issue with "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*"

Question

What are included in "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*"?

In ADF when testing pipeline, we got an error message saying "xxx does not have authorization to perform action 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read' over scope". if in the json file I add "..../containers/read", it failed as screenshot, but I can add "...../containers/write". BUT shouldn't "..containers/" include them both? We have created a role with "..containers/" but still got this error message.

Answer 1

Hi @Xinglu Jiang,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

As I understand, you're facing an issue with role definitions and permissions in Azure Cosmos DB.

What are included in "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*"?

For more information, please refer the document: https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/security/how-to-grant-data-plane-role-based-access?tabs=custom-definition%2Ccsharp&pivots=azure-interface-cli#prepare-role-definition

The error message you're seeing indicates that the action string Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read is not recognized as a valid SQL data action. This suggests that there might be a mismatch or an incorrect specification in your role definition.

Verify that the action strings are correctly specified in your JSON file. For example, ensure there are no typos or incorrect paths.

For more information, please refer the document: https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/security/reference-data-plane-actions#data-actions

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.