I've had a couple people reach out regarding this. The product team told me that the Cosmos DB OLTP Spark connector does not support AAD auth yet (even though the portal gives all the options). It's on their roadmap for the next 6 months, but I haven't had any luck getting more specifics than that.
Connecting Cosmos to Synapse using Managed identity
I'm moving my services to use MSI to connect to Cosmos DB. I've successfully done this using official documentation for function apps, data factory, and cognitive services. However, for Synapse I'm running into problems.
Steps I've followed:
- Grant CosmosDB Reader and DocumentDB account contributor permissions to the managed identity for Synapse.
- Create a linked service in Synapse connecting to Cosmos.
- Verified clicking 'Test connection' returns a success
- In Synapse Studio, click on the container -> New Notebook -> Load streaming dataframe
- Run using a spark pool that is 3.1+

```python
# Read the container's change feed as a stream, authenticating via the Synapse linked service
dfStream = spark.readStream\
    .format("cosmos.oltp.changeFeed")\
    .option("spark.synapse.linkedService", "marketinginsightsdb")\
    .option("spark.cosmos.container", "Taxonomy")\
    .option("spark.cosmos.changeFeed.startFrom", "Beginning")\
    .option("spark.cosmos.changeFeed.mode", "Incremental")\
    .load()
```
However, running this results in a "java.lang.RuntimeException: Resolving Azure CosmosDB LinkedService [marketinginsightsdb] in Azure Synapse failed.Validate the configured LinkedService. If still seeing this, try using the Azure CosmosDB account name and credentials directly."
The error message itself is generic and not helpful:
```
Caused by: java.lang.Exception: Access token couldn't be obtained {"result":"DependencyError","errorId":"BadRequest","errorMessage":"LSRServiceException is [{\"StatusCode\":400,\"ErrorResponse\":{\"code\":\"BadRequest\",\"message\":\"Invalid Input\",\"target\":null}
```
It's worth noting that connection strings work fine, but this is not an option due to security requirements. I have also tried using AAD auth with a Service Principal and gotten the same response.
Here are the reference docs I have been using:
https://learn.microsoft.com/en-us/azure/cosmos-db/managed-identity-based-authentication
https://learn.microsoft.com/en-us/azure/synapse-analytics/quickstart-connect-synapse-link-cosmos-db