Principal does not have permissions to perform "databaseAccounts/readMetadata" on resource "/"

Question

I have a CosmosDB account:

az cosmosdb list | jq 'map({"name": .name, "identity": .identity})'
[
  {
    "name": "redacted-db-account",
    "identity": {
      "principalId": null,
      "tenantId": null,
      "type": "userassigned",
      "userAssignedIdentities": {
        "/subscriptions/a/resourcegroups/b/providers/Microsoft.ManagedIdentity/userAssignedIdentities/redacted-agentpool": {
          "clientId": "bcaf6b6b-...",
          "principalId": "be4a3128-..."
        }
      }
    }
  }
]

The redacted-agentpool identity has the following role assignments:

az role assignment list --assignee be4a3128-... --all | jq 'map([.roleDefinitionName, .scope])'
[
  [
    "DocumentDB Account Contributor",
    "/subscriptions/a/resourceGroups/b/providers/Microsoft.DocumentDB/databaseAccounts/redacted-db-account"
  ],
  [
    "Cosmos DB Operator",
    "/subscriptions/a/resourceGroups/b/providers/Microsoft.DocumentDB/databaseAccounts/redacted-db-account"
  ]
]

Now when I run my Python application inside the Kubernetes cluster, I get the following error:

azure.cosmos.exceptions.CosmosHttpResponseError: (Forbidden) Request
blocked by Auth redacted-db-account : Request is blocked because 
principal [be4a3128-...] does not have required RBAC permissions to 
perform action [Microsoft.DocumentDB/databaseAccounts/readMetadata] 
on resource [/]. Learn more: https://aka.ms/cosmos-native-rbac.

I am pretty new to Azure, but this seems inexplicable to me. Can someone please explain what steps I could take to even debug this? I am pretty much out of ideas.

The aka.ms link in the error explains it: https://aka.ms/cosmos-native-rbac. The roles you have assigned are for management purposes, you need to define the Data roles for your principal — Matias Quaranta, Jul 03 '23 at 18:13

score 0 · Answer 1 · answered Jul 02 '23 at 11:50

It seems like you need permission for Microsoft.DocumentDB/databaseAccounts/readMetadata

Based on this link: https://learn.microsoft.com/en-gb/azure/cosmos-db/how-to-setup-rbac#built-in-role-definitions

It seems like the roles:

Cosmos DB Built-in Data Reader
Cosmos DB Built-in Data Contributor

Would have that.

The DocumentDB Account Contributor

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#documentdb-account-contributor

and Cosmos DB Operator

https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/cosmos-db/role-based-access-control.md#built-in-roles

don't seem to be designed for that.

Looking at [Cosmos DB Operator](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#cosmos-db-operator), the first permission listed is `Microsoft.DocumentDb/databaseAccounts/*`. I assume the wildcard matches the `readMetadata` as well. Am I missing something? — Victor, Jul 02 '23 at 12:26

Principal does not have permissions to perform "databaseAccounts/readMetadata" on resource "/"

1 Answers1