
Management operations using TokenCredential failing #2394

Open
SumiranAgg opened this issue Apr 15, 2021 · 13 comments
Comments

@SumiranAgg
Member

We are continuously addressing and improving the SDK; if possible, make sure the problem persists in the latest SDK version.

Describe the bug
I gave an AAD identity the DatabaseAccountContributor role from the Azure portal and the /readMetadata and /container/* permissions as per RBAC control for data plane operations (I referred to this doc: https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac). When trying to create a container using a Cosmos client initialized with this identity, I see the error below:

"The given request [POST /dbs/MetadataDatabase/colls] cannot be authorized by AAD token in data plane."

Am I doing something wrong, or is there no support for performing management operations using a client created with AAD credentials?

To Reproduce
Covered above

Expected behavior
All operations should be successful.

Actual behavior
Create container call failed.

Environment summary
SDK Version: 3.18.0-preview
OS Version (e.g. Windows, Linux, MacOSX)


@j82w
Contributor

j82w commented Apr 15, 2021

Currently the .NET and Java SDKs do not support control plane operations via Azure Active Directory. Those management operations can be done via ARM Templates, PowerShell, Azure CLI, REST, or the Azure Management Library.

@SumiranAgg
Member Author

Is the feature development on the roadmap? If yes, do we have an ETA on when we can expect the support?

@j82w
Contributor

j82w commented Apr 16, 2021

The feature is currently not being prioritized, because the control plane operations can be done via the Azure Management Library, which has a C# NuGet package.

@qweeah

qweeah commented Jul 1, 2021

Also met this issue when moving from using Cosmos DB string to Azure Managed Identity in our service.

@j82w I can see that both Azure.ResourceManager.CosmosDB and Microsoft.Azure.Management.CosmosDB are available on NuGet, but the former has not been updated for over 9 months. Is it expected to be replaced by the latter?

The feature is currently not being prioritized, because the control plane operations can be done via the Azure Management Library, which has a C# NuGet package.

@rjygraham

To understand why this needs to be prioritized, someone on the Cosmos DB team should do the following:

  1. Follow the Quickstart: Build a .NET console app to manage Azure Cosmos DB SQL API resources
  2. Run the quickstart and observe successful execution
  3. Modify the quickstart to use DefaultAzureCredential/managed identity for authentication & grant RBAC permissions on the Cosmos DB account
  4. Run the quickstart and observe all the failures
  5. Go through the pain of modifying the quickstart to work 100% with managed identities leveraging multiple SDKs and authentication mechanisms.

@bedding

bedding commented Sep 29, 2021

I ran into the same issue lately and I am surprised this is not prioritized. The Azure.Cosmos SDK provides an implementation for managing databases and containers while the service is blocking the operation from the SDK, which seems to be inconsistent.

@tkrille

tkrille commented Oct 18, 2021

5. Go through the pain of modifying the quickstart to work 100% with managed identities leveraging multiple SDKs and authentication mechanisms.

How do you even do this? I tried to get it to work and after several hours came up with this:

import com.azure.core.management.AzureEnvironment
import com.azure.core.management.profile.AzureProfile
import com.azure.core.util.Configuration
import com.azure.core.util.Configuration.PROPERTY_AZURE_SUBSCRIPTION_ID
import com.azure.resourcemanager.cosmos.CosmosManager
import com.azure.resourcemanager.cosmos.models.*
import com.azure.resourcemanager.resources.ResourceManager

// `credential` (a TokenCredential), `resourceGroup`, `account`, `database`, `containerName`,
// `throughput`, `partitionKeyPath`, `includePath` and `excludePath` are defined by the caller.

// Resolve the default subscription for this credential and make it visible to the Cosmos manager.
val subscriptionId = ResourceManager
    .authenticate(credential, AzureProfile(AzureEnvironment.AZURE))
    .withDefaultSubscription()
    .subscriptionId()
Configuration.getGlobalConfiguration().put(PROPERTY_AZURE_SUBSCRIPTION_ID, subscriptionId)

// Control-plane (ARM) call: create or update the SQL container through the management client,
// which is authorized by the identity's Azure RBAC role rather than the data-plane role.
CosmosManager
    .authenticate(credential, AzureProfile(AzureEnvironment.AZURE))
    .serviceClient()
    .sqlResources
    .createUpdateSqlContainer(
        resourceGroup,
        account,
        database,
        containerName,
        SqlContainerCreateUpdateParameters()
            .withOptions(CreateUpdateOptions().withThroughput(throughput))
            .withResource(
                SqlContainerResource()
                    .withId(containerName)
                    .withPartitionKey(ContainerPartitionKey().withPaths(listOf(partitionKeyPath)))
                    .withIndexingPolicy(
                        IndexingPolicy()
                            .withIncludedPaths(listOf(IncludedPath().withPath(includePath)))
                            .withExcludedPaths(listOf(ExcludedPath().withPath(excludePath)))
                    )
            )
    )

Is this even a good solution? This is in Kotlin with the Java SDK, so it might not really fit in here, but as you can see, it's a lot of code just to cover a basic use case. It would be really nice if the Cosmos DB SDK could do management operations with token credentials.

@kxl307

kxl307 commented Oct 27, 2021

Is there a plan to fix this? At least we want the collection resource to be supported. I thought RBAC supporting all operations in Azure is the future.

@blinard

blinard commented Nov 24, 2021

I understand that there's a difference between data-plane and control-plane RBAC but having a core part of this SDK's functionality broken when using TokenCredential for authentication is a really poor developer experience.

To add insult to injury, none of our documentation calls this out and our error messaging for this issue is fairly obtuse.

Could we, at the very least, take a priority story to update our documentation to reflect this constraint when using TokenCredentials? Also, perhaps better yet, could we throw a custom/clear exception (or output an obvious debugger/console message if an exception is deemed too risky) to call out that resource creation (databases, containers, etc.) is not supported when using TokenCredentials? I would think that we could identify the type of credentials being used from the implementation logic of the impacted methods to facilitate such messaging.

TokenCredential support was added to this SDK back in May. It's now 6 months later. I can understand not prioritizing the issue initially, but it seems like we should do something about it now, even if it's just adding appropriate messaging and updating our docs to reflect the constraint. Obviously it'd be better to actually fix the issue, because expecting devs to integrate multiple NuGet packages and roll their own logic to ensure containers are created is a pretty poor experience too (especially when that concept is already supported within this SDK).
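The clearer failure blinard asks for can be approximated on the caller's side today. The wrapper below is an added illustration, not code from the Cosmos DB SDK or from anyone in this thread: it runs the data-plane "create if not exists" calls with a TokenCredential-backed CosmosClient and, when the service answers with the error text quoted in this issue, rethrows an exception that names the data-plane versus control-plane constraint. The account endpoint and the partition key path are placeholders, and the HTTP status the service pairs with that message is not stated on the page, so only the message is matched.

```csharp
using System;
using System.Threading.Tasks;
using Azure.Identity;
using Microsoft.Azure.Cosmos;

public static class CosmosProvisioning
{
    // Error text quoted in this issue for control-plane calls made with an AAD token.
    private const string AadDataPlaneMarker = "cannot be authorized by AAD token in data plane";

    // Tries the data-plane "create if not exists" calls and converts the opaque service error
    // into an explicit exception that states the constraint and the supported alternative.
    public static async Task<Container> EnsureContainerAsync(
        CosmosClient client, string databaseId, string containerId, string partitionKeyPath)
    {
        try
        {
            // DatabaseResponse/ContainerResponse convert implicitly to Database/Container.
            Database database = await client.CreateDatabaseIfNotExistsAsync(databaseId);
            return await database.CreateContainerIfNotExistsAsync(containerId, partitionKeyPath);
        }
        catch (CosmosException ex) when (
            ex.Message.Contains(AadDataPlaneMarker, StringComparison.OrdinalIgnoreCase))
        {
            throw new NotSupportedException(
                $"Creating '{databaseId}/{containerId}' is a control-plane operation. " +
                "This CosmosClient authenticates with a TokenCredential, and the data-plane RBAC role " +
                "(/readMetadata, /container/*) does not cover management operations. Provision the " +
                "database and container through ARM (Azure.ResourceManager.CosmosDB, Azure CLI or a " +
                $"template) and keep this client for data-plane work. Service status: {(int)ex.StatusCode}.",
                ex);
        }
    }

    public static async Task Main()
    {
        // Placeholder endpoint; DefaultAzureCredential resolves to the managed identity when run in Azure.
        using var client = new CosmosClient(
            "https://<account>.documents.azure.com:443/", new DefaultAzureCredential());
        // "MetadataDatabase" is the database named in the reported error; "/id" is a constructed key path.
        Container container = await EnsureContainerAsync(client, "MetadataDatabase", "Items", "/id");
        Console.WriteLine($"Container ready: {container.Id}");
    }
}
```

Data-plane calls on the same client (reading and writing items) are unaffected by the wrapper; only the two create calls are guarded.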

@ViSilver

Are there any updates on the matter?

@bhanuprakash-1

I understand that there's a difference between data-plane and control-plane RBAC but having a core part of this SDK's functionality broken when using TokenCredential for authentication is a really poor developer experience.

To add insult to injury, none of our documentation calls this out and our error messaging for this issue is fairly obtuse.

Could we, at the very least, take a priority story to update our documentation to reflect this constraint when using TokenCredentials? Also, perhaps better yet, could we throw a custom/clear exception (or output an obvious debugger/console message if an exception is deemed too risky) to call out that resource creation (databases, containers, etc.) is not supported when using TokenCredentials? I would think that we could identify the type of credentials being used from the implementation logic of the impacted methods to facilitate such messaging.

TokenCredential support was added to this SDK back in May. It's now 6 months later. I can understand not prioritizing the issue initially, but it seems like we should do something about it now, even if it's just adding appropriate messaging and updating our docs to reflect the constraint. Obviously it'd be better to actually fix the issue, because expecting devs to integrate multiple NuGet packages and roll their own logic to ensure containers are created is a pretty poor experience too (especially when that concept is already supported within this SDK).

Totally accept. It's a very bad developer experience. I had spent a lot of time only to find that control plane operations are not supported when using TokenCredential (but weirdly are supported with other auth mechanisms). At least the error thrown should point it out.

Any update on this? Or can someone point me to a Learn tutorial where we can do Cosmos DB management operations using the .NET SDK with TokenCredential? It would be really helpful. I expect something like this to have very good documentation and a quick-start tutorial when Azure itself recommends using Managed Identity based auth.

@johncrim

johncrim commented Apr 27, 2023

Currently the .NET and Java SDKs do not support control plane operations via Azure Active Directory. Those management operations can be done via ARM Templates, PowerShell, Azure CLI, REST, or the Azure Management Library.

@j82w - thank you, this is helpful.

However, it really should be highlighted in the docs/examples/API documentation instead of being left for developers to figure out or to find this issue on GitHub. Especially given that using Managed Identity is a best practice, and all these APIs (e.g. create container) are in the client library and work when you're using an emulator, but stop working when running in Azure.

@hansmbakker

Agree, it's a super bad developer experience to have the client.CreateDatabaseIfNotExistsAsync method available but getting runtime errors when using a TokenCredential.

Yes, this is called out in the documentation.
No, it is not intuitive at all.
