Azure / azure-cosmos-dotnet-v3

.NET SDK for Azure Cosmos DB for the core SQL API
MIT License

Operation 'POST' on resource 'dbs' is not allowed through Azure Cosmos DB endpoint. Please switch on such operations for your account, or perform this operation through Azure Resource Manager, Azure Portal, Azure CLI or Azure Powershell #4552

Closed pjohnst5 closed 1 week ago

pjohnst5 commented 1 week ago

We are continuously addressing and improving the SDK; if possible, make sure the problem persists in the latest SDK version.

Describe the bug Hello, I am using managed identity to connect to a cosmos db from a .net application (I also work for Microsoft, Azure). I see the following error when trying to CreateDatabaseIfNotExistsAsync():

Response status code does not indicate success: Forbidden (403); Substatus: 0; ActivityId: ff8c1b3c-0bd5-47da-9113-066f3bd0c3e9; Reason: ({"code":"Forbidden","message":"\"Operation 'POST' on resource 'dbs' is not allowed through Azure Cosmos DB endpoint. Please switch on such operations for your account, or perform this operation through Azure Resource Manager, Azure Portal, Azure CLI or Azure Powershell

My expectation here is to be able to create DBs and Containers if they do not exist, using Managed Identity

I have already made an az cosmosdb sql role with sufficient permissions, and assigned it to the MI as well as me (for testing):

az cosmosdb sql role definition show --account-name subnetdelegator-westus-yinuh -g cosmostest4 -i 5d4d8955-51ad-5f1a-a377-894715803041
{
  "assignableScopes": [
    "/subscriptions/9b8218f9-902a-4d20-a65c-e98acec5362f/resourceGroups/cosmostest4/providers/Microsoft.DocumentDB/databaseAccounts/subnetdelegator-westus-yinuh"
  ],
  "id": "/subscriptions/9b8218f9-902a-4d20-a65c-e98acec5362f/resourceGroups/cosmostest4/providers/Microsoft.DocumentDB/databaseAccounts/subnetdelegator-westus-yinuh/sqlRoleDefinitions/5d4d8955-51ad-5f1a-a377-894715803041",
  "name": "5d4d8955-51ad-5f1a-a377-894715803041",
  "permissions": [
    {
      "dataActions": [
        "Microsoft.DocumentDB/databaseAccounts/readMetadata",
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/write",
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*",
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*"
      ],
      "notDataActions": []
    }
  ],
  "resourceGroup": "cosmostest4",
  "roleName": "DB Writer Role",
  "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions",
  "typePropertiesType": "CustomRole"
}

The goal here is to be able to create a cosmos db, which gives the managed identity sufficient privileges to create dbs and containers

To Reproduce

using Azure.Identity;
using Microsoft.Azure.Cosmos;

var credential = new ManagedIdentityCredential("clientid"); // string literal, not a char literal
_cosmosClient = new CosmosClient(endpointUri, credential);
await _cosmosClient.CreateDatabaseIfNotExistsAsync("New DB"); // Fails with the 403 above

Expected behavior I would like the .Net app to be able to create dbs and containers, since the .net app has sufficient privileges per the az cosmosdb sql role definition

Actual behavior Failure seen in description

Environment summary
SDK Version: 3.41.0
OS Version (e.g. Windows, Linux, MacOSX): Windows

Additional context Add any other context about the problem here (for example, complete stack traces or logs).

pjohnst5 commented 1 week ago

Ah, this may be why: in the db that fails for me, I have this set: "disableKeyBasedMetadataWriteAccess": true,

And I believe that the db creation needs keys?

However, with a different db with "disableKeyBasedMetadataWriteAccess" set to false, db creation also fails there (but container creation succeeds)

So it would still be nice to be able to create dbs when "disableKeyBasedMetadataWriteAccess" is false

ealsur commented 1 week ago

This is not a client SDK issue. Client SDKs do not perform any of these validations. According to public documentation, data plane SDKs cannot perform management plane operations with MSI: https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#permission-model

That is what the error you are getting says.

disableKeyBasedMetadataWriteAccess seems to be a configuration on the resource. Again, this is unrelated to the client SDK: it is not a configuration that the client sees or understands, and the client is not validating it; the HTTP 403 response comes from the service. Please reach out to the service or support team for clarification.
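The split the error message and the reply above point to, as an added example that is not code from the issue or from the SDK repository: the database is created through Azure Resource Manager (the management plane), and the data-plane SDK is used only for containers and items. It assumes the NuGet packages Azure.Core, Azure.ResourceManager.CosmosDB and Microsoft.Azure.Cosmos, placeholder subscription, resource group and account names, and that the identity holds an Azure RBAC control-plane role on the account (for example the built-in "Cosmos DB Operator") in addition to the data-plane SQL role shown in the issue.

```csharp
// Added example, not code from the issue or from the SDK repository.
// Assumes the NuGet packages Azure.Core, Azure.ResourceManager.CosmosDB and
// Microsoft.Azure.Cosmos, and that the identity holds an Azure RBAC (control-plane)
// role on the account, e.g. "Cosmos DB Operator", besides the data-plane SQL role.
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.ResourceManager;
using Azure.ResourceManager.CosmosDB;
using Azure.ResourceManager.CosmosDB.Models;
using Microsoft.Azure.Cosmos;

public static class CosmosProvisioning
{
    // Placeholder identifiers; substitute your own.
    const string SubscriptionId = "<subscription-id>";
    const string ResourceGroup  = "<resource-group>";
    const string AccountName    = "<account-name>";
    const string EndpointUri    = "https://<account-name>.documents.azure.com:443/";

    // Creates the database through Azure Resource Manager and the container through
    // the data-plane SDK, using one credential (e.g. ManagedIdentityCredential) for both.
    public static async Task<Container> EnsureDatabaseAndContainerAsync(
        TokenCredential credential, string databaseName,
        string containerName, string partitionKeyPath)
    {
        // Management plane: the 403 in the issue rejects POST on 'dbs' at the
        // Cosmos DB endpoint, so the database is created via ARM instead.
        var arm = new ArmClient(credential);
        var accountId = CosmosDBAccountResource.CreateResourceIdentifier(
            SubscriptionId, ResourceGroup, AccountName);
        CosmosDBAccountResource account = arm.GetCosmosDBAccountResource(accountId);
        var location = (await account.GetAsync()).Value.Data.Location;

        var content = new CosmosDBSqlDatabaseCreateOrUpdateContent(
            location, new CosmosDBSqlDatabaseResourceInfo(databaseName));
        // CreateOrUpdate is idempotent, so this doubles as "create if not exists".
        await account.GetCosmosDBSqlDatabases()
                     .CreateOrUpdateAsync(WaitUntil.Completed, databaseName, content);

        // Data plane: container and item operations stay on the Cosmos DB endpoint
        // under the SQL role, so disableKeyBasedMetadataWriteAccess can stay true.
        var cosmos = new CosmosClient(EndpointUri, credential);
        var response = await cosmos.GetDatabase(databaseName)
                                   .CreateContainerIfNotExistsAsync(containerName, partitionKeyPath);
        return response.Container;
    }
}
```

Keeping database creation on the ARM path means the account's key-based metadata write access can remain disabled, so a leaked account key cannot be used to alter database or container definitions.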