Which .NET SDK to Use for Creating Database or Container in CosmosDB

bmittathullil 0 Reputation points
2024-11-01T13:14:23.2733333+00:00

Hey All,

I am developing an application that utilizes CosmosDB, running as a container in Azure App Service, and have opted to implement RBAC roles using the Managed Identity of the App Service.

Following the sample code from cosmos-db/nosql/how-to-create-container#dotnet-sql, I am attempting to create a database and container through my application. The implementation uses the Microsoft.Azure.Cosmos SDK with DefaultAzureCredential for the CosmosClient. The Managed Identity has been assigned the Cosmos DB Operator and DocumentDB Account Contributor roles on the resource, yet I consistently receive the following error:

Forbidden (403); Substatus: 5300; Request blocked by Auth cosmos-eus2-01 : The given request [POST /dbs] cannot be authorized by AAD token

While the code functions correctly when using the Account Key to create the CosmosClient, I prefer not to use that method.

The provided sample code from /cosmos-db/nosql/security/how-to-grant-control-plane-role-based-access utilizes the Azure.ResourceManager SDK, which is also referenced in a Stack Overflow discussion.

Can someone clarify if control plane operations, such as creating a database or container, cannot be performed using the Microsoft.Azure.Cosmos SDK with AAD credentials? Or is there a specific RBAC role that may be missing?

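The split between the two SDKs mentioned in the question, shown as an added example that is not part of the original post or of Microsoft's samples: database and container creation go through Azure.ResourceManager.CosmosDB (control plane, authorized by Azure RBAC), and only item operations go through Microsoft.Azure.Cosmos with the same credential. The environment variable names, `appdb`, `items` and the `/id` partition key are assumptions. The data-plane call additionally assumes the identity holds a Cosmos DB native data-plane role such as Cosmos DB Built-in Data Contributor.

```csharp
using System;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.CosmosDB;
using Azure.ResourceManager.CosmosDB.Models;

// Placeholder settings (assumptions, not values from the post).
string subscriptionId = Environment.GetEnvironmentVariable("AZURE_SUBSCRIPTION_ID")!;
string resourceGroup = Environment.GetEnvironmentVariable("COSMOS_RESOURCE_GROUP")!;
string accountName = Environment.GetEnvironmentVariable("COSMOS_ACCOUNT_NAME")!;
const string databaseName = "appdb";
const string containerName = "items";

// One credential for both planes: resolves to the App Service managed identity
// when deployed, and to a developer login locally. No account key is involved.
TokenCredential credential = new DefaultAzureCredential();

// Control plane: the request goes to Azure Resource Manager, so it is
// authorized by the Azure RBAC roles assigned on the Cosmos DB account.
var arm = new ArmClient(credential);
ResourceIdentifier accountId = CosmosDBAccountResource.CreateResourceIdentifier(
    subscriptionId, resourceGroup, accountName);
CosmosDBAccountResource account =
    (await arm.GetCosmosDBAccountResource(accountId).GetAsync()).Value;

var dbContent = new CosmosDBSqlDatabaseCreateOrUpdateContent(
    account.Data.Location, new CosmosDBSqlDatabaseResourceInfo(databaseName));
CosmosDBSqlDatabaseResource database = (await account.GetCosmosDBSqlDatabases()
    .CreateOrUpdateAsync(WaitUntil.Completed, databaseName, dbContent)).Value;

var containerInfo = new CosmosDBSqlContainerResourceInfo(containerName)
{
    PartitionKey = new CosmosDBContainerPartitionKey
    {
        Paths = { "/id" },
        Kind = CosmosDBPartitionKind.Hash
    }
};
await database.GetCosmosDBSqlContainers().CreateOrUpdateAsync(
    WaitUntil.Completed, containerName,
    new CosmosDBSqlContainerCreateOrUpdateContent(account.Data.Location, containerInfo));

// Data plane: item reads and writes use the Cosmos SDK with the same token
// credential, authorized by Cosmos DB's own data-plane role assignments.
using var cosmos = new Microsoft.Azure.Cosmos.CosmosClient(
    account.Data.DocumentEndpoint, credential);
var container = cosmos.GetContainer(databaseName, containerName);
await container.UpsertItemAsync(new { id = "smoke-test" },
    new Microsoft.Azure.Cosmos.PartitionKey("smoke-test"));
```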