Using ManagedIdentity with node.js web app to access Cosmos DB

Jay Bloodworth 26 Reputation points
2022-03-05T17:34:35.98+00:00

I am trying to create a node.js web application using App Services that pulls data from a Cosmos DB database. To provide authorization, I created a Managed Identity for the web app and assigned it the Cosmos DB Account Reader Role under IAM for the Cosmos DB. The code for my app is below

const express = require('express');
const { ManagedIdentityCredential, DefaultAzureCredential } = require('@azure/identity');
const { CosmosClient } = require("@azure/cosmos");

// Cosmos DB account endpoint (host name redacted in the post).
const endpoint = "https://redacted:443/";
// System-assigned managed identity of the App Service: no account key in code.
const aadCredentials = new ManagedIdentityCredential();
//const aadCredentials = new DefaultAzureCredential(); // for local development

const client = new CosmosClient({endpoint, aadCredentials});
const container = client.database('quotedb').container('quotes');

const port = process.env.PORT || 3000;

const app = express();

app.get('/api/quote/:who', async (req, res) => {
    try {
        // Parameterized query: the user-supplied name is bound as @who
        // instead of being interpolated into the SQL string.
        const querySpec = {
            query: 'SELECT * FROM c WHERE c.character = @who',
            parameters: [{ name: '@who', value: req.params.who }],
        };
        const { resources: quotes } = await container.items.query(querySpec).fetchAll();
        if (quotes.length === 0) {
            return res.status(404).json({who: req.params.who, quote: null});
        }
        const quote = quotes[Math.floor(Math.random() * quotes.length)];
        res.json({who: req.params.who, quote});
    } catch (err) {
        // Surfaces RBAC failures (such as the readMetadata denial) in the App Service log.
        console.error(err.message);
        res.status(500).json({error: 'query failed'});
    }
});

app.use('/', express.static('static'));

app.listen(port, () => {
    console.log(`Listening on ${port}`);
});

All of the relevant modules have been installed. However, when I attempt to access the REST endpoint it doesn't work. The error in the logs says Access denied because principal xxx does not have RBAC permissions to perform action Microsoft.DocumentDB/databaseAccounts/readMetadata on /. The xxx does match the id I see for my ManagedIdentity in the Identity blade for the web app. Looking at the role definition for the Account Reader role I see that that permission is indeed missing. I suppose I can create a custom role that adds that specific permission, but the fact that the Reader role by itself is not working makes me suspect that I have done something else wrong.

The web app is using the free tier and the Cosmos DB instance is running under the Serverless configuration. This is just a "toy" app for my learning, but I would appreciate help in understanding what is going wrong. Thank you.


Accepted answer
    Oury Ba-MSFT 19,581 Reputation points Microsoft Employee
    2022-03-07T22:15:30.657+00:00

    Hi @Jay Bloodworth
    Thank you for posting your question on Microsoft Q&A and for using Azure services.
    From my understanding, you are not able to access the REST endpoint even after assigning the permissions on the web app and Cosmos DB.
    Try to create your custom CosmosDBReadWrite role by following the example in this article.

    To create the custom role definitions and assignments, you will need to have the Azure CLI installed.

    As the document below mentions, we can access Cosmos DB with Managed Identity.

    How to use a system-assigned managed identity to access Azure Cosmos DB data | Microsoft Learn


    Regards,
    Oury
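The data-plane role and assignment the accepted answer points at, written out as an added Azure CLI example (not from the question or the answer). RG, ACCOUNT, PRINCIPAL_ID and the role name QuoteAppDataReader are assumed placeholders; the action set is read-only rather than ReadWrite, since the app only queries, and the assignment is scoped to the quotedb database instead of the whole account.

```shell
#!/usr/bin/env sh
# Added example: data-plane RBAC for the web app's managed identity (Azure CLI).
# Placeholders (assumed, override via environment): RG, ACCOUNT, PRINCIPAL_ID.
RG="${RG:-my-resource-group}"
ACCOUNT="${ACCOUNT:-my-cosmos-account}"
# Object id of the App Service system-assigned identity (the "principal xxx" in the error).
PRINCIPAL_ID="${PRINCIPAL_ID:-00000000-0000-0000-0000-000000000000}"
# Read-only custom role. readMetadata is the action the error message names: the SDK
# needs it to resolve the database/container before it can run a single query.
# No write or delete actions, since the app only reads quotes.
role_definition_json() {
  cat <<'EOF'
{
  "RoleName": "QuoteAppDataReader",
  "Type": "CustomRole",
  "AssignableScopes": ["/"],
  "Permissions": [{
    "DataActions": [
      "Microsoft.DocumentDB/databaseAccounts/readMetadata",
      "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
      "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeQuery",
      "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed"
    ]
  }]
}
EOF
}
# Create the role definition, then assign it to the identity, scoped to the one
# database the app uses rather than the whole account ("/").
apply_role() {
  body=$(mktemp)
  role_definition_json > "$body"
  role_id=$(az cosmosdb sql role definition create \
    --account-name "$ACCOUNT" --resource-group "$RG" \
    --body "@$body" --query id -o tsv)
  az cosmosdb sql role assignment create \
    --account-name "$ACCOUNT" --resource-group "$RG" \
    --role-definition-id "$role_id" --principal-id "$PRINCIPAL_ID" \
    --scope "/dbs/quotedb"
  rm -f "$body"
  # Confirm what the identity can now do before redeploying the app.
  az cosmosdb sql role assignment list \
    --account-name "$ACCOUNT" --resource-group "$RG" -o table
}
# Only touch Azure when invoked as: sh grant-quote-reader.sh apply
if [ "${1:-}" = "apply" ]; then
  apply_role
fi
```

Note that "Cosmos DB Account Reader Role" from the IAM blade is a control-plane (ARM) role; the readMetadata check in the error is enforced by Cosmos DB's own data-plane RBAC, which only these sql role definitions and assignments satisfy.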

