RBAC for cosmos DB Table API

Question

RBAC for cosmos DB Table API

Sam Chen 25 Microsoft Employee

Hi Team,

I am using Azure Cosmos DB table APIs and I enabled my account in access control and assigned following roles to the resource. However I still get the following error when trying to access the account. Any thoughts?

Test method Microsoft.Skype.Platform.Echo.Tests.CallQueue.CosmosDbTableApiTests.NaiveTest threw exception: `

Azure.RequestFailedException: Request blocked by Auth samtest : Request is blocked because principal [PII removed] does not have required RBAC permissions to perform action [Microsoft.DocumentDB/databaseAccounts/readMetadata] on resource [/]. Learn more: https://aka.ms/cosmos-native-rbac.

ActivityId: PII removed,

Microsoft.Azure.Documents.Common/2.14.0, documentdb-dotnet-sdk/2.14.0 Host/64-bit MicrosoftWindowsNT/10.0.20348.0

RequestID: PII removed

Status: 403 (Forbidden)

ErrorCode: Forbidden

Roles:

User's image

Sam Chen 25 Reputation points Microsoft Employee

2025-11-06T18:03:19.3366667+00:00
@Sridevi Machavarapu , Thx for your reply but I tried the following and "00000000000000000000000000000002" seems not exist. PS C:\Users\zhench> New-AzRoleAssignment -ObjectId PII removed -RoleDefinitionId "00000000-0000-0000-0000-000000000002" -Scope /subscriptions/PII removed/resourceGroups/samTest/providers/Microsoft.DocumentDB/databaseAccounts/samtest

New-AzRoleAssignment : The specified role definition with ID '00000000000000000000000000000002' does not exist.

At line:1 char:1

New-AzRoleAssignment -ObjectId PII removed - ...

New-AzRoleAssignment : The specified role definition with ID '00000000000000000000000000000002' does not exist. At line:1 char:1

New-AzRoleAssignment -ObjectId PII removed - ...

+ CategoryInfo : CloseError: (:) [New-AzRoleAssignment], CloudException + FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand + CategoryInfo : CloseError: (:) [New-AzRoleAssignment], CloudException + FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand

Sridevi Machavarapu 7,610 Microsoft External Staff Moderator

Hello Sam Chen,

You need to use different commands to assign Cosmos DB Built-in Data Contributor role via Azure PowerShell. Refer this MS Document: Connect using role-based access control - PowerShell

$parameters = @{
    ResourceGroupName = "<name-of-existing-resource-group>"
    Name = "<name-of-existing-table-account>"
}
$resourceId = (
    Get-AzCosmosDBAccount @parameters |
        Select-Object -Property Id -First 1
).Id
$payload = @{
  properties = @{
    roleDefinitionId = "$resourceId/tableRoleDefinitions/00000000-0000-0000-0000-000000000002"
    scope = "$resourceId"
    principalId = "<user-object-id>"
  }
}
$parameters = @{
  Path = "$resourceId/tableRoleAssignments/e4e4e4e4-ffff-aaaa-bbbb-c5c5c5c5c5c5?api-version=2023-04-15"
  Method = "PUT"
  Payload = $payload | ConvertTo-Json -Depth 2
}
Invoke-AzRestMethod @parameters

Sridevi Machavarapu 7,610 Reputation points Microsoft External Staff Moderator

2025-11-07T17:34:45.1833333+00:00

Hello Sam Chen,

Could you confirm whether your issue is resolved or still facing any errors? Feel free to reach out for any further queries
Sam Chen 25 Reputation points Microsoft Employee

2025-11-07T19:37:55.8433333+00:00

Hi,
I just confirmed that our issue is mitigated. Thx all for the help to understand how data panel and control panel works and provided great instructions.
Sridevi Machavarapu 7,610 Reputation points Microsoft External Staff Moderator

2025-11-07T20:23:01.9966667+00:00

Hello Sam Chen,

Glad to know it worked : )

Please click on Accept Answer and Yes for was this answer helpful, which may help members with similar questions.

