
I have an Azure Function that reads and updates a Cosmos DB document. I enabled the identity and assigned the following roles to the Azure Function identity (service principal). Somehow I'm seeing the following exception. Could you please let me know the built-in RBAC roles I should assign?

  1. DocumentDB Account Contributor
  2. Cosmos DB Account Reader Role
  3. Contributor

Exception Details:

Request is blocked because principal does not have required RBAC permissions to perform action [Microsoft.DocumentDB/databaseAccounts/readMetadata] on resource .


Answers


  1. Somehow I'm seeing the following exception. Could you please let me know the built-in RBAC roles I should assign?

    1. DocumentDB Account Contributor
    2. Cosmos DB Account Reader Role
    3. Contributor

    To read and update the Cosmos DB account using the Azure Function identity (service principal), you may need the DocumentDB Account Contributor role. With this role, you can perform the following actions:

     Ex:
        Read database account
        Update database account
    


    When I attempt to update a Cosmos DB Account using a Service Principal with the Cosmos DB Account Reader Role, I encounter the following error.

    Update-AzCosmosDBAccount -ResourceGroupName <RG-Name> -Name <Account-Name> -DefaultConsistencyLevel "Strong" -EnableAutomaticFailover 1 -EnableMultipleWriteLocations 1 -EnableVirtualNetwork 1


    To resolve the issue, kindly assign the DocumentDB Account Contributor role to perform read and update operations in the Cosmos DB account.

    I’m able to update the Cosmos DB Account after assigning the role.

    If you still encounter the same error, make sure to assign the role to the correct service principal (the Azure Function's system-assigned identity).

    Refer to the MS Doc for Azure Cosmos DB accounts.

  2. You need to configure RBAC for the data plane not the management plane:

    There are two built-in roles, but you could also create custom roles:

    • Cosmos DB Built-in Data Reader (Id: 00000000-0000-0000-0000-000000000001)
    • Cosmos DB Built-in Data Contributor (Id: 00000000-0000-0000-0000-000000000002)

    You can use Az PowerShell, Az CLI, or the ARM API to create the role assignment.

    Az CLI sample (run from PowerShell, hence the backtick line continuations):

    $resourceGroupName="<myResourceGroup>"
    $accountName="<myCosmosAccount>"
    $dataContributorRoleId="00000000-0000-0000-0000-000000000002"   # built-in Data Contributor
    $principalId="<aadPrincipalId>" # Often called Object ID (of the Function's managed identity)
    # Scope "/" is the whole account; a database or container path narrows it
    az cosmosdb sql role assignment create `
      --account-name $accountName `
      --resource-group $resourceGroupName `
      --scope "/" `
      --principal-id $principalId `
      --role-definition-id $dataContributorRoleId
    
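The `readMetadata` error in the question is raised by the Cosmos DB data plane, so management-plane roles such as DocumentDB Account Contributor or Contributor never satisfy it; only a data-plane role assignment does. The following is an added example, not code from either answer above: it looks up the Function's system-assigned identity from the Function App itself (so the role lands on the right principal), assigns the built-in Data Contributor role scoped to one container rather than the whole account, and lists the result to verify it. All resource names (`rg-demo`, `func-demo`, `cosmos-demo`, `appdb`, `orders`) are assumptions; the role IDs are the fixed built-in values from the answer.

```powershell
# Added example (not from the original post). Assumes these resource names exist.
$ErrorActionPreference = "Stop"

$resourceGroupName = "rg-demo"       # assumption
$functionAppName   = "func-demo"     # assumption
$accountName       = "cosmos-demo"   # assumption
$databaseName      = "appdb"         # assumption
$containerName     = "orders"        # assumption

# Built-in data-plane role IDs (fixed values, identical in every account)
$dataReaderRoleId      = "00000000-0000-0000-0000-000000000001"
$dataContributorRoleId = "00000000-0000-0000-0000-000000000002"

# 1. Principal ID = object ID of the Function's system-assigned identity.
#    Reading it from the Function App avoids assigning the role to a user,
#    an app registration, or some other principal by mistake.
$principalId = az functionapp identity show `
  --name $functionAppName `
  --resource-group $resourceGroupName `
  --query principalId -o tsv
if (-not $principalId) {
  throw "Function '$functionAppName' has no system-assigned identity enabled"
}

# 2. Read + update needs Data Contributor; Data Reader would let the read
#    succeed and fail the update with the same kind of 403. Scope "/" would
#    cover every database and container in the account, so restrict the
#    assignment to the one container the Function actually touches.
$scope = "/dbs/$databaseName/colls/$containerName"

az cosmosdb sql role assignment create `
  --account-name $accountName `
  --resource-group $resourceGroupName `
  --scope $scope `
  --principal-id $principalId `
  --role-definition-id $dataContributorRoleId

# 3. Verify: list the account's data-plane assignments for this principal.
#    The scope and roleDefinitionId columns should show the container path
#    and the Data Contributor ID, not the Data Reader ID.
az cosmosdb sql role assignment list `
  --account-name $accountName `
  --resource-group $resourceGroupName `
  --query "[?principalId=='$principalId'].{scope:scope, role:roleDefinitionId}" `
  -o table
```

The assignment only matters if the Function authenticates to Cosmos DB with a token (for example `DefaultAzureCredential` or `ManagedIdentityCredential` from the Azure Identity library) instead of the account key; a client built from the key bypasses data-plane RBAC entirely, and one built from a token gets exactly the permissions listed by the final command.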