CosmosDB for Tables - authorization using managed Identity and custom role - no required dataAction

Arkadiusz Kozieł 91 Reputation points
2025-03-24T19:43:35.3966667+00:00

I've attempted to establish a connection to Cosmos DB for Tables from an Azure function using a user-managed identity and a custom role. Current privileges for the custom role are:

    actions     = [
      "Microsoft.DocumentDB/databaseAccounts/read",
      "Microsoft.DocumentDB/databaseAccounts/tables/read",
      "Microsoft.DocumentDB/databaseAccounts/tables/operationResults/read",
      "Microsoft.DocumentDB/databaseAccounts/tables/write"
    ]
    not_actions = []
    data_actions = []
    not_data_actions = []

Error message is:

Request is blocked because principal [xxxxx] does not have required RBAC permissions to perform action [Microsoft.DocumentDB/databaseAccounts/readMetadata] on resource [/].

However, I've encountered difficulties, as I couldn't add the required dataAction Microsoft.DocumentDB/databaseAccounts/readMetadata to the custom role - simply, it does not exist.

According to
https://learn.microsoft.com/en-us/azure/cosmos-db/table/security/reference-data-plane-actions
there should be such a dataAction, but when I try to add it manually in the Azure Portal it does not exist.


Could you tell me where and how I can assign this data action to my custom role, as described in the Security guidance for Azure Cosmos DB for Table?

Azure Cosmos DB

Accepted answer
  1. Mahesh Kurva 3,500 Reputation points Microsoft External Staff
    2025-03-25T16:46:11.5166667+00:00

    Hi Arkadiusz Kozieł,

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to accept the answer.

    Issue:

    CosmosDB for Tables - authorization using managed Identity and custom role - no required dataAction

    Solution:

    I found an answer

    https://learn.microsoft.com/en-us/azure/cosmos-db/table/security/glossary

    Important

    Some Azure services, like Azure Cosmos DB, have their own native role-based access control implementation that uses different Azure Resource Manager properties, Azure CLI commands, and Azure PowerShell cmdLets. The commands you typically use to manage role-based access control will not work with Azure Cosmos DB data plane access. Some of the commands for Azure role-based access control may work with Azure Cosmos DB control plane access.

    https://learn.microsoft.com/en-us/azure/cosmos-db/table/security/reference-data-plane-actions

    I was able to assign table level privileges using the CLI and a JSON file as described here:

    https://learn.microsoft.com/en-us/azure/cosmos-db/table/security/how-to-grant-data-plane-role-based-access?context=%2Fazure%2Fcosmos-db%2Fcontext%2Fcontext&tabs=built-in-definition%2Cpython&pivots=azure-interface-cli

    Simply, it is something different from the IAM visible in the Azure Portal :(

    And it does not work yet with Terraform - but there is at least the resource:

    azurerm_cosmosdb_sql_role_assignment
    

    so maybe in the next version there will be something like

    azurerm_cosmosdb_table_role_assignment

    If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information.

    Hope this helps. Do let us know if you have any further queries.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

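The accepted solution above boils down to: the data-plane role lives in Cosmos DB's native RBAC, so the definition must be created and assigned with the `az cosmosdb table role ...` commands rather than through Azure IAM. The script below is an added example and is not code from the question or the answer; the resource group, account, principal id and role name are placeholders, the `az cosmosdb table role definition create` / `az cosmosdb table role assignment create` command shapes are assumed to mirror the SQL API equivalents (check `az cosmosdb table role -h`), and the `tables/*` wildcard is an assumed action from the reference-data-plane-actions page that should be narrowed to the actions the function really needs.

```shell
#!/usr/bin/env bash
# Added example (not from the original Q&A): create a native Cosmos DB for Table
# data-plane role that grants readMetadata plus table access, then assign it to a
# managed identity. Placeholders: RG, ACCOUNT, PRINCIPAL_ID, ROLE_NAME.
set -euo pipefail

# Build the custom role definition JSON. Data-plane permissions live under
# Permissions[].DataActions; readMetadata is the action named in the error
# message and is required by every data-plane client before any table call.
# The tables/* wildcard is an assumption; narrow it to the actions you need.
role_definition_json() {
  local role_name="$1"
  cat <<EOF
{
  "RoleName": "${role_name}",
  "Type": "CustomRole",
  "AssignableScopes": ["/"],
  "Permissions": [{
    "DataActions": [
      "Microsoft.DocumentDB/databaseAccounts/readMetadata",
      "Microsoft.DocumentDB/databaseAccounts/tables/*"
    ]
  }]
}
EOF
}

# Local check before any az call: a definition without readMetadata reproduces
# the "does not have required RBAC permissions ... readMetadata" failure.
has_read_metadata() {
  case "$1" in
    *'"Microsoft.DocumentDB/databaseAccounts/readMetadata"'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Create the definition in the account's native RBAC and assign it to the
# identity at account scope "/" (table-level scopes are also possible).
grant_table_access() {
  local rg="$1" account="$2" principal_id="$3" role_name="$4"
  local json def_id
  json="$(role_definition_json "$role_name")"
  has_read_metadata "$json" || { echo "role lacks readMetadata" >&2; return 1; }
  command -v az >/dev/null || { echo "az CLI not installed; skipping" >&2; return 0; }
  def_id="$(az cosmosdb table role definition create --resource-group "$rg" \
      --account-name "$account" --body "$json" --query id -o tsv)"
  az cosmosdb table role assignment create --resource-group "$rg" \
      --account-name "$account" --role-definition-id "$def_id" \
      --principal-id "$principal_id" --scope "/"
}
```

Run it as `grant_table_access RG ACCOUNT PRINCIPAL_ID ROLE_NAME` after `az login`; the identity's object id goes in PRINCIPAL_ID, and the assignment will not show up under the account's IAM blade in the portal.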

2 additional answers

Sort by: Most helpful
  1. Arkadiusz Kozieł 91 Reputation points
    2025-03-25T08:01:54.4933333+00:00

    Hello

    Thank you for your answer.

    I also checked the Azure RBAC documentation and there is also NO information about this dataAction. In fact, there is NO dataAction at all for DocumentDB.
    https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/databases#microsoftdocumentdb

    Also, I do NOT see the mentioned built-in roles like:

    Cosmos DB Built-in Data Reader

    Cosmos DB Built-in Data Contributor

    which are mentioned here:

    https://learn.microsoft.com/en-us/azure/cosmos-db/table/security/reference-data-plane-roles

    If this is mentioned as a preview feature, do I need to activate something?

    But where should I activate roles for all subscriptions?


  2. Arkadiusz Kozieł 91 Reputation points
    2025-03-25T09:45:03.5566667+00:00

    OK, I found an answer
    https://learn.microsoft.com/en-us/azure/cosmos-db/table/security/glossary

    Important

    Some Azure services, like Azure Cosmos DB, have their own native role-based access control implementation that uses different Azure Resource Manager properties, Azure CLI commands, and Azure PowerShell cmdLets. The commands you typically use to manage role-based access control will not work with Azure Cosmos DB data plane access. Some of the commands for Azure role-based access control may work with Azure Cosmos DB control plane access.

    https://learn.microsoft.com/en-us/azure/cosmos-db/table/security/reference-data-plane-actions
    I was able to assign table level privileges using the CLI and a JSON file as described here:

    https://learn.microsoft.com/en-us/azure/cosmos-db/table/security/how-to-grant-data-plane-role-based-access?context=%2Fazure%2Fcosmos-db%2Fcontext%2Fcontext&tabs=built-in-definition%2Cpython&pivots=azure-interface-cli

    Simply, it is something different from the IAM visible in the Azure Portal :(

    And it does not work yet with Terraform - but there is at least the resource:

    azurerm_cosmosdb_sql_role_assignment
    

    so maybe in the next version there will be something like

    azurerm_cosmosdb_table_role_assignment
    
