How to create Custom role in CosmosDB API for MongoDB with scope at Database level

Question

How to create Custom role in CosmosDB API for MongoDB with scope at Database level

Vaikakkara, Anoop 46

I have a requirement to create Custom roles with assignment scope at database level rather than at Account level in CosmosDB API for MongoDB. I could find documents related to same for SQL API - (https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac) . Is this simply not supported for MongoDB API? Would really appreciate if anyone can suggest on this or share document.

Accepted answer

0 additional answers

Your answer

Answer 1

Anurag Sharma 17,631

Hi @Vaikakkara, Anoop , welcome to Microsoft Q&A forum.

From what we understand you want to create custom role in Azure Cosmos DB Mongo API with scope at database level.

You can refer to below document that provides details on creating the custom role type for mongo DB API.

az cosmosdb mongodb role definition

az cosmosdb mongodb role definition create --account-name MyAccount --resource-group MyResourceGroup --body '{  
  "Id": "MyDB.My_Read_Only_Role",  
  "RoleName": "My_Read_Only_Role",  
  "Type": "CustomRole",  
  "DatabaseName": "MyDB",  
  "Privileges": [{  
    "Resource": {  
        "Db": "MyDB",  
        "Collection": "MyCol"  
      },  
      "Actions": [  
        "insert",  
        "find"  
      ]  
  }],  
  "Roles": [  
    {  
      "Role": "myInheritedRole",  
      "Db": "MyTestDb"  
    }  
  ]  
}'

Please let us know if this helps or else we can discuss further.

Vaikakkara, Anoop 46 Reputation points

2022-03-04T13:38:39.597+00:00

Thanks Anurag for sharing details. I am getting below error when trying to execute:

C:\mongo>az cosmosdb mongodb role definition create --account-name xxxxxxx --resource-group xxxxxx --body @role.json
(BadRequest) Mongo Role Defination is not enabled for the account.
ActivityId: 8c37fc3f-9bbc-11ec-a742-0c9a3c43316c, Microsoft.Azure.Documents.Common/2.14.0
Code: BadRequest
Message: Mongo Role Defination is not enabled for the account.
ActivityId: 8c37fc3f-9bbc-11ec-a742-0c9a3c43316c, Microsoft.Azure.Documents.Common/2.14.0

Here is my JSON file:

{
"Id": "Database1.MyDB1_Role",
"RoleName": "MyDB1_Role",
"Type": "CustomRole",
"DatabaseName": "Database1",
"Privileges": [{
"Resource": {
"Db": "Database1",
"Collection": ""
},
"Actions": [
"insert",
"find"
]
}],
"Roles": []

}
Vaikakkara, Anoop 46 Reputation points

2022-03-09T11:26:53.703+00:00

Still stuck on this. I am having OWNER role in the Cosmos DB API for MongoDB account. Also having latest CLI installed.
az version
{
"azure-cli": "2.34.1",
"azure-cli-core": "2.34.1",
"azure-cli-telemetry": "1.0.6",
"extensions": {
"cosmosdb-preview": "0.14.0"
}
}
Error points like "mongodb role definition" not supported.
Anurag Sharma 17,631 Reputation points

2022-03-09T11:41:08.423+00:00

Hi @Vaikakkara, Anoop , apologies for the trouble you are facing. I tried and got the same error. I am reaching out to product group on this and will update you at the earliest I hear back from them.
Vaikakkara, Anoop 46 Reputation points

2022-03-09T11:48:31.66+00:00

Thanks a lot for your quick turnup @AnuragSharma-MSFT .
Mohamed Jbeli 0 Reputation points

2023-05-23T12:29:21.6833333+00:00

I'm reading this a bit late , but for those in the future who end up somehow here like me :D

the error : Error points like "mongodb role definition" not supported .

is likely to happen because when you create a db account you should enable the RBAC capability on your existing API for MongoDB database account. You'll need to add the capability "EnableMongoRoleBasedAccessControl" to your database account :

az cosmosdb create -n <account_name> -g <azure_resource_group> --kind MongoDB --capabilities EnableMongoRoleBasedAccessControl

or if you have already created an account just update it :

az cosmosdb update --resource-group <azure_resource_group> --name <account_name> --capabilities EnableMongoRoleBasedAccessControl

Share via

How to create Custom role in CosmosDB API for MongoDB with scope at Database level

Here is my JSON file:

}

0 additional answers

Your answer