CosmosDB blocking Managed Identity principal for readMetadata action

aditya kature 0 Reputation points
2024-07-09T13:59:42.9+00:00

Hi,

I am having CosmosDB and Managed Identity created in same resource group. I have added Reader, Contributor Roles from Managed Identity - Azure Roles Assignments from left panel of azure portal. But still I am getting following error:

Request blocked by Auth cosmosDBTest : Request is blocked because principal [Actual Managed Identity Object Id] does not have required RBAC permissions to perform action [Microsoft.DocumentDB/databaseAccounts/readMetadata] on resource.

Thanks!

Azure Cosmos DB
Azure Cosmos DB
An Azure NoSQL database service for app development.
1,537 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Oury Ba-MSFT 17,866 Reputation points Microsoft Employee
    2024-07-09T19:31:21.8+00:00

    @aditya kature Thank you for reaching gout.

    There is restriction on RBAC using the CosmosClient Configure role-based access control with Microsoft Entra ID - Azure Cosmos Db | Microsoft Learn Create Database operations are not supported.

    The actual metadata requests allowed by the Microsoft.DocumentDB/databaseAccounts/readMetadata action depend on the scope that the action is assigned to:

    Expand table

    ScopeRequests allowed by the actionAccount• Listing the databases under the account• For each database under the account, the allowed actions at the database scopeAccount• Listing the databases under the account • For each database under the account, the allowed actions at the database scopeDatabase• Reading database metadata • Listing the containers under the database • For each container under the database, the allowed actions at the container scopeContainer• Reading container metadata • Listing physical partitions under the container • Resolving the address of each physical partitionYou could create custom role definitions

    When creating a custom role definition, you need to provide:

    • The name of your Azure Cosmos DB account.
    • The resource group containing your account.
    • The type of the role definition: CustomRole.
    • The name of the role definition.
    • A list of actions that you want the role to allow.
    • One or multiple scope(s) that the role definition can be assigned at; supported scopes are:
      • / (account-level),
        • /dbs/<database-name> (database-level),
          • /dbs/<database-name>/colls/<container-name> (container-level).

    Note

    The operations described are available in:

    Using Azure PowerShell

    Create a role named MyReadOnlyRole that only contains read actions:

    PowerShellCopy

    $resourceGroupName = "<myResourceGroup>" $accountName = "<myCosmosAccount>" New-AzCosmosDBSqlRoleDefinition -AccountName $accountName ` -ResourceGroupName $resourceGroupName ` -Type CustomRole -RoleName MyReadOnlyRole ` -DataAction @( ` 'Microsoft.DocumentDB/databaseAccounts/readMetadata', 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read', ` 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeQuery', ` 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed') ` -AssignableScope "/"

    Create a role named MyReadWriteRole that contains all actions:

    PowerShellCopy

    New-AzCosmosDBSqlRoleDefinition -AccountName $accountName ` -ResourceGroupName $resourceGroupName ` -Type CustomRole -RoleName MyReadWriteRole ` -DataAction @( ` 'Microsoft.DocumentDB/databaseAccounts/readMetadata', 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*', ` 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*') ` -AssignableScope "/"
    0 comments