Diagnose and troubleshoot Azure Cosmos DB forbidden exceptions

APPLIES TO: NoSQL

The HTTP status code 403 represents the request is forbidden to complete.

Firewall blocking requests

Data plane requests can come to Azure Cosmos DB via the following three paths.

  • Public internet (IPv4)
  • Service endpoint
  • Private endpoint

When a data plane request is blocked with 403 Forbidden, the error message specifies via which of the previous three paths the request came to Azure Cosmos DB.

  • Request originated from client IP {...} through public internet.
  • Request originated from client VNET through service endpoint.
  • Request originated from client VNET through private endpoint.

Solution

Understand via which path is the request expected to come to Azure Cosmos DB.

  • If the error message shows that the request didn't come to Azure Cosmos DB via the expected path, the issue is likely to be with client-side setup. Double check your client-side setup following documentations.
  • If the request came to Azure Cosmos DB via the expected path, request was blocked because the source network identity wasn't configured for the account. Check account's settings depending on the path the request came to Azure Cosmos DB.
    • Public internet: check account's public network access and IP range filter configurations.
    • Service endpoint: check account's public network access and virtual network filter configurations.
    • Private endpoint: check account's private endpoint configuration and client's private DNS configuration. This issue could be due to accessing account from a private endpoint that is set up for a different account.

If you recently updated account's firewall configurations, keep in mind that changes can take up to 15 minutes to apply.

Partition key exceeding storage

On this scenario, it's common to see errors like the ones here:

Response status code does not indicate success: Forbidden (403); Substatus: 1014
Partition key reached maximum size of {...} GB

Solution

This error means that your current partitioning design and workload is trying to store more than the allowed amount of data for a given partition key value. There's no limit to the number of logical partitions in your container but the size of data each logical partition can store is limited. You can reach to support for clarification.

Nondata operations aren't allowed

This scenario happens when attempting to perform nondata operations using Microsoft Entra identities. On this scenario, it's common to see errors like the ones here:

Operation 'POST' on resource 'calls' is not allowed through Azure Cosmos DB endpoint
Forbidden (403); Substatus: 5300; The given request [PUT ...] cannot be authorized by AAD token in data plane.

Solution

Perform the operation through Azure Resource Manager, Azure portal, Azure CLI, or Azure PowerShell. If you're using the Azure Functions Azure Cosmos DB Trigger, make sure the CreateLeaseContainerIfNotExists property of the trigger isn't set to true. Using Microsoft Entra identities blocks any nondata operation, such as creating the lease container.