional answer

  1. Babafemi Bulugbe 2,755 Reputation points MVP
    2024-05-21T17:25:30.0733333+00:00

    Hello Pramita Dhakal,

    Thank you for posting your question in the Microsoft Q&A Community.

    From my understanding, the managed identity attached to your Azure Functions doesn't have the necessary permission on the Cosmos DB account.

    To resolve this, you need to create a custom role with the required permission (Microsoft.DocumentDB/databaseAccounts/readMetadata) for this purpose. Alternatively, use the "Cosmos DB Built-in Data Reader" and "Cosmos DB Built-in Data Contributor" roles and assign them to the managed identity.


    Get more information about these roles by following this link:

    https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#built-in-role-definitions

    Follow this link to get more information on how to create a custom role: https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles-portal

    You can also create these roles using PowerShell by following the steps here:

    https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#role-assignments


    Let me know if further assistance is needed.

    Babafemi

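The procedure both answers describe (a Cosmos DB data-plane role, not an Azure RBAC role such as Owner, assigned to the function app's managed identity), as an added PowerShell example that is not from either answer or from Microsoft's documentation. Resource group, account, identity and custom role names are placeholders; the two built-in role ids are the documented ids of the Cosmos DB Built-in Data Reader and Data Contributor roles; the `Permissions`/`DataActions` property path and the cmdlet accepting a full role-definition resource id are assumptions.

```powershell
# Added example, not code from the original post or from Microsoft.
# Requires the Az.CosmosDB and Az.ManagedServiceIdentity modules and an authenticated
# session (Connect-AzAccount). Names in angle brackets are placeholders.
$resourceGroupName = "<resource-group>"
$accountName       = "<cosmos-account-name>"          # the NoSQL (SQL API) account
$identityName      = "<user-assigned-identity-name>"  # identity attached to the function app
$requiredAction    = "Microsoft.DocumentDB/databaseAccounts/readMetadata"

# 1. Which data-plane role definitions grant readMetadata? These "SQL role definitions" live
#    inside the Cosmos DB account and are separate from Azure RBAC roles such as Owner or
#    Contributor, which is why assigning those roles did not help.
$definitions  = Get-AzCosmosDBSqlRoleDefinition -AccountName $accountName -ResourceGroupName $resourceGroupName
$withMetadata = $definitions | Where-Object {
    # Permissions is a list of permission objects, each with a DataActions list (assumed property names)
    ($_.Permissions | ForEach-Object { $_.DataActions }) -contains $requiredAction
}
$withMetadata | Select-Object RoleName, Type, Id | Format-Table -AutoSize
# Expected to include the two built-in roles:
#   Cosmos DB Built-in Data Reader       id ...-000000000001
#   Cosmos DB Built-in Data Contributor  id ...-000000000002

# 2. Data-plane role assignments use the identity's principal (object) id, not the client id
#    passed to DefaultAzureCredentialOptions.ManagedIdentityClientId.
$identity    = Get-AzUserAssignedIdentity -ResourceGroupName $resourceGroupName -Name $identityName
$principalId = $identity.PrincipalId

# 3a. Least privilege: the built-in Data Reader is enough for a function that only reads.
#     Scope "/" is the whole account; prefer "/dbs/<db>" or "/dbs/<db>/colls/<container>".
$dataReaderRoleId = "00000000-0000-0000-0000-000000000001"
New-AzCosmosDBSqlRoleAssignment -AccountName $accountName -ResourceGroupName $resourceGroupName `
    -RoleDefinitionId $dataReaderRoleId -Scope "/" -PrincipalId $principalId

# 3b. Or a custom role carrying readMetadata plus only the read actions the function needs
#     (role name is an assumed example). readMetadata alone is not enough to read items.
$customRole = New-AzCosmosDBSqlRoleDefinition -AccountName $accountName -ResourceGroupName $resourceGroupName `
    -Type CustomRole -RoleName "FunctionReadOnlyRole" `
    -DataAction @(
        $requiredAction,
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeQuery",
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed") `
    -AssignableScope @("/")
# Assumed: the cmdlet accepts the full resource id in $customRole.Id; otherwise pass its trailing GUID.
New-AzCosmosDBSqlRoleAssignment -AccountName $accountName -ResourceGroupName $resourceGroupName `
    -RoleDefinitionId $customRole.Id -Scope "/" -PrincipalId $principalId

# 4. Verify what the identity now holds on the account before redeploying the function.
Get-AzCosmosDBSqlRoleAssignment -AccountName $accountName -ResourceGroupName $resourceGroupName |
    Where-Object { $_.PrincipalId -eq $principalId } | Select-Object Scope, RoleDefinitionId
```

Pick either 3a or 3b, not both; the client code in the question needs no change once the assignment exists, since CosmosClient already authenticates with the managed identity's token.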