Cosmos API throwing unauthorized Error #32391

@Ashwad1996

Context:

I am trying to call the Cosmos DB GET API from an Azure PowerShell task within an Azure DevOps (ADO) build pipeline. To authenticate, I opted for a service connection using Workload Identity Federation (WIF).

Steps Taken:

  1. Created a service connection in Azure DevOps.
  2. Using the service connection's issuer and subject, I created a Federated Identity Credential in the Managed Identity (MSI) that has the required permissions on the Cosmos DB account.
  3. Executed a PowerShell script to call the GET REST API for Cosmos DB.

Issue:

I encountered the following error during execution:

{
  "code": "Unauthorized",
  "message": "Request blocked by Auth <cosmos db account>: Provided AAD token was issued by the authority [<Issuer of service connection>] which is not trusted by this database account. Please ensure the token has been issued by the AAD tenant(s) <TenantId of the cosmos db>."
}

This error occurs despite the MSI being in the same tenant as the Cosmos DB account.

Request for Help:

Resolution: What steps can I take to resolve this issue?
Alternate Approach: If this method isn’t feasible, is there an alternate approach for securely calling the Cosmos DB GET API from an ADO pipeline using Azure PowerShell?

Any guidance would be greatly appreciated!
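
A diagnostic check for the error quoted above, as an added example that is not part of the original issue: it decodes the bearer token's claims locally and compares `iss` against the Microsoft Entra issuer forms for the Cosmos DB account's tenant. The function names, the sample token and the tenant GUID are constructed placeholders, and the claims are read without signature validation, for diagnosis only.

```powershell
# Added example: inspect a JWT's issuer before sending it to Cosmos DB.
# ConvertFrom-Base64Url and Test-TokenIssuer are hypothetical helper names.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {          # restore the padding that JWTs strip
        2 { $s += '==' }
        3 { $s += '=' }
        1 { throw 'Invalid base64url length' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Test-TokenIssuer {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$ExpectedTenantId
    )
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT (expected 3 segments)' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json

    # Issuer forms used by Microsoft Entra ID for v1 and v2 access tokens.
    $trusted = @(
        "https://sts.windows.net/$ExpectedTenantId/",
        "https://login.microsoftonline.com/$ExpectedTenantId/v2.0"
    )
    [pscustomobject]@{
        Issuer        = $claims.iss
        TenantClaim   = $claims.tid
        Audience      = $claims.aud
        IssuerTrusted = $trusted -contains $claims.iss
    }
}

# Constructed sample: an unsigned token whose issuer is not the tenant's Entra authority.
$tenant  = '00000000-0000-0000-0000-000000000000'   # placeholder tenant ID
$payload = @{ iss = 'https://issuer.example/constructed'; aud = 'api://AzureADTokenExchange' } | ConvertTo-Json -Compress
$b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($payload)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
Test-TokenIssuer -Token "e30.$b64.sig" -ExpectedTenantId $tenant
```

An `Issuer` equal to the service connection's issuer together with `IssuerTrusted = False` reproduces the condition the error message reports.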

Metadata

    Labels

    Client: This issue points to a problem in the data-plane of the library.
    Cosmos
    Service Attention: Workflow: This issue is responsible by Azure service team.
    customer-reported: Issues that are reported by GitHub users external to the Azure organization.
    needs-team-attention: Workflow: This issue needs attention from Azure service team or SDK team
    question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that
