Hi Eng. Mahdi Poodineh,
Thanks for the question and for using the MS Q&A platform.
Based on your inquiry, we understand that the issue arises because the user or service (referred to as the principal) lacks the necessary Role-Based Access Control (RBAC) permissions to execute the action Microsoft.DocumentDB/databaseAccounts/readMetadata on the specified resource. Even though the principal has the "Owner" role, this role may not encompass the required permissions for accessing data in Cosmos DB. To fix this problem, you need to ensure that the principal has the correct RBAC role that grants the necessary permissions. Here's how to do that:
Check Current Role Assignments: Confirm that the principal has the appropriate roles assigned. The "Owner" role may not cover all the data access permissions needed for Cosmos DB.
Assign the Necessary RBAC Roles: Assign either the "Cosmos DB Built-in Data Reader" or "Cosmos DB Built-in Data Contributor" role to the principal. These roles provide the permissions required to read metadata and access data in Cosmos DB.
Steps to Assign the Required Roles
Go to the Azure Portal: Open the Azure portal and navigate to your Cosmos DB account.
Access Control (IAM): Click on Access Control (IAM) from the left-hand menu.
Add Role Assignment: Click on + Add > Add role assignment.
1. Choose either the "Cosmos DB Built-in Data Reader" or "Cosmos DB Built-in Data Contributor" role.
2. Assign the selected role to the principal (user or service) that requires access.
Example Command to Assign Role Using Azure CLI
# "Cosmos DB Built-in Data Reader" is a Cosmos DB data-plane (SQL) role, not an Azure RBAC role, so it is assigned with the cosmosdb sql role assignment command; 00000000-0000-0000-0000-000000000001 is the built-in Data Reader role definition id and "/" scopes the assignment to the whole account.
az cosmosdb sql role assignment create --account-name <cosmos-db-account-name> --resource-group <resource-group> --scope "/" --principal-id <principal-id> --role-definition-id 00000000-0000-0000-0000-000000000001
1. Configure Role-Based Access Control with Microsoft Entra ID for Azure Cosmos DB: This document provides detailed information on configuring RBAC for Cosmos DB.
You can find it here: https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac
2. Troubleshoot Forbidden Exceptions in Azure Cosmos DB: This document provides troubleshooting steps for common forbidden exceptions in Cosmos DB.
You can find it here: https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/troubleshoot-forbidden
By following these steps and ensuring the appropriate RBAC roles are assigned, you should be able to resolve the "Request blocked by Auth" error and access the data in Cosmos DB. If you need further assistance, feel free to ask!
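The scope and action rules the answer relies on (a data-plane assignment at "/" or "/dbs/<db>" covers everything beneath it, and the Data Reader role carries only read actions) can be checked offline before opening a ticket. This is an added example, not code from the answer or from Microsoft; the account path, principal ids and assignments are constructed in the shape `az cosmosdb sql role assignment list` returns.

```python
"""Added example (not the answer's or Microsoft's code): decide offline whether a
principal's Cosmos DB data-plane role assignments grant an action at a scope."""
from fnmatch import fnmatchcase

# Built-in data-plane role ids and their data actions, as documented by Azure.
BUILTIN_ROLES = {
    "00000000-0000-0000-0000-000000000001": [  # Cosmos DB Built-in Data Reader
        "Microsoft.DocumentDB/databaseAccounts/readMetadata",
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeQuery",
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed",
    ],
    "00000000-0000-0000-0000-000000000002": [  # Cosmos DB Built-in Data Contributor
        "Microsoft.DocumentDB/databaseAccounts/readMetadata",
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*",
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*",
    ],
}
def relative_scope(scope: str) -> str:
    """Strip the ARM prefix '/subscriptions/.../databaseAccounts/<acct>' returned by
    `az cosmosdb sql role assignment list`, leaving '/', '/dbs/<db>' or '/dbs/<db>/colls/<c>'."""
    marker = "/databaseAccounts/"
    i = scope.find(marker)
    if i >= 0:
        parts = scope[i + len(marker):].split("/", 1)  # ['<acct>', 'dbs/...']
        scope = "/" + parts[1] if len(parts) == 2 else "/"
    return scope.rstrip("/") or "/"
def scope_covers(assignment_scope: str, request_scope: str) -> bool:
    """An assignment applies to its own scope and to every path beneath it."""
    a, r = relative_scope(assignment_scope), relative_scope(request_scope)
    return a == "/" or r == a or r.startswith(a + "/")
def principal_can(assignments, principal_id: str, action: str, scope: str) -> bool:
    """True if an assignment for the principal covers the scope and the action;
    a trailing '*' in a data action matches any suffix, as it does in Azure."""
    for asg in assignments:
        if asg["principalId"] != principal_id:
            continue
        actions = BUILTIN_ROLES.get(asg["roleDefinitionId"].rsplit("/", 1)[-1], [])
        if scope_covers(asg["scope"], scope) and any(fnmatchcase(action, p) for p in actions):
            return True
    return False
# Constructed sample in the shape `az cosmosdb sql role assignment list` returns.
ACCOUNT = "/subscriptions/sub-id/resourceGroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/myacct"
SAMPLE_ASSIGNMENTS = [
    {"principalId": "app-sp", "scope": ACCOUNT + "/dbs/sales",
     "roleDefinitionId": ACCOUNT + "/sqlRoleDefinitions/00000000-0000-0000-0000-000000000001"},
    {"principalId": "admin-sp", "scope": ACCOUNT + "/",
     "roleDefinitionId": ACCOUNT + "/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002"},
]
```

A principal that is absent from the list entirely (for example one holding only the control-plane "Owner" role) gets False for every action, which is exactly the readMetadata failure described above.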