
RBAC failure when reading/writing data with TokenCredential #2891

Closed
trevorlacey-msft opened this issue Nov 18, 2021 · 2 comments

trevorlacey-msft commented Nov 18, 2021

Support for TokenCredential authentication was recently added in this PR based on this feature request. Lack of support for control plane/management operations is known and tracked with this issue. However, I am unable to perform even basic data plane operations on existing databases/containers.

We are continuously addressing and improving the SDK; if possible, make sure the problem persists in the latest SDK version.

Describe the bug
A CosmosClient constructed with a TokenCredential fails on operations like Container.CreateItemAsync().

```text
Response status code does not indicate success: Forbidden (403); Substatus: 5301; ActivityId: ded69b58-a49c-4dc3-98ac-97dc8aac6484; Reason: (Request blocked by Auth <my_cosmos_account_name> : Request is blocked because principal [<my_principal_id>] does not have required RBAC permissions to perform action [Microsoft.DocumentDB/databaseAccounts/readMetadata] on resource [/]. Learn more: https://aka.ms/cosmos-native-rbac.This could be because the user's group memberships were not present in the AAD token.
ActivityId: ded69b58-a49c-4dc3-98ac-97dc8aac6484, Microsoft.Azure.Documents.Common/2.14.0, Windows/10.0.19043 cosmos-netstandard-sdk/3.23.1);
```

To Reproduce

  1. Manually create an Azure Cosmos DB account, database, and container in Azure portal via Data Explorer
  2. Grant self 'Cosmos DB Account Reader Role' and 'Owner' role in Access control blade
  3. Create a CosmosClient with DefaultAzureCredential
  4. Get Database, Container, then call Container.CreateItemAsync() method.

```csharp
using Azure.Identity;
using Microsoft.Azure.Cosmos;

CosmosClient client = new CosmosClient("https://<my_cosmos_account_name>.documents.azure.com:443/", new DefaultAzureCredential());
Database database = client.GetDatabase("testdb"); // db already exists
Container container = database.GetContainer("testcontainer"); // container already exists
string containerName = container.Id; // This works! (Id is a local property; no request is sent)
await container.CreateItemAsync(new TestData { Value = "yo!" }); // This throws!

class TestData { public string Value { get; set; } }
```

Expected behavior
No exception. Data should be written to container

Actual behavior
Exception. Forbidden (403)

Environment summary
SDK Version: Microsoft.Azure.Cosmos 3.23.0, Azure.Identity 1.5.0
OS Version: Windows 10 (19043.1348)

@ThomasWeiss
Contributor

@trevorlacey-msft Your second repro step is assigning Azure RBAC built-in roles to your identity. However, the Cosmos DB data plane RBAC is currently a different and independent RBAC system that has its own built-in roles. You want to assign a "Cosmos DB Built-in Data Contributor" role by following the steps described here.
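To make this failure mode recognisable in application code, here is an added example (not code from the issue or the SDK) that catches the 403 with substatus 5301 the issue reports and surfaces that a Cosmos DB data-plane role assignment, not an Azure RBAC role, is what is missing. The account, database and container names and the TestData type are placeholders.

```csharp
using System;
using System.Net;
using System.Threading.Tasks;
using Azure.Identity;
using Microsoft.Azure.Cosmos;

// Placeholder item type; "id" is required by Cosmos DB for every document.
public record TestData(string id, string Value);

public static class DataPlaneRbacCheck
{
    // Substatus Cosmos DB returns when the principal lacks a data-plane RBAC
    // permission (the issue shows it for Microsoft.DocumentDB/databaseAccounts/readMetadata).
    private const int RbacPermissionDenied = 5301;

    // Returns true when the write succeeded, false when it was blocked by
    // data-plane RBAC. Any other CosmosException is left to propagate.
    public static async Task<bool> TryWriteAsync(Container container, TestData item)
    {
        try
        {
            await container.CreateItemAsync(item);
            return true;
        }
        catch (CosmosException ex) when (ex.StatusCode == HttpStatusCode.Forbidden
                                         && ex.SubStatusCode == RbacPermissionDenied)
        {
            // Azure RBAC roles such as Owner or Cosmos DB Account Reader do not grant
            // data-plane access; the principal needs a Cosmos DB data-plane role.
            Console.Error.WriteLine(
                $"Data-plane RBAC denied (ActivityId {ex.ActivityId}). Assign " +
                "'Cosmos DB Built-in Data Contributor' (or a custom data-plane role) " +
                "to this principal; Azure RBAC roles alone are not sufficient.");
            return false;
        }
    }

    public static async Task Main()
    {
        // Placeholder endpoint and names, as in the issue's repro.
        var client = new CosmosClient(
            "https://<my_cosmos_account_name>.documents.azure.com:443/",
            new DefaultAzureCredential());
        Container container = client.GetDatabase("testdb").GetContainer("testcontainer");
        bool ok = await TryWriteAsync(container, new TestData(Guid.NewGuid().ToString(), "yo!"));
        Console.WriteLine(ok ? "item written" : "blocked by data-plane RBAC");
    }
}
```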

@ealsur
Member

ealsur commented Nov 18, 2021

Same question as #2705

@ealsur ealsur closed this as completed Nov 18, 2021