Role required to read/write data from Cosmos DB (SQL API) from ADF?

Ashutosh Saini 36 Reputation points
2022-04-06T15:47:26.763+00:00

We are trying to read/write data from Azure Data Factory. Since local authentication is disabled in Cosmos DB, we are trying to access Cosmos DB using a managed identity.
However, even with the Cosmos DB Account Contributor role assigned to the managed identity of ADF, we are still getting the auth error below:

CosmosDbSqlApi operation Failed. ErrorMessage: Request blocked by Auth cosmosDB-02 : Request is blocked because principal [0000000] does not have required RBAC permissions to perform action [Microsoft.DocumentDB/databaseAccounts/readMetadata] on resource [/]. Learn more: https://aka.ms/cosmos-native-rbac. ActivityId: abcd-xycz, Microsoft.Azure.Documents.Common/2.14.0, Windows/10.0.17763 cosmos-netstandard-sdk/3.19.3.


Accepted answer
  1. PRADEEPCHEEKATLA-MSFT 78,576 Reputation points Microsoft Employee
    2022-04-07T09:17:49.23+00:00

    Hello @Ashutosh Saini ,

    Thanks for the question and using MS Q&A platform.

    As per the error message, it says that your principal [0000000] does not have the required RBAC permissions to perform action [Microsoft.DocumentDB/databaseAccounts/readMetadata] on the resource, which means it does not have proper permissions to read metadata.

    Grant the service principal proper permission. More specifically, create a role definition, and assign the role to the service principal via the service principal's object ID.

    To resolve this issue, you need the roles "Cosmos DB Built-in Data Reader" and "Cosmos DB Built-in Data Contributor" created and assigned to the service principal.

    Azure Cosmos DB exposes two built-in role definitions:

    [image: table of the two built-in Cosmos DB role definitions]

    For more details, refer to Configure role-based access control with Azure Active Directory for your Azure Cosmos DB account.

    Hope this will help. Please let us know if any further queries.

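The point worth spelling out behind the accepted answer: "Cosmos DB Account Contributor" is an Azure RBAC (control-plane) role, and Cosmos DB evaluates data-plane requests against its own native RBAC, where the two built-in roles "Cosmos DB Built-in Data Reader" (id `00000000-0000-0000-0000-000000000001`) and "Cosmos DB Built-in Data Contributor" (id `00000000-0000-0000-0000-000000000002`) live. Both include `Microsoft.DocumentDB/databaseAccounts/readMetadata`, the action named in the error, so assigning Data Contributor alone is enough for read/write; Data Reader on top of it adds nothing. The script below is an added example, not code from the original post or from Microsoft. It assumes Azure CLI 2.x with an active login, and the resource group, account, factory, database and container names passed to it are hypothetical placeholders. It looks up the object id of the Data Factory's system-assigned managed identity, assigns a built-in data-plane role at an account, database or container scope, and shows a minimal custom role for a write-only sink.

```shell
#!/usr/bin/env bash
# Added example (not from the original Q&A post). Assumes Azure CLI 2.x and an
# existing "az login"; resource names passed in are hypothetical placeholders.
set -eu

# Fixed ids of the two built-in Cosmos DB data-plane role definitions. These are
# separate from Azure RBAC roles such as "Cosmos DB Account Contributor", which
# grant control-plane actions only and do not satisfy readMetadata.
BUILTIN_DATA_READER="00000000-0000-0000-0000-000000000001"
BUILTIN_DATA_CONTRIBUTOR="00000000-0000-0000-0000-000000000002"

# Map a short role name to its built-in role definition id.
role_id_for() {
  case "$1" in
    reader)      printf '%s\n' "$BUILTIN_DATA_READER" ;;
    contributor) printf '%s\n' "$BUILTIN_DATA_CONTRIBUTOR" ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# Build the assignment scope. "/" is the whole account; least privilege for ADF
# is the database (/dbs/<db>) or container (/dbs/<db>/colls/<coll>) it touches.
scope_for() {
  db="${1:-}"; coll="${2:-}"
  if [ -z "$db" ]; then
    printf '/\n'
  elif [ -z "$coll" ]; then
    printf '/dbs/%s\n' "$db"
  else
    printf '/dbs/%s/colls/%s\n' "$db" "$coll"
  fi
}

# Minimal custom role body for a write-only ADF sink. readMetadata is required by
# every SDK client (it is the action in the error); the rest are item writes.
custom_sink_role_body() {
  cat <<EOF
{
  "RoleName": "AdfSinkWriter",
  "Type": "CustomRole",
  "AssignableScopes": ["$1"],
  "Permissions": [{
    "DataActions": [
      "Microsoft.DocumentDB/databaseAccounts/readMetadata",
      "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create",
      "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/upsert",
      "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/replace"
    ]
  }]
}
EOF
}

# Object (principal) id of the factory's system-assigned managed identity.
# The role assignment needs this id, not an application/client id.
adf_principal_id() {
  az resource show --resource-group "$1" --name "$2" \
    --resource-type Microsoft.DataFactory/factories \
    --query identity.principalId -o tsv
}

# Assign a built-in data-plane role to the ADF identity at the given scope.
# usage: grant_adf_data_role <rg> <account> <factory> reader|contributor [db] [coll]
grant_adf_data_role() {
  principal_id=$(adf_principal_id "$1" "$3")
  role_id=$(role_id_for "$4")
  scope=$(scope_for "${5:-}" "${6:-}")
  az cosmosdb sql role assignment create \
    --resource-group "$1" --account-name "$2" \
    --role-definition-id "$role_id" --principal-id "$principal_id" \
    --scope "$scope"
}

# Register the custom sink role on the account (prints the role definition id).
# usage: create_custom_sink_role <rg> <account> <scope>
create_custom_sink_role() {
  custom_sink_role_body "$3" > /tmp/adf-sink-role.json
  az cosmosdb sql role definition create --resource-group "$1" \
    --account-name "$2" --body @/tmp/adf-sink-role.json --query id -o tsv
}

# Verify what is actually assigned on the account after the change.
list_assignments() {
  az cosmosdb sql role assignment list --resource-group "$1" --account-name "$2" -o table
}

# Only talk to Azure when invoked explicitly, e.g.:
#   ./grant.sh --apply my-rg my-cosmos my-adf salesdb orders
if [ "${1:-}" = "--apply" ]; then
  grant_adf_data_role "$2" "$3" "$4" contributor "${5:-}" "${6:-}"
  list_assignments "$2" "$3"
fi
```

After the assignment propagates (typically within a minute or two), rerun the ADF copy activity; if the error persists, compare the principal id printed by `adf_principal_id` with the one in the error message, since a user-assigned identity on the factory has a different object id than the system-assigned one.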
