Azure / azure-rest-api-specs

The source for REST API specifications for Microsoft Azure.
MIT License

[BUG] Azure AI Search datasource / indexer cannot run when "Cosmos DB Built-in Data Reader" assigned at database scope #30419

Open steven-kehrli-submittable opened 1 month ago

steven-kehrli-submittable commented 1 month ago

API Spec link

https://github.com/Azure/azure-rest-api-specs/blob/main/specification/search/data-plane/Azure.Search/preview/2024-09-01-preview/searchindex.json

API Spec version

2024-09-01-preview

Describe the bug

Azure AI Search datasource / indexer does not work when "Cosmos DB Built-in Data Reader" is scoped to the database. It does work when scoped to the account.

Expected behavior

Can assign the "Cosmos DB Built-in Data Reader" role to that identity at the database scope and the Azure AI Search datasource / indexer works.

Actual behavior

Fails with Error with data source: The connection to the Cosmos DB database 'ToDoList' could not be made due to missing authorizations. Please adjust your data source definition in order to proceed.

Reproduction Steps

  1. Our Cosmos DB NoSQL is secured with RBAC. We created an Azure AI Search service with a system-assigned identity.
  2. We assigned the "Cosmos DB Account Reader Role" role to that identity at the account scope (az role assignment create)
  3. We assigned the "Cosmos DB Built-in Data Reader" role to that identity at the database scope (az cosmosdb sql role assignment create)
  4. We created an Azure AI Search datasource to query a container under that database (REST API).
  5. We created an Azure AI Search index (REST API).
  6. We tried to create an Azure AI Search indexer for that datasource and indexer (REST API).
  7. Got the following error: Error with data source: The connection to the Cosmos DB database 'ToDoList' could not be made due to missing authorizations. Please adjust your data source definition in order to proceed.

If we change step 3 to assign "Cosmos DB Built-in Data Reader" role to that identity at the account scope, it works.

Environment

No response
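As an added example (not code from this repository or from the reporter): a small Python check that reads the JSON printed by `az cosmosdb sql role assignment list` and reports whether the search service's identity holds the built-in Data Reader role at account scope, only at database scope (the configuration the report says fails), or not at all, and prints the data-plane command for the account-scope assignment the reporter found to work. The subscription, resource group, account and principal IDs are placeholders, the assignment list is constructed to mirror step 3, and the role definition GUID `00000000-0000-0000-0000-000000000001` is the fixed ID of the built-in Data Reader role.

```python
"""Check at what scope a principal holds the Cosmos DB built-in Data Reader role.

Added example for this issue; not code from azure-rest-api-specs or from the
reporter. Input is the JSON array printed by
  az cosmosdb sql role assignment list --account-name <acct> --resource-group <rg>
(the fields used, principalId / roleDefinitionId / scope, are the ones the CLI
emits). Subscription, resource group, account and principal IDs below are
placeholders; the assignment list is constructed to mirror step 3 of the report.
"""
import json

# Built-in Cosmos DB SQL (data-plane) role definitions: fixed GUIDs in every account.
DATA_READER_ROLE_ID = "00000000-0000-0000-0000-000000000001"
DATA_CONTRIBUTOR_ROLE_ID = "00000000-0000-0000-0000-000000000002"


def account_scope(subscription, resource_group, account):
    """ARM resource ID of the account; this is the account-scope value for --scope."""
    return ("/subscriptions/{}/resourceGroups/{}/providers/"
            "Microsoft.DocumentDB/databaseAccounts/{}").format(subscription, resource_group, account)


def load_assignments(json_text):
    """Parse the CLI's JSON output into a list of assignment dicts."""
    data = json.loads(json_text)
    return data if isinstance(data, list) else [data]


def classify(assignments, principal_id, acct_scope, database):
    """Return 'account', 'database' or None for the principal's Data Reader role.

    'account'  -> assigned at the account root (covers every database in the account)
    'database' -> assigned only at /dbs/<database>; the configuration this issue
                  reports as failing for the Azure AI Search indexer
    None       -> no Data Reader assignment that covers <database>
    """
    db_scope = acct_scope + "/dbs/" + database
    found = None
    for a in assignments:
        if a.get("principalId", "").lower() != principal_id.lower():
            continue
        # roleDefinitionId is a full ARM path ending in /sqlRoleDefinitions/<guid>
        if not a.get("roleDefinitionId", "").lower().endswith(DATA_READER_ROLE_ID):
            continue
        scope = a.get("scope", "").rstrip("/").lower()
        if scope == acct_scope.lower():
            return "account"
        if scope == db_scope.lower():
            found = "database"
    return found


def create_command(resource_group, account, principal_id, scope):
    """Data-plane command (not `az role assignment create`) granting Data Reader at `scope`."""
    return ("az cosmosdb sql role assignment create --resource-group {} --account-name {} "
            "--role-definition-id {} --principal-id {} --scope '{}'"
            ).format(resource_group, account, DATA_READER_ROLE_ID, principal_id, scope)


def diagnose(assignments, principal_id, acct_scope, database, resource_group, account):
    """Return (status, advice); the advice is the workaround the reporter found to work."""
    status = classify(assignments, principal_id, acct_scope, database)
    if status == "account":
        return status, "Data Reader at account scope: indexer should connect."
    advice = ("Data Reader missing at account scope (found: {}). Workaround from the report, "
              "which grants read on every database in the account, not just '{}':\n  {}"
              ).format(status or "none", database,
                       create_command(resource_group, account, principal_id, acct_scope))
    return status, advice


SUB = "00000000-0000-0000-0000-000000000000"               # placeholder subscription ID
RG, ACCT, DB = "rg-search-demo", "cosmos-demo", "ToDoList"  # placeholders; DB is the report's database
SEARCH_PRINCIPAL = "11111111-1111-1111-1111-111111111111"  # placeholder: search service's system-assigned identity
ACCT_SCOPE = account_scope(SUB, RG, ACCT)

# Constructed sample: Data Reader only at database scope (step 3 of the report),
# plus an unrelated Contributor assignment that the check must ignore.
SAMPLE_JSON = json.dumps([
    {"principalId": SEARCH_PRINCIPAL,
     "roleDefinitionId": ACCT_SCOPE + "/sqlRoleDefinitions/" + DATA_READER_ROLE_ID,
     "scope": ACCT_SCOPE + "/dbs/" + DB,
     "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments"},
    {"principalId": "22222222-2222-2222-2222-222222222222",
     "roleDefinitionId": ACCT_SCOPE + "/sqlRoleDefinitions/" + DATA_CONTRIBUTOR_ROLE_ID,
     "scope": ACCT_SCOPE,
     "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments"},
])

if __name__ == "__main__":
    status, advice = diagnose(load_assignments(SAMPLE_JSON), SEARCH_PRINCIPAL, ACCT_SCOPE, DB, RG, ACCT)
    print("Data Reader scope for search identity:", status)
    print(advice)
```

Run it against real output by piping `az cosmosdb sql role assignment list ... -o json` into `load_assignments` and passing the search service's principal ID (`az search service show --query identity.principalId`). The caveat a practitioner should weigh: the account-scope assignment that makes the indexer work is broader than the database-scope one the reporter wanted, since it lets the identity read every database in the account, so track this issue rather than treating the wider grant as the permanent least-privilege configuration.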

v-jiaodi commented 1 month ago

@jonathanserbent Please help take a look, thanks.