Cosmos API throwing unauthorized Error #32391

Closed
Ashwad1996 opened this issue Dec 31, 2024 · 2 comments
Labels
Client: This issue points to a problem in the data-plane of the library.
Cosmos
customer-reported: Issues that are reported by GitHub users external to the Azure organization.
needs-team-attention: Workflow: This issue needs attention from Azure service team or SDK team
question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that
Service Attention: Workflow: This issue is responsible by Azure service team.

Comments

@Ashwad1996

Context:

I am trying to call the Cosmos DB GET API from an Azure PowerShell task within an Azure DevOps (ADO) build pipeline. To authenticate, I opted for a service connection using Workload Identity Federation (WIF).

Steps Taken:

  1. Created a service connection in Azure DevOps.
  2. Using the service connection's issuer and subject, I created a Federated Identity Credential in the Managed Identity (MSI) that has the required permissions on the Cosmos DB account.
  3. Executed a PowerShell script to call the GET REST API for Cosmos DB.

Issue:

I encountered the following error during execution:

{
  "code": "Unauthorized",
  "message": "Request blocked by Auth <cosmos db account>: Provided AAD token was issued by the authority [<Issuer of service connection>] which is not trusted by this database account. Please ensure the token has been issued by the AAD tenant(s) <TenantId of the cosmos db>."
}

This error occurs despite the MSI being in the same tenant as the Cosmos DB account.

Request for Help:

Resolution: What steps can I take to resolve this issue?
Alternate Approach: If this method isn’t feasible, is there an alternate approach for securely calling the Cosmos DB GET API from an ADO pipeline using Azure PowerShell?

Any guidance would be greatly appreciated!
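The error above identifies the token's issuer as the reason for rejection. As an added example (not code from the issue author or from the SDK), the PowerShell below decodes a token's `iss`, `aud` and `sub` claims locally so the issuer can be compared with the Cosmos DB account's tenant before the request is sent. The function names, the sample tokens and the two Entra ID issuer URL formats are assumptions.

```powershell
# Decode a JWT payload locally. This does not validate the signature.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        1 { throw 'Invalid base64url length.' }
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

# Hypothetical helper: report who issued the token and for which audience.
function Get-TokenIssuerCheck {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$TenantId
    )
    $parts = $Token.Split('.')
    if ($parts.Length -ne 3) { throw 'Expected a compact JWT with three segments.' }
    $claims = ConvertFrom-Base64Url -Value $parts[1] | ConvertFrom-Json
    # Assumption: Entra ID issuer formats for v1 and v2 tokens.
    $trusted = @(
        "https://sts.windows.net/$TenantId/",
        "https://login.microsoftonline.com/$TenantId/v2.0"
    )
    [pscustomobject]@{
        Issuer         = $claims.iss
        Audience       = $claims.aud
        Subject        = $claims.sub
        IssuedByTenant = $trusted -contains $claims.iss
    }
}

# Constructed, unsigned sample tokens with placeholder values.
function New-SampleJwt {
    param([Parameter(Mandatory)][hashtable]$Claims)
    $segments = @(@{ alg = 'none' }, $Claims) | ForEach-Object {
        $json = $_ | ConvertTo-Json -Compress
        [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($json)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    }
    (@($segments) + 'sig') -join '.'
}

$tenant    = '00000000-0000-0000-0000-000000000001'   # placeholder tenant ID
$federated = New-SampleJwt @{ iss = 'https://issuer.example/placeholder'; aud = 'api://AzureADTokenExchange'; sub = 'placeholder' }
$entra     = New-SampleJwt @{ iss = "https://login.microsoftonline.com/$tenant/v2.0"; aud = 'https://cosmos.azure.com'; sub = 'placeholder' }
Get-TokenIssuerCheck -Token $federated -TenantId $tenant
Get-TokenIssuerCheck -Token $entra -TenantId $tenant
```

A token for which `IssuedByTenant` is false has an issuer other than the account's tenant, which is the condition the error message reports.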

@github-actions bot added the Client, Cosmos, customer-reported, needs-team-attention, question, and Service Attention labels Dec 31, 2024

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @sajeetharan @simorenoh.

@jeremymeng
Member

@Ashwad1996 this repository is for the JavaScript SDK (npm packages). You should find the proper place to report issues for Azure PowerShell. Maybe start from here: https://github.com/azure/azure-powershell/issues

@jeremymeng closed this as not planned Dec 31, 2024