Facing issue with creating new cosmos db context #486
Comments
Hi @vasanthkumar258, What version of the
Hi @vasanthkumar258 - the function
Hey @PlagueHO, I am running v2.19.0 of Az.Accounts in Azure Cloud Shell. But in the documentation it's mentioned as Az.Account. When I tried to install this I got an error:
C:\WINDOWS\system32> Install-Module -Name Az.Account
Hi @vasanthkumar258 - hmm. Have you assigned a data plane RBAC role to the Cosmos DB account as per this doc: https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac For example, we do this in the integration tests here: https://github.com/PlagueHO/CosmosDB/blob/main/tests/Integration/CosmosDB.integration.Tests.ps1#L887 I'm wondering if
@PlagueHO, there is an RBAC role assigned; even then I am getting the above issue.
Hi @vasanthkumar258 - ah, I see the issue. These are Management RBAC assignments. You need to do Data plane RBAC assignments, which unfortunately can't be done via the Azure Portal. This page doesn't make that very clear. For example: the Contributor role assigned to an Azure Cosmos DB account does not give Data Plane access to the Cosmos DB. Instead, you need to use the

$accountName = '<your Cosmos DB account>'
$resourceGroupName = '<your RG containing Cosmos DB>'
$roleDefinitionId = '00000000-0000-0000-0000-000000000002' # This is the built-in "Cosmos DB Built-in Data Contributor" role
$principalId = '<The object ID for the user/service principal/group>'
New-AzCosmosDBSqlRoleAssignment `
    -AccountName $accountName `
    -ResourceGroupName $resourceGroupName `
    -RoleDefinitionId $roleDefinitionId `
    -Scope "/" `
    -PrincipalId $principalId

You can also create custom RBAC data plane roles and assign them via:
Does this make sense? I did a demo of this (was using a C# client but it works the same) a few days ago and here is my sample PowerShell I was using to configure the Account and containers: https://github.com/PlagueHO/whats-new-in-cosmos-db-2024/blob/main/configurecosmosdbrbac.ps1#L63
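The following is an added example, not the CosmosDB project's code and not the script from the comment above. It puts the two points of this thread together: the comment above (management-plane roles such as Contributor are invisible to the data plane, so the principal needs a SQL data plane assignment) and the issue below (Get-AzAccessToken from a managed-identity session fails with AudienceNotSupported for the Cosmos DB endpoint). It assumes Az.Accounts and Az.CosmosDB are installed and Connect-AzAccount has already run; the function names are this example's own, the values in angle brackets are placeholders, and the Data Reader role GUID (...0001) is taken from the Cosmos DB built-in role documentation rather than from this page.

```powershell
# Added example (not the CosmosDB project's or the thread's own script).
# Assumes Az.Accounts and Az.CosmosDB are installed and Connect-AzAccount ran.
# Everything in angle brackets is a placeholder.

# Built-in SQL data plane roles. ...0002 is the Data Contributor id used in the
# thread; ...0001 is the built-in Data Reader (assumed from the Cosmos DB docs).
$dataReaderRoleId      = '00000000-0000-0000-0000-000000000001'
$dataContributorRoleId = '00000000-0000-0000-0000-000000000002'

function Get-CosmosDbDataPlaneRole {
    # Lists the SQL data plane assignments held by one principal. Management
    # plane roles (Owner, Contributor, ...) never appear here, which is the gap
    # that produced the thread's "role assigned but still no access" symptom.
    param(
        [Parameter(Mandatory)] [string] $AccountName,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $PrincipalId
    )
    # RoleDefinitionId comes back as a full ARM resource id; keep the GUID tail.
    $roleGuid = @{ Name = 'RoleGuid'; Expression = { ($_.RoleDefinitionId -split '/')[-1] } }
    Get-AzCosmosDBSqlRoleAssignment -AccountName $AccountName -ResourceGroupName $ResourceGroupName |
        Where-Object { $_.PrincipalId -eq $PrincipalId } |
        Select-Object PrincipalId, Scope, $roleGuid
}

function Grant-CosmosDbDataPlaneRole {
    # Assigns a built-in data plane role only when the principal has none.
    # Scope '/' is the whole account; '/dbs/<db>' or '/dbs/<db>/colls/<coll>'
    # narrows it, which is the least-privilege choice for most workloads.
    param(
        [Parameter(Mandatory)] [string] $AccountName,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $PrincipalId,
        [string] $RoleDefinitionId = $dataReaderRoleId,
        [string] $Scope = '/'
    )
    $existing = Get-CosmosDbDataPlaneRole -AccountName $AccountName `
        -ResourceGroupName $ResourceGroupName -PrincipalId $PrincipalId
    if ($existing) {
        Write-Host "Principal $PrincipalId already holds: $($existing.RoleGuid -join ', ')"
        return $existing
    }
    New-AzCosmosDBSqlRoleAssignment -AccountName $AccountName `
        -ResourceGroupName $ResourceGroupName `
        -RoleDefinitionId $RoleDefinitionId `
        -Scope $Scope `
        -PrincipalId $PrincipalId
}

function Get-JwtAudience {
    # Decodes the (unverified) JWT payload and returns its 'aud' claim. This is
    # only a diagnostic to see which resource the token was issued for.
    param([Parameter(Mandatory)] [string] $Token)
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    [string] ($json | ConvertFrom-Json).aud
}

function Test-CosmosDbTokenAudience {
    # Requests a token for the account endpoint and checks its audience. In a
    # session authenticated by a managed identity (Cloud Shell in the issue),
    # the request itself fails with AudienceNotSupported; surface that error
    # rather than silently using a management-plane token instead.
    param([Parameter(Mandatory)] [string] $Endpoint)
    try {
        $token = (Get-AzAccessToken -ResourceUrl $Endpoint).Token
        # Az.Accounts 2.x returns a plain string; newer releases return a
        # SecureString (ConvertFrom-SecureString -AsPlainText needs PowerShell 7).
        if ($token -is [securestring]) {
            $token = ConvertFrom-SecureString -SecureString $token -AsPlainText
        }
        $aud = Get-JwtAudience -Token $token
        [pscustomobject]@{
            Endpoint = $Endpoint
            Audience = $aud
            Ok       = ($aud.TrimEnd('/') -eq $Endpoint.TrimEnd('/'))
        }
    }
    catch {
        [pscustomobject]@{ Endpoint = $Endpoint; Audience = $null; Ok = $false; Error = $_.Exception.Message }
    }
}

# Usage (placeholders):
# Grant-CosmosDbDataPlaneRole -AccountName '<account>' -ResourceGroupName '<rg>' `
#     -PrincipalId '<object id>' -RoleDefinitionId $dataContributorRoleId
# Test-CosmosDbTokenAudience -Endpoint 'https://<account>.documents.azure.com'
```

Run Get-CosmosDbDataPlaneRole first: an empty result for a principal that clearly has Contributor on the account is exactly the situation described in the comment above. Grant-CosmosDbDataPlaneRole defaults to the Data Reader role at account scope; pass $dataContributorRoleId (and a narrower -Scope) only where writes are actually needed. Test-CosmosDbTokenAudience returns Ok = $false with the AudienceNotSupported message when the session is backed by a managed identity that cannot mint tokens for the Cosmos DB audience, which distinguishes that failure from a missing role assignment.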
@vasanthkumar258 - did you get a chance to see if this resolved your issue?
Issue
Facing issue with creating new cosmos db context - followed the documentation at Get-Module -Name CosmosDB
command -
$entraIdOAuthToken = Get-CosmosDbEntraIdToken -Endpoint 'https://cosmos-cxpes-ppe-hipri.documents.azure.com'
error -
Get-CosmosDbEntraIdToken: The term 'Get-CosmosDbEntraIdToken' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
Then I checked the implementation, and it is internally calling
command-
$token = (Get-AzAccessToken -ResourceUrl 'https://cosmos-cxpes-ppe-hipri.documents.azure.com').Token
and running the above script gives the below error:
Get-AzAccessToken: ManagedIdentityCredential authentication failed: Service request failed.
Status: 400 (Bad Request)
Content:
{"error":{"code":"AudienceNotSupported","message":"Audience https://cosmos-cxpes-ppe-hipri.documents.azure.com/ is not a supported MSI token audience. Supported audiences: https://management.core.windows.net/,https://management.azure.com/,https://graph.windows.net/,https://vault.azure.net,https://datalake.azure.net/,https://outlook.office365.com/,https://graph.microsoft.com/,https://batch.core.windows.net/,https://analysis.windows.net/powerbi/api,https://storage.azure.com/,https://rest.media.azure.net,https://api.loganalytics.io,https://ossrdbms-aad.database.windows.net,https://www.yammer.com,https://digitaltwins.azure.net,0b07f429-9f4b-4714-9392-cc5e8e80c8b0,822c8694-ad95-4735-9c55-256f7db2f9b4,https://dev.azuresynapse.net,https://database.windows.net,https://quantum.microsoft.com,https://iothubs.azure.net,2ff814a6-3304-4ab8-85cb-cd0e6f879c1d,https://azuredatabricks.net/,ce34e7e5-485f-4d76-964f-b3d2b16d1e4f,https://azure-devices-provisioning.net,https://managedhsm.azure.net,499b84ac-1321-427f-aa17-267ca6975798,https://api.adu.microsoft.com/,https://purview.azure.net/,6dae42f8-4368-4678-94ff-3960e28e3630,https://cognitiveservices.azure.com,48ac35b8-9aa8-4d74-927d-1f4a14a0b239,46da2f7e-b5ef-422a-88d4-2a7f9de6a0b2"}}
Headers:
X-Powered-By: REDACTED
ETag: W/"4d1-rUhcpPTlFmqXlRv/iJgNoMnWvCs"
Date: Wed, 22 May 2024 17:08:40 GMT
Connection: keep-alive
Keep-Alive: REDACTED
Content-Type: application/json; charset=utf-8
Content-Length: 1233
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot
Version of the CosmosDB module (Get-Module -Name CosmosDB): 4.7.0