I'm moving my services to use MSI to connect to Cosmos DB. I've successfully done this using official documentation for function apps, data factory, and cognitive services. However, for Synapse I'm running into problems.
Steps I've followed:
- Grant CosmosDB Reader and DocumentDB account contributor permissions to the managed identity for Synapse.
- Create a linked service in Synapse connecting to Cosmos.
- Verified clicking 'Test connection' returns a success
- In Synapse Studio, click on the container -> New Notebook -> Load streaming dataframe
- Run using a spark pool that is 3.1 + dfStream = spark.readStream\
.format("cosmos.oltp.changeFeed")\
.option("spark.synapse.linkedService", "marketinginsightsdb")\
.option("spark.cosmos.container", "Taxonomy")\
.option("spark.cosmos.changeFeed.startFrom", "Beginning")\
.option("spark.cosmos.changeFeed.mode", "Incremental")\
.load()
However, running this results in a " java.lang.RuntimeException: Resolving Azure CosmosDB LinkedService [marketinginsightsdb] in Azure Synapse failed.Validate the configured LinkedService. If still seeing this, try using the Azure CosmosDB account name and credentials directly."
The error message itself is generic and not helpful:
Caused by: java.lang.Exception: Access token couldn't be obtained {"result":"DependencyError","errorId":"BadRequest","errorMessage":"LSRServiceException is [{\"StatusCode\":400,\"ErrorResponse\":{\"code\":\"BadRequest\",\"message\":\"Invalid Input\",\"target\":null}
It's worth noting that connections strings work fine, but this is not an option due to security requirements. I have also tried using AAD auth with a Service Principal and gotten the same response.
Here are the reference docs I have been using:
https://learn.microsoft.com/en-us/azure/cosmos-db/managed-identity-based-authentication
https://learn.microsoft.com/en-us/azure/synapse-analytics/quickstart-connect-synapse-link-cosmos-db
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 80%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENJ%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 83%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 96%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EW6%3C/text%3E%3C/svg%3E)