Closed pjohnst5 closed 1 week ago
Ah, this may be why: in the db that fails for me, I have this set:
"disableKeyBasedMetadataWriteAccess": true,
And I believe that the db creation needs keys?
However, with a different db with "disableKeyBasedMetadataWriteAccess" set to false, db creation also fails there (but container creation succeeds).
So still would be nice to be able to create dbs when "disableKeyBasedMetadataWriteAccess" is false
This is not a client SDK issue. Client SDKs do not perform any of these validations. According to public documentation, data plane SDKs cannot perform management plane operations with MSI: https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#permission-model
That is what the error you are getting says.
disableKeyBasedMetadataWriteAccess seems to be a configuration on the resource; again, this is unrelated to the client SDK. It is not a configuration that the client sees or understands, and the client is not validating; the HTTP 403 response comes from the service. Please reach out to the service or support team for clarification.
Describe the bug
Hello, I am using managed identity to connect to a cosmos db from a .net application (I also work for Microsoft, Azure). I see the following error when trying to CreateDatabaseIfNotExistsAsync():
My expectation here is to be able to create DBs and Containers if they do not exist, using Managed Identity.
I have already made an az cosmosdb sql role with sufficient permissions, and assigned it to the MI as well as me (for testing):
The goal here is to be able to create a cosmos db, which gives the managed identity sufficient privileges to create dbs and containers
To Reproduce
Expected behavior
I would like the .Net app to be able to create dbs and containers, since the .net app has sufficient privileges per the az cosmosdb sql role definition
Actual behavior
Failure seen in description
Environment summary
SDK Version: 3.41.0
OS Version (e.g. Windows, Linux, MacOSX): Windows