user identity custom roles not being created in cosmos db

EnenDaveyBoy 71 Reputation points
2021-11-24T14:15:25.897+00:00

Hi

I am trying to use managed identities in Cosmos DB. I am using an Azure DevOps pipeline with ARM templates, which runs through successfully; however the role doesn't show up in the portal, and the code

new DefaultAzureCredential(new DefaultAzureCredentialOptions{ManagedIdentityClientId = ManagedIdentityClientId});

also doesn't run when it's live (and I can't get it to work locally), both due to a readMetadata permission not being assigned (which doesn't seem supported in the built-in roles either).

{
  "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions",
  "apiVersion": "2021-05-15",
  "name": "[concat(variables('developmentSettingsDbName'),'/', variables('cosmosDbContributorRoleDefinitionId'))]",
  "dependsOn": [
    "[resourceId('Microsoft.DocumentDb/databaseAccounts', variables('developmentSettingsDbName'))]"
  ],
  "properties": {
    "roleName": "[variables('cosmosDbContributorRoleDefinitionName')]",
    "type": "CustomRole",
    "assignableScopes": [
      "[resourceId('Microsoft.DocumentDb/databaseAccounts', variables('developmentSettingsDbName'))]"
    ],
    "permissions": [
      {
        "dataActions": [
          "Microsoft.DocumentDB/databaseAccounts/readMetadata",
          "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*",
          "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*"
        ],
        "notDataActions": []
      }
    ]
  }
},
{
  "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
  "name": "myContributor",
  "apiVersion": "2018-11-30",
  "location": "[resourceGroup().location]"
},
{
  "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments",
  "apiVersion": "2021-05-15",
  "name": "[concat(variables('developmentSettingsDbName'),'/', variables('cosmosDbContributorRoleAssignmentId'))]",
  "dependsOn": [
    "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'myContributor')]",
    "[resourceId('Microsoft.DocumentDb/databaseAccounts', variables('developmentSettingsDbName'))]",
    "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions', variables('developmentSettingsDbName'), variables('cosmosDbContributorRoleDefinitionId'))]"
  ],
  "properties": {
    "roleDefinitionId": "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions', variables('developmentSettingsDbName'), variables('cosmosDbContributorRoleDefinitionId'))]",
    "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities/', 'myContributor'), '2018-11-30').principalId]",
    "scope": "[resourceId('Microsoft.DocumentDb/databaseAccounts', variables('developmentSettingsDbName'))]"
  }
}

Any thoughts would be appreciated.
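The symptoms in the question (deployment succeeds, nothing usable appears, the SDK fails on readMetadata) are the kind that a pre-deployment lint of the resources fragment catches cheaply: the role definition must grant `Microsoft.DocumentDB/databaseAccounts/readMetadata`, every data action must be well formed, and the role assignment must reference an identity that the template actually declares. The script below is an added example, not code from the question or from Microsoft; the sample fragments are constructed to mirror the shape of the template above with placeholder variable names, and the "broken" one deliberately omits readMetadata, uses a malformed action and references an identity name (`universeContributor`) that is never declared.

```python
import json
import re

# Added example (not from the question). A small lint for a Cosmos DB data-plane
# RBAC fragment of an ARM template: role definition + user-assigned identity +
# role assignment. It flags the mistakes that leave a deployed role unusable.
REQUIRED_ACTION = "Microsoft.DocumentDB/databaseAccounts/readMetadata"
ROLE_DEF_TYPE = "microsoft.documentdb/databaseaccounts/sqlroledefinitions"
ROLE_ASSIGN_TYPE = "microsoft.documentdb/databaseaccounts/sqlroleassignments"
IDENTITY_TYPE = "microsoft.managedidentity/userassignedidentities"

# A well-formed data action ends in a concrete verb or a trailing wildcard,
# never in a bare "/" (which is what a stripped "*" leaves behind).
ACTION_RE = re.compile(r"^Microsoft\.DocumentDB/databaseAccounts(/[A-Za-z]+)*/(\*|[A-Za-z]+)$")
# Matches resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'name')
# inside ARM expressions, with or without a trailing slash on the type.
IDENTITY_REF_RE = re.compile(
    r"resourceId\('Microsoft\.ManagedIdentity/userAssignedIdentities/?',\s*'([^']+)'\)"
)


def lint_resources(resources):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    declared_identities = {r["name"] for r in resources if r["type"].lower() == IDENTITY_TYPE}

    for res in resources:
        rtype = res["type"].lower()
        if rtype == ROLE_DEF_TYPE:
            actions = [a for p in res["properties"]["permissions"] for a in p.get("dataActions", [])]
            if REQUIRED_ACTION not in actions:
                findings.append(f"{res['name']}: missing {REQUIRED_ACTION}; the SDK cannot open a session without it")
            for action in actions:
                if not ACTION_RE.match(action):
                    findings.append(f"{res['name']}: malformed data action '{action}'")
        elif rtype == ROLE_ASSIGN_TYPE:
            # Scan dependsOn and properties alike for identity references.
            for name in IDENTITY_REF_RE.findall(json.dumps(res)):
                if name not in declared_identities:
                    findings.append(f"{res['name']}: references identity '{name}', which this template never declares")
            if "sqlRoleDefinitions" not in res["properties"]["roleDefinitionId"]:
                findings.append(f"{res['name']}: roleDefinitionId does not point at a sqlRoleDefinitions resource")
    return findings


def sample_resources(identity_in_depends_on, data_actions):
    """Constructed fragment shaped like the question's template; variable names are placeholders."""
    account = "[resourceId('Microsoft.DocumentDb/databaseAccounts', variables('dbName'))]"
    role_def_id = ("[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions', "
                   "variables('dbName'), variables('roleDefId'))]")
    return [
        {"type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions", "apiVersion": "2021-05-15",
         "name": "[concat(variables('dbName'), '/', variables('roleDefId'))]",
         "properties": {"roleName": "CosmosContributor", "type": "CustomRole",
                        "assignableScopes": [account],
                        "permissions": [{"dataActions": data_actions, "notDataActions": []}]}},
        {"type": "Microsoft.ManagedIdentity/userAssignedIdentities", "apiVersion": "2018-11-30",
         "name": "myContributor", "location": "[resourceGroup().location]"},
        {"type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments", "apiVersion": "2021-05-15",
         "name": "[concat(variables('dbName'), '/', variables('roleAssignId'))]",
         "dependsOn": [f"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', '{identity_in_depends_on}')]",
                       account, role_def_id],
         "properties": {"roleDefinitionId": role_def_id,
                        "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', "
                                       "'myContributor'), '2018-11-30').principalId]",
                        "scope": account}},
    ]


# Least-privilege data actions for a container-scoped contributor role.
GOOD_ACTIONS = [REQUIRED_ACTION,
                "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*",
                "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*"]
# Constructed defect: readMetadata missing and a trailing "/" instead of "/*".
BAD_ACTIONS = ["Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/"]

BROKEN = sample_resources("universeContributor", BAD_ACTIONS)
FIXED = sample_resources("myContributor", GOOD_ACTIONS)

if __name__ == "__main__":
    for label, resources in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_resources(resources) or ["ok"])
```

Run it on the `resources` array of a real template after `json.load` and fix anything it reports before pushing the pipeline. After deployment, the definition and assignment are data-plane objects, so confirm them with `az cosmosdb sql role definition list --account-name <account> --resource-group <rg>` and `az cosmosdb sql role assignment list` rather than expecting them in the portal's Access control blade.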

Azure Cosmos DB
Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. EnenDaveyBoy 71 Reputation points
    2021-12-10T00:38:29.887+00:00

    Hi, no. Due to managed identities not being available in all services I am using (e.g. Cosmos DB Gremlin.NET), and some of the roles not being available in the portal at present, I have opted to use AAD until it's a little more integrated into the services I am using.

    Would really like them so I can set all Azure Functions permissions in my pipelines; it would mean I get to set 90% of my infrastructure in a pipeline. There are other things which I can't, due to service limitations like Event Grid topics not allowing subscriptions to dev slots.

