How to Create a custom RBAC role to provide access to a specific container in cosmosdb

Nishant Gupta 0 Reputation points
2024-11-12T11:30:20.8733333+00:00

Hi Microsoft Support Team,

I’m reaching out for assistance with creating a custom RBAC role that provides access to a specific container within a Cosmos DB account. I followed the instructions outlined in https://learn.microsoft.com/en-us/answers/questions/819618/using-custom-rbac-at-container-level-in-cosmos-db and implemented the JSON configuration as shown below. However, I’m encountering an error: "please provide 'assignableScopes'" when I attempt to deploy it.

Here is the JSON file I am using:

{
    "name": "DB1ContainerAccessOnlyRole",
    "properties": {
        "roleName": "DB1Container-Access-Only",
        "description": "Custom role with access restricted to DB1Container within the Cosmos DB account",
        "assignableScopes": [
            "/subscriptions/5219d320-ba82-44c5-8fdc-f7cb1a71dfe1/resourceGroups/gia-poc/providers/Microsoft.DocumentDB/databaseAccounts/gia-cosmos-db1-27073/dbs/DemoDB1/colls/DB1Container"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.DocumentDB/databaseAccounts/read",
                    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/read"
                ],
                "notActions": [],
                "dataActions": [
                    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read",
                    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
                    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create",
                    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/delete",
                    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/replace"
                ],
                "notDataActions": []
            }
        ]
    }
}

Could you please clarify if there’s an error in my assignableScopes path or if any additional steps are required to enable this role at the container level? Additionally, if there’s any further guidance on specifying assignableScopes for container-level access, it would be greatly appreciated.

Thank you for your assistance!

Best regards,

Nishant


1 answer
  1. Sai Raghunadh M 1,125 Reputation points Microsoft Vendor
    2024-11-12T15:00:35.4733333+00:00

    Hi @Nishant Gupta,

    Thanks for the question and using MS Q&A platform.

    The error you’re encountering typically indicates that the role definition is missing or incorrectly specifying the assignableScopes. Below are a few common causes and solutions:

    Missing or Incorrect Role Definition API Version

    When creating custom roles via Azure, the API version you are using must support role definitions at the Cosmos DB container level. The apiVersion must be set to a version that supports creating and assigning roles at the resource and container levels.

    "apiVersion": "2020-04-01-preview"

    This API version supports role definitions for Cosmos DB resources at various levels, including the container.

    Check Permissions for Container-Level Access: Make sure that the permissions you’re specifying in the custom role are valid for the level of granularity you're targeting. In your case, you’re trying to define a role with both read and write permissions at the container level. Ensure these permissions are supported by the API and correctly applied at the container scope.

    Use the correct role definition type (Microsoft.Authorization/roleDefinitions)

    Once you ensure all of this, the error should resolve, and the custom role will be created and assigned properly at the container level.

    Hope this helps. Do let us know if you have any further queries. If this answers your query, do click Accept Answer and Yes for "Was this answer helpful". And, if you have any further query, do let us know.
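As an added example, not from the question or the answer above: a small Python pre-flight check that a practitioner can run over a Cosmos DB NoSQL data-plane role definition before submitting it. It assumes the body shape that `az cosmosdb sql role definition create --body` takes (AssignableScopes and Permissions/DataActions at the top level; camelCase ARM-style keys are also accepted), that the list of known data actions is the one recalled from the Cosmos DB RBAC docs (verify against the current docs), and that the questioner's JSON above is the input being checked.

```python
import re

# Data-plane actions for the NoSQL API as documented for Cosmos DB RBAC
# (assumption: list recalled from the docs; verify against the current docs).
KNOWN_DATA_ACTIONS = {
    "Microsoft.DocumentDB/databaseAccounts/readMetadata",
    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeQuery",
    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed",
    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeStoredProcedure",
    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/manageConflicts",
} | {
    f"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/{op}"
    for op in ("create", "read", "replace", "upsert", "delete")
}

# Account-relative scopes: "/" (whole account), "/dbs/<db>" or "/dbs/<db>/colls/<container>".
SCOPE_TAIL = re.compile(r"^/?(?:dbs/[^/]+(?:/colls/[^/]+)?)?$")
# Fully qualified ARM prefix that may precede the account-relative part.
ACCOUNT_PREFIX = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.DocumentDB/databaseAccounts/[^/]+"
)

def _get(obj, key):
    """Case-insensitive lookup: ARM templates use camelCase, the CLI body PascalCase."""
    for k, v in obj.items():
        if k.lower() == key.lower():
            return v
    return None

def check_role_definition(body: dict) -> list:
    """Return findings for a role body; an empty list means every check passed."""
    findings = []
    props = _get(body, "properties")
    if isinstance(props, dict):  # the CLI body expects these fields at the top level
        findings.append("assignableScopes/permissions are nested under 'properties'")
        body = props
    scopes = _get(body, "assignableScopes") or []
    if not scopes:
        findings.append("no assignableScopes given")
    for scope in scopes:
        tail = ACCOUNT_PREFIX.sub("", scope) if scope.startswith("/subscriptions/") else scope
        if not SCOPE_TAIL.match(tail):
            findings.append(f"scope is not account, database or container level: {scope}")
    for perm in _get(body, "permissions") or []:
        for key in ("actions", "notActions"):  # Azure control-plane RBAC fields only
            if _get(perm, key):
                findings.append(f"'{key}' is a control-plane field; data-plane roles only use dataActions")
        for action in _get(perm, "dataActions") or []:
            if action.endswith("/*"):
                findings.append(f"wildcard grants more than one container needs: {action}")
            elif action not in KNOWN_DATA_ACTIONS:
                findings.append(f"data action not in the known list: {action}")
    return findings
```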

