Closed RetYn closed 2 years ago
Are you targeting a real account or the emulator? DefaultAzureCredential is not a construct / class from the Cosmos SDK, but from the Azure SDKs: https://github.com/Azure/azure-sdk-for-net/
Is the App Id 72f988bf-86f1-41af-91ab-2d7cd011db47 or the Tenant 975f013f-7f24-47e8-a7d3-abc4752bf346 incorrect? Are you creating the roles/permissions as part of your flow?
Closing due to inactivity, please reopen and share the required information
We encountered this exact error when we moved an Azure App Service and a CosmosDB instance from one subscription to the other. The Azure App Service has a user-managed Identity to access resources. We are updating the Identity to match the new subscription environment. I expect we will have to grant the new Identity access to the CosmosDB and other resources while removing the now-obsolete identity from the original resource location.
Leaving this comment since this page is the 1st search hit for the 401 / 5007 combination.
Describe the bug: I use DefaultAzureCredential to init CosmosClient, new CosmosClient(endpoint, new DefaultAzureCredential(), options), in a C# console app, and run the app in an ADO pipeline with a service connection. Sometimes it gets a 401 error with the following error message: Provided AAD token was issued by the authority [72f988bf-86f1-41af-91ab-2d7cd011db47] which is not trusted by this database account. The pipeline can be retried successfully after several times.
To Reproduce: In description
Expected behavior: CosmosClient should have the authority to perform the action.
Actual behavior: Cosmos client throws an error: Unhandled exception. System.AggregateException: One or more errors occurred. (Response status code does not indicate success: Unauthorized (401); Substatus: 5007; ActivityId: fdb3e90c-fc99-49c3-bb00-c9c7f2039955; Reason: (Request blocked by Auth metadatastore-ppe : Provided AAD token was issued by the authority [72f988bf-86f1-41af-91ab-2d7cd011db47] which is not trusted by this database account. Please ensure the token has been issued by the AAD tenant(s) [975f013f-7f24-47e8-a7d3-abc4752bf346]. ActivityId: fdb3e90c-fc99-49c3-bb00-c9c7f2039955, Microsoft.Azure.Documents.Common/2.14.0, Windows/10.0.20348 cosmos-netstandard-sdk/3.28.2);)
Environment summary: SDK Version: 3.28.0 OS Version (e.g. Windows, Linux, MacOSX)
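A triage helper for the 401 / 5007 error reported above, as an added example that is not part of the thread or of the Azure/Cosmos SDKs: it pulls the issuing and trusted tenant IDs out of the error text and checks the `tid` claim of an access token against the trusted list, which can be logged before the Cosmos call to see which tenant a credential actually issued for. The function names and the sample token are constructed for illustration, and the token is decoded without signature verification, so the result is for diagnostics only.

```python
import base64
import json
import re

# Constructed sample: the Reason text of the 401/5007 error quoted in the issue.
SAMPLE_REASON = (
    "Provided AAD token was issued by the authority "
    "[72f988bf-86f1-41af-91ab-2d7cd011db47] which is not trusted by this "
    "database account. Please ensure the token has been issued by the AAD "
    "tenant(s) [975f013f-7f24-47e8-a7d3-abc4752bf346]."
)
GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"

def parse_5007_reason(reason):
    """Return (issuing_tenant, [trusted_tenants]) or None if the text differs."""
    m = re.search(r"issued by the authority \[(" + GUID + r")\].*?"
                  r"AAD tenant\(s\) \[([^\]]*)\]", reason, re.S)
    if not m:
        return None
    return m.group(1).lower(), [t.lower() for t in re.findall(GUID, m.group(2))]

def token_tenant(jwt):
    """Read the 'tid' claim of a compact JWT WITHOUT verifying its signature.
    Diagnostic only: never base an authorization decision on this value."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return str(claims.get("tid", "")).lower()

def check_token_tenant(jwt, trusted_tenants):
    """Compare the token's tenant with the tenants the account trusts."""
    tid = token_tenant(jwt)
    return {"token_tenant": tid,
            "trusted": tid in {t.lower() for t in trusted_tenants}}

def make_sample_token(tid):
    """Constructed token with a dummy signature so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc({"tid": tid}), "sig"])

if __name__ == "__main__":
    issuer, trusted = parse_5007_reason(SAMPLE_REASON)
    print("issued by:", issuer, "| trusted:", trusted)
    print(check_token_tenant(make_sample_token(issuer), trusted))
```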