Answer accepted by question author

0 additional answers

Your answer

Sam Chen 25 Reputation points Microsoft Employee

2025-11-06T18:03:19.3366667+00:00

@Sridevi Machavarapu , Thx for your reply but I tried the following and "00000000000000000000000000000002" seems not exist. PS C:\Users\zhench> New-AzRoleAssignment -ObjectId PII removed -RoleDefinitionId "00000000-0000-0000-0000-000000000002" -Scope /subscriptions/PII removed/resourceGroups/samTest/providers/Microsoft.DocumentDB/databaseAccounts/samtest

New-AzRoleAssignment : The specified role definition with ID '00000000000000000000000000000002' does not exist.

At line:1 char:1

New-AzRoleAssignment -ObjectId PII removed - ...

New-AzRoleAssignment : The specified role definition with ID '00000000000000000000000000000002' does not exist. At line:1 char:1

New-AzRoleAssignment -ObjectId PII removed - ...

+ CategoryInfo : CloseError: (:) [New-AzRoleAssignment], CloudException + FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand + CategoryInfo : CloseError: (:) [New-AzRoleAssignment], CloudException + FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand
Sridevi Machavarapu 7,610 Reputation points Microsoft External Staff Moderator

2025-11-06T18:14:16.9033333+00:00

Hello Sam Chen,

You need to use different commands to assign Cosmos DB Built-in Data Contributor role via Azure PowerShell. Refer this MS Document: Connect using role-based access control - PowerShell

$parameters = @{ ResourceGroupName = "<name-of-existing-resource-group>" Name = "<name-of-existing-table-account>" } $resourceId = ( Get-AzCosmosDBAccount @parameters | Select-Object -Property Id -First 1 ).Id $payload = @{ properties = @{ roleDefinitionId = "$resourceId/tableRoleDefinitions/00000000-0000-0000-0000-000000000002" scope = "$resourceId" principalId = "<user-object-id>" } } $parameters = @{ Path = "$resourceId/tableRoleAssignments/e4e4e4e4-ffff-aaaa-bbbb-c5c5c5c5c5c5?api-version=2023-04-15" Method = "PUT" Payload = $payload | ConvertTo-Json -Depth 2 } Invoke-AzRestMethod @parameters
Sridevi Machavarapu 7,610 Reputation points Microsoft External Staff Moderator

2025-11-07T17:34:45.1833333+00:00

Hello Sam Chen,

Could you confirm whether your issue is resolved or still facing any errors? Feel free to reach out for any further queries
Sam Chen 25 Reputation points Microsoft Employee

2025-11-07T19:37:55.8433333+00:00

Hi,
I just confirmed that our issue is mitigated. Thx all for the help to understand how data panel and control panel works and provided great instructions.
Sridevi Machavarapu 7,610 Reputation points Microsoft External Staff Moderator

2025-11-07T20:23:01.9966667+00:00

Hello Sam Chen,

Glad to know it worked : )

Please click on Accept Answer and Yes for was this answer helpful, which may help members with similar questions.

Answer 1

Hello Sam Chen,

The error occurs because the roles assigned (Owner, Contributor, Cosmos DB Operator, DocumentDB Account Contributor) are control-plane roles, which don't grant the data-plane permissions required by Cosmos DB Table API.

Specifically, the action Microsoft.DocumentDB/databaseAccounts/readMetadata needs a built-in data role.

To fix this, assign one of the Cosmos DB built-in data roles at the account scope (/) to the user or managed identity:

Cosmos DB Built-in Data Reader (Role ID: 00000000-0000-0000-0000-000000000001)
Cosmos DB Built-in Data Contributor (Role ID: 00000000-0000-0000-0000-000000000002)

For example, using Azure CLI:

az cosmosdb sql role assignment create \
  --resource-group <resource-group> \
  --account-name <cosmos-account> \
  --scope "/" \
  --principal-id <user-object-id> \
  --role-definition-id "00000000-0000-0000-0000-000000000002"

Make sure to replace placeholders with your actual values.

This approach grants the necessary data-plane permissions and resolves the 403 Forbidden RBAC error.

For more details, refer these MS Documentation:

Hope this helps! Let us know if any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful, which may help members with similar questions.

Share via

RBAC for cosmos DB Table API

0 additional answers

Your answer