Which .NET SDK to Use for Creating Database or Container in CosmosDB

bmittathullil 20 Reputation points
2024-11-01T13:14:23.2733333+00:00

Hey All,

I am developing an application that utilizes CosmosDB, running as a container in Azure App Service, and have opted to implement RBAC roles using the Managed Identity of the App Service.

Following the sample code from cosmos-db/nosql/how-to-create-container#dotnet-sql, I am attempting to create a database and container through my application. The implementation uses the Microsoft.Azure.Cosmos SDK with DefaultAzureCredential for the CosmosClient. The Managed Identity has been assigned the Cosmos DB Operator and DocumentDB Account Contributor roles on the resource, yet I consistently receive the following error:

Forbidden (403); Substatus: 5300; Request blocked by Auth cosmos-eus2-01 : The given request [POST /dbs] cannot be authorized by AAD token

While the code functions correctly when using the Account Key to create the CosmosClient, I prefer not to use that method.

The provided sample code from /cosmos-db/nosql/security/how-to-grant-control-plane-role-based-access utilizes the Azure.ResourceManager SDK, which is also referenced in a Stack Overflow discussion.

Can someone clarify if control plane operations, such as creating a database or container, cannot be performed using the Microsoft.Azure.Cosmos SDK with AAD credentials? Or is there a specific RBAC role that may be missing?


Accepted answer
    Vijayalaxmi Kattimani 3,250 Reputation points Microsoft External Staff Moderator
    2024-11-04T10:53:25.1566667+00:00

    Hi @bmittathullil,

    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

    We would like to inform you that control plane operations can be used to create databases and containers, which require the use of the Azure.ResourceManager.CosmosDB client and not the Microsoft.Azure.Cosmos SDK. The Microsoft.Azure.Cosmos SDK with Azure AD credentials is limited to data plane operations, and it doesn't support control plane operations directly.

    The Cosmos DB Operator and DocumentDB Account Contributor roles should theoretically grant access to perform control plane operations, but these need to be executed through the Azure.ResourceManager.CosmosDB client in combination with DefaultAzureCredential. To create a database or container using Managed Identity, use the Azure.ResourceManager SDK.

    We request you to refer to the below-mentioned links for more information.

    https://learn.microsoft.com/en-us/dotnet/azure/sdk/resource-management?tabs=PowerShell

    https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/control-plane-and-data-plane

    https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/troubleshoot-forbidden

    I hope this response addresses your query and helps you to overcome your challenges.

    If this answers your query, do click Accept Answer and Yes for "Was this answer helpful". And if you have any further query, do let us know.

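As an added example (not code from the question, the accepted answer, or Microsoft's sample pages), here is a minimal C# program that does what the answer describes: it creates the database and container through Azure Resource Manager with the same DefaultAzureCredential, so the App Service managed identity needs only a control-plane role such as Cosmos DB Operator. It assumes the Azure.ResourceManager.CosmosDB package (1.x API names) and uses placeholder subscription, resource group, account and region values.

```csharp
using System;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.CosmosDB;
using Azure.ResourceManager.CosmosDB.Models;

// Placeholders (assumed): replace with the subscription, resource group, account
// and region of your own Cosmos DB account. The App Service managed identity
// needs a control-plane role (e.g. Cosmos DB Operator) on the account.
const string subscriptionId = "<subscription-id>";
const string resourceGroupName = "<resource-group>";
const string accountName = "<cosmos-account-name>";
const string databaseName = "appdb";
const string containerName = "items";
AzureLocation location = AzureLocation.EastUS2;

// DefaultAzureCredential picks up the App Service managed identity at runtime
// (and developer credentials locally). The token is sent to Azure Resource
// Manager, not to the Cosmos DB data-plane endpoint, so the 403/5300 block
// seen with CosmosClient does not apply here.
var armClient = new ArmClient(new DefaultAzureCredential());
ResourceIdentifier accountId = CosmosDBAccountResource.CreateResourceIdentifier(
    subscriptionId, resourceGroupName, accountName);
CosmosDBAccountResource account = armClient.GetCosmosDBAccountResource(accountId);

// Control-plane PUT of the NoSQL (SQL API) database; a no-op if it already exists.
var databaseContent = new CosmosDBSqlDatabaseCreateOrUpdateContent(
    location, new CosmosDBSqlDatabaseResourceInfo(databaseName));
ArmOperation<CosmosDBSqlDatabaseResource> databaseOperation =
    await account.GetCosmosDBSqlDatabases()
                 .CreateOrUpdateAsync(WaitUntil.Completed, databaseName, databaseContent);
CosmosDBSqlDatabaseResource database = databaseOperation.Value;

// Control-plane PUT of the container, with a hash partition key on /pk.
var containerInfo = new CosmosDBSqlContainerResourceInfo(containerName)
{
    PartitionKey = new CosmosDBContainerPartitionKey
    {
        Paths = { "/pk" },
        Kind = CosmosDBPartitionKind.Hash,
    },
};
var containerContent = new CosmosDBSqlContainerCreateOrUpdateContent(location, containerInfo);
ArmOperation<CosmosDBSqlContainerResource> containerOperation =
    await database.GetCosmosDBSqlContainers()
                  .CreateOrUpdateAsync(WaitUntil.Completed, containerName, containerContent);

Console.WriteLine($"Created {database.Data.Name}/{containerOperation.Value.Data.Name}");
```

Note that the control-plane roles grant only management operations; reading and writing items through Microsoft.Azure.Cosmos with the same managed identity additionally requires a Cosmos DB data-plane role assignment (such as the built-in Data Contributor) on the account, which keeps the two permission sets separately scoped.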
