I am attempting to make a REST request following these instructions, which state "The Azure Cosmos DB RBAC is currently supported with the 2021-03-15 version of REST API." Yet when I make a request I get the response "Invalid API version. Ensure a valid x-ms-version header value is passed."

According to this the "latest version" is 2017-02-22 but there are a number of more recent versions, the most recent of which is 2018-12-31. If I switch to 2018-12-31 I get the error "Request blocked by Auth hts : Provided token does not have a valid signature. Please ensure that the AAD token is not being modified before use."

Update: As requested in the comments I'm including some (Dart) code:

  Future<String> getCollections() async {
    await waitForInitialization();
    var url = 'https://$_account.documents.azure.com/dbs/$databaseName/colls/';
    var uri = Uri.parse(url);
    var headers = {
      'Authorization': 'type=aad&ver=1.0&sig=$_token',
      'Content-Type': 'application/json',
      'x-ms-version': '2021-03-15',
    };
    var response;
    try {
      response = await http.get(uri, headers: headers);
    } catch (e) {
      throw StateError(e.toString());
    }
    if (response.statusCode != 200) {
      throw StateError(response.body);
    }
    return response.body;
  }
Ecstasy
James Foster

1 Answer

I know this is super old, but in case anyone stumbles upon this question, I have a working example in PowerShell. https://github.com/ArunasFalcon/CosmosDBRBACQueryTool

The essential stuff to know:

The trickiest part was figuring out how to produce the auth header.

An AAD token must be requested for the account attempting to sign in to Cosmos DB using RBAC with scope https://cosmos.azure.com, and the authorization header is generated by URL-encoding type=aad&ver=1.0&sig=<the token>.

Some gotchas when running the query on the Cosmos DB REST API:

The following headers must be provided:

  • "x-ms-version" = "2018-12-31"
  • "x-ms-date" header must contain the current date according to the RFC 1123 pattern
  • "x-ms-documentdb-isquery" = "True"
  • "Content-Type" = "application/query+json" for queries

See the whole list of headers at Common Azure Cosmos DB REST request headers.

There is also a list of queries that cannot be served by the gateway, which includes (at the time of writing) pretty important stuff like offset limit, group by and order by.

The F
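The header construction described in the answer above, written in Dart to match the question's code. This is an added example, not code from either poster or from the linked repository: `cosmosHeaders`, `tokenAudience` and `sampleToken` are hypothetical names, the sample token is constructed and unsigned, and the local `aud` check assumes a token requested for the scope in the answer carries that URL as its audience.

```dart
import 'dart:convert';
import 'dart:io' show HttpDate;

/// Scope named in the answer above.
const cosmosScope = 'https://cosmos.azure.com';

/// Reads the `aud` claim of a JWT without verifying it (local preflight only).
String? tokenAudience(String jwt) {
  final parts = jwt.split('.');
  if (parts.length != 3) return null;
  try {
    final payload = utf8.decode(base64Url.decode(base64Url.normalize(parts[1])));
    final claims = jsonDecode(payload);
    return claims is Map ? claims['aud']?.toString() : null;
  } on FormatException {
    return null; // not base64url, not UTF-8, or not JSON
  }
}

/// Builds the request headers listed in the answer for an AAD (RBAC) call.
Map<String, String> cosmosHeaders(String token, {bool isQuery = false, DateTime? now}) {
  final aud = tokenAudience(token);
  // Assumption: a token issued for the Cosmos DB scope carries that URL as `aud`.
  if (aud == null || !aud.startsWith(cosmosScope)) {
    throw ArgumentError('token audience is "$aud", expected $cosmosScope');
  }
  return {
    // The whole string is URL-encoded, so "=" and "&" become %3D and %26.
    'Authorization': Uri.encodeComponent('type=aad&ver=1.0&sig=$token'),
    'x-ms-version': '2018-12-31',
    'x-ms-date': HttpDate.format(now ?? DateTime.now()), // RFC 1123, GMT
    'Content-Type': isQuery ? 'application/query+json' : 'application/json',
    if (isQuery) 'x-ms-documentdb-isquery': 'True',
  };
}

// Constructed, unsigned sample token; a real one comes from Azure AD.
String sampleToken(String aud) {
  String seg(Object o) => base64Url.encode(utf8.encode(jsonEncode(o))).replaceAll('=', '');
  return '${seg({'alg': 'none'})}.${seg({'aud': aud})}.c2lnbmF0dXJl';
}

void main() {
  final headers = cosmosHeaders(sampleToken(cosmosScope), isQuery: true);
  headers.forEach((k, v) => print('$k: $v'));
  try {
    cosmosHeaders(sampleToken('https://management.azure.com'));
  } on ArgumentError catch (e) {
    print('rejected: ${e.message}');
  }
}
```

The `aud` check only catches a token requested for the wrong resource before it is sent; it does not validate the signature, which the service does.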