Role required to read/write data from cosmos DB (SQL API) from ADF?

Ashutosh Saini 36 Reputation points
2022-04-06T15:47:26.763+00:00

We are trying to read/write data from Azure Data Factory. Since local authentication is disabled in Cosmos DB, we are trying to access Cosmos DB using a managed identity.
However, even with the Cosmos DB Account Contributor role assigned to the managed identity of ADF, we are still getting the auth error below:

CosmosDbSqlApi operation Failed. ErrorMessage: Request blocked by Auth cosmosDB-02 : Request is blocked because principal [0000000] does not have required RBAC permissions to perform action [Microsoft.DocumentDB/databaseAccounts/readMetadata] on resource [/]. Learn more: https://aka.ms/cosmos-native-rbac. ActivityId: abcd-xycz, Microsoft.Azure.Documents.Common/2.14.0, Windows/10.0.17763 cosmos-netstandard-sdk/3.19.3.


Accepted answer
  1. PRADEEPCHEEKATLA 90,461 Reputation points
    2022-04-07T09:17:49.23+00:00

    Hello @Ashutosh Saini ,

    Thanks for the question and using MS Q&A platform.

    As per the error message, your principal [0000000] does not have the required RBAC permissions to perform action [Microsoft.DocumentDB/databaseAccounts/readMetadata] on the resource, which means it doesn't have proper permissions to read metadata.

    Grant the service principal proper permission. More specifically, create a role definition, and assign the role to the service principal via the service principal object ID.

    To resolve this issue, you need the roles "Cosmos DB Built-in Data Reader" and "Cosmos DB Built-in Data Contributor" created and assigned to the service principal.

    Azure Cosmos DB exposes two built-in role definitions:

    [Image: table of the two built-in role definitions, Cosmos DB Built-in Data Reader and Cosmos DB Built-in Data Contributor]

    For more details, refer to Configure role-based access control with Azure Active Directory for your Azure Cosmos DB account.

    Hope this will help. Please let us know if any further queries.

    3 people found this answer helpful.

1 additional answer

  1. thakshak gudimetla 35 Reputation points
    2024-06-19T22:42:53.2433333+00:00

    I was facing the same issue. The below worked for me.
    I opened a terminal, switched to the subscription where my cosmosDb is, and executed:
    az cosmosdb sql role assignment create --account-name "<cosmosDbAccountName>" --resource-group "<resourceGroupName>" --scope "/" --principal-id "<principalIdOfResourceThatNeedsAccess>" --role-definition-name "Cosmos DB Built-in Data Contributor"

    This role "Cosmos DB Built-in Data Contributor" is not exposed in the portal,
    so I had to use az commands.

    7 people found this answer helpful.
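The two answers above describe the same control from two sides: the accepted answer says the data-plane built-in roles (Data Reader / Data Contributor) must be assigned to the principal, and the second answer shows the `az cosmosdb sql role assignment create` command that does it. The following script is an added example, not code from either answerer or from Microsoft: it parses the "Request blocked by Auth" message from the question, checks the principal against a list of existing data-plane role assignments, and, if the principal is not covered, emits the least-privileged built-in role that grants the blocked action plus the matching az command. Assumptions, also marked in the code: the sample account scope, principal IDs and assignments are constructed; the assignment records use the `principalId`, `roleDefinitionId` and `scope` keys as returned by `az cosmosdb sql role assignment list`; and the trailing `/*` in a dataAction is treated as a plain prefix wildcard, which is a simplification of the service's matching. The two built-in role GUIDs are Azure Cosmos DB's documented IDs.

```python
import re

# Azure Cosmos DB built-in data-plane role definitions (documented IDs and dataActions).
BUILT_IN_ROLES = {
    "00000000-0000-0000-0000-000000000001": {
        "name": "Cosmos DB Built-in Data Reader",
        "dataActions": [
            "Microsoft.DocumentDB/databaseAccounts/readMetadata",
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeQuery",
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed",
        ],
    },
    "00000000-0000-0000-0000-000000000002": {
        "name": "Cosmos DB Built-in Data Contributor",
        "dataActions": [
            "Microsoft.DocumentDB/databaseAccounts/readMetadata",
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*",
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*",
        ],
    },
}

# Matches the bracketed fields of the "Request blocked by Auth" message shown in the question.
ERROR_RE = re.compile(
    r"principal \[(?P<principal>[^\]]+)\] does not have required RBAC permissions "
    r"to perform action \[(?P<action>[^\]]+)\] on resource \[(?P<resource>[^\]]*)\]"
)

# Constructed sample data (not real identifiers): an account scope and two existing assignments.
ACCOUNT_SCOPE = ("/subscriptions/<sub-id>/resourceGroups/rg-data/providers/"
                 "Microsoft.DocumentDB/databaseAccounts/cosmos-example")
READER_PRINCIPAL = "11111111-1111-1111-1111-111111111111"        # Data Reader on the whole account
SALES_WRITER_PRINCIPAL = "22222222-2222-2222-2222-222222222222"  # Data Contributor on one database only
BLOCKED_PRINCIPAL = "33333333-3333-3333-3333-333333333333"       # ADF identity with no data-plane role
SAMPLE_ASSIGNMENTS = [  # assumed shape of `az cosmosdb sql role assignment list` output
    {"principalId": READER_PRINCIPAL,
     "roleDefinitionId": ACCOUNT_SCOPE + "/sqlRoleDefinitions/00000000-0000-0000-0000-000000000001",
     "scope": ACCOUNT_SCOPE},
    {"principalId": SALES_WRITER_PRINCIPAL,
     "roleDefinitionId": ACCOUNT_SCOPE + "/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002",
     "scope": ACCOUNT_SCOPE + "/dbs/sales"},
]
SAMPLE_ERROR = (  # constructed from the message format in the question, with a sample principal
    "CosmosDbSqlApi operation Failed. ErrorMessage: Request blocked by Auth cosmosDB-02 : "
    f"Request is blocked because principal [{BLOCKED_PRINCIPAL}] does not have required RBAC "
    "permissions to perform action [Microsoft.DocumentDB/databaseAccounts/readMetadata] on "
    "resource [/]. Learn more: https://aka.ms/cosmos-native-rbac."
)


def parse_auth_error(message):
    """Extract principal, blocked action and resource from the Cosmos DB auth error."""
    m = ERROR_RE.search(message)
    return None if m is None else {"principal": m["principal"], "action": m["action"], "resource": m["resource"]}


def action_matches(pattern, action):
    """Assumption: a trailing '/*' matches any action under that prefix; otherwise exact match."""
    if pattern.endswith("/*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def scope_covers(assignment_scope, account_scope, resource):
    """The error's resource is account-relative ('/' is the account root); an assignment
    covers it when the requested path equals the assignment scope or lies beneath it."""
    requested = account_scope if resource == "/" else account_scope + resource
    return requested == assignment_scope or requested.startswith(assignment_scope + "/")


def principal_is_authorized(assignments, principal, action, resource, account_scope):
    """True if any built-in data-plane assignment for the principal grants the action at that scope."""
    for a in assignments:
        if a["principalId"] != principal:
            continue
        role = BUILT_IN_ROLES.get(a["roleDefinitionId"].rsplit("/", 1)[-1])
        if role is None:  # custom role: its definition would have to be fetched separately
            continue
        if scope_covers(a["scope"], account_scope, resource) and any(
                action_matches(p, action) for p in role["dataActions"]):
            return True
    return False


def smallest_role_for(action):
    """Least-privileged built-in role that grants the action (Reader is checked before Contributor)."""
    for role in BUILT_IN_ROLES.values():
        if any(action_matches(p, action) for p in role["dataActions"]):
            return role["name"]
    return None


def remediation_command(account, resource_group, principal, role_name, scope="/"):
    """The az command from the second answer, filled in for this principal and role."""
    return (f'az cosmosdb sql role assignment create --account-name "{account}" '
            f'--resource-group "{resource_group}" --scope "{scope}" '
            f'--principal-id "{principal}" --role-definition-name "{role_name}"')


def triage(message, assignments, account_scope, account_name, resource_group):
    """Parse the error, check existing assignments, and propose the minimal fix if none covers it."""
    info = parse_auth_error(message)
    if info is None:
        return None
    ok = principal_is_authorized(assignments, info["principal"], info["action"], info["resource"], account_scope)
    fix = None if ok else remediation_command(account_name, resource_group, info["principal"],
                                              smallest_role_for(info["action"]))
    return {**info, "authorized": ok, "fix": fix}


if __name__ == "__main__":
    print(triage(SAMPLE_ERROR, SAMPLE_ASSIGNMENTS, ACCOUNT_SCOPE, "cosmos-example", "rg-data"))
```

Because the blocked action in the question is only readMetadata, the script proposes Data Reader; an ADF pipeline that also writes needs Data Contributor, as both answers say, so the recommendation should be read as the floor for the one failing action rather than the full set a sink activity requires. In practice, feed the script the real output of `az cosmosdb sql role assignment list --account-name ... --resource-group ...` instead of the constructed list.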
