Introduction: The focus of this article is the provisioning of access control for Cosmos DB data access.
Description: One of the most frequently encountered errors after a successful provisioning of a Cosmos DB instance is the following error message:

Response status code does not indicate success: Forbidden (403); Substatus: 5302; ActivityId: 9f80d692-0d31-4aab-918b-e84586cb11fb; Reason: (Message: {"Errors":["Request is blocked because principal [0cd8f3af-37e3-49cb-9bea-b84a6dc67f50] does not have the required RBAC permissions to perform action [Microsoft.DocumentDB\/databaseAccounts\/sqlDatabases\/containers\/items\/create] with OperationType [0] and ResourceType [2] on resource [dbs\/API\/colls\/ApiActionStateStore]. Learn more: https:\/\/aka.ms\/cosmos-native-rbac This could be because the user's group memberships were not present in the AAD token."]}
ActivityId: 9f80d692-0d31-4aab-918b-e84586cb11fb, Request URI: /apps/bebfc2ab-b138-45af-8a32-3fe539d00d75/services/3869c06c-7fef-4642-8185-1eb90808b36f/partitions/1244f14f-3de3-40d6-888c-9683e5e13def/replicas/132741653163445857p/, RequestStats: Microsoft.Azure.Cosmos.Tracing.TraceData.ClientSideRequestStatisticsTraceDatum, SDK: Windows/10.0.22000 cosmos-netstandard-sdk/3.22.2)
The reason it is encountered so often is that users assume role-based access control applies only to the control plane, where the objects used to store data (the account, databases and containers) are secured by roles such as Contributor or Reader. Data-plane access must be secured separately from control-plane access. Specific examples of data-plane actions are "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read" and "Microsoft.DocumentDB/databaseAccounts/readMetadata". Azure Cosmos DB exposes two built-in role definitions. The Cosmos DB Built-in Data Reader grants permission to perform the following data actions:

Microsoft.DocumentDB/databaseAccounts/readMetadata
Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read
Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeQuery
Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed

The Cosmos DB Built-in Data Contributor grants permission to perform the following data actions:

Microsoft.DocumentDB/databaseAccounts/readMetadata
Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*
Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*

Custom role definitions can also be created, but these two built-in roles cover the minimum data actions required.
The role definitions on an account can be fetched with the command:

Get-AzCosmosDBSqlRoleDefinition -AccountName $accountName -ResourceGroupName $resourceGroupName

Once a role definition exists, whether created through the SDK, PowerShell, the CLI or the REST API, it must be assigned to users and groups. If this assignment is missing, the caller receives the error message shown above. Creating the assignment requires sufficient privilege on the account. The remedy that resolves the error message is the following command:
PS C:\users\ravirajamani\source\repos> New-AzCosmosDBSqlRoleAssignment -ResourceGroupName sampleproject-dev-global -AccountName sampleprojectdev -RoleDefinitionName ReadWrite -PrincipalId 0cd8f3af-37e3-49cb-9bea-b84a6dc67f50 -Scope /subscriptions/ad7cfdd8-8685-44b5-8390-284363464cc4/resourceGroups/sampleproject-dev-global/providers/Microsoft.DocumentDB/databaseAccounts/sampleprojectdev

Id               : /subscriptions/ad7cfdd8-8685-44b5-8390-284363464cc4/resourceGroups/sampleproject-dev-global/providers/Microsoft.DocumentDB/databaseAccounts/sampleprojectdev/sqlRoleAssignments/899ad926-b869-42a0-bb28-16fdeba32992
Scope            : /subscriptions/ad7cfdd8-8685-44b5-8390-284363464cc4/resourceGroups/sampleproject-dev-global/providers/Microsoft.DocumentDB/databaseAccounts/sampleprojectdev
RoleDefinitionId : /subscriptions/ad7cfdd8-8685-44b5-8390-284363464cc4/resourceGroups/sampleproject-dev-global/providers/Microsoft.DocumentDB/databaseAccounts/sampleprojectdev/sqlRoleDefinitions/00000000-0000-0000-0000-000000000001
PrincipalId      : 0cd8f3af-37e3-49cb-9bea-b84a6dc67f50
The account and principal IDs shown above are substitutes for the real identifiers used when the command was run.
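The check a practitioner usually wants before running the assignment command above, as an added PowerShell example that is not part of the original post: it lists the account's existing data-plane role assignments, reports whether the principal already holds one whose scope covers the target container, and only otherwise creates a least-privilege assignment. The Az.CosmosDB cmdlets used are real; the role GUID ending in 0001 is assumed to be the built-in Data Reader (0002 the built-in Data Contributor), and the resource names and principal ID at the bottom are placeholders.

```powershell
# Added example, not from the original post: assign a Cosmos DB data-plane role only when no
# existing assignment already covers the principal at the requested scope.
function Grant-CosmosDataPlaneRoleIfMissing {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $AccountName,
        [Parameter(Mandatory)] [string] $PrincipalId,
        # Optional relative scope such as "/dbs/API/colls/ApiActionStateStore"; empty = whole account.
        [string] $RelativeScope = '',
        # Built-in Data Reader by default; 00000000-0000-0000-0000-000000000002 is Data Contributor.
        [string] $RoleDefinitionGuid = '00000000-0000-0000-0000-000000000001'
    )

    $account     = Get-AzCosmosDBAccount -ResourceGroupName $ResourceGroupName -Name $AccountName
    $targetScope = $account.Id + $RelativeScope

    # Resolve the full role definition resource id from its GUID.
    $roleDef = Get-AzCosmosDBSqlRoleDefinition -ResourceGroupName $ResourceGroupName -AccountName $AccountName |
        Where-Object { $_.Id -like "*/sqlRoleDefinitions/$RoleDefinitionGuid" }
    if (-not $roleDef) { throw "Role definition $RoleDefinitionGuid not found on account $AccountName" }

    # An assignment covers the target when its scope equals the target or is an ancestor of it
    # (account scope covers every database and container; "/dbs/API" covers "/dbs/API/colls/...").
    $covering = Get-AzCosmosDBSqlRoleAssignment -ResourceGroupName $ResourceGroupName -AccountName $AccountName |
        Where-Object {
            $_.PrincipalId -eq $PrincipalId -and
            $_.RoleDefinitionId -eq $roleDef.Id -and
            ($targetScope -eq $_.Scope -or
             $targetScope.StartsWith($_.Scope + '/', [System.StringComparison]::OrdinalIgnoreCase))
        }

    if ($covering) {
        Write-Verbose "Principal $PrincipalId is already covered by assignment $($covering[0].Id)"
        return $covering[0]
    }

    if ($PSCmdlet.ShouldProcess($targetScope, "Assign $($roleDef.RoleName) to $PrincipalId")) {
        return New-AzCosmosDBSqlRoleAssignment -ResourceGroupName $ResourceGroupName -AccountName $AccountName `
            -RoleDefinitionId $roleDef.Id -PrincipalId $PrincipalId -Scope $targetScope
    }
}

# Placeholder values; substitute your own resource group, account name and principal object id.
Grant-CosmosDataPlaneRoleIfMissing -ResourceGroupName 'sampleproject-dev-global' -AccountName 'sampleprojectdev' `
    -PrincipalId '00000000-0000-0000-0000-000000000000' -RelativeScope '/dbs/API/colls/ApiActionStateStore' -Verbose
```

Run it with -WhatIf first to see which assignment would be created without changing the account.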
There can be up to 100 role definitions and up to 2000 role assignments per account. Role definitions can be assigned to Azure AD identities belonging to the same Azure AD tenant as the Azure Cosmos DB account. Azure AD group resolution is not currently supported for identities belonging to more than 200 groups. The Azure AD token is currently passed as a header with each individual request sent to the Azure Cosmos DB service.