Tags: azure, azure-cosmosdb, azure-cli

Cannot assign Azure Role for cosmos db


I am trying to assign an identity a role to read/write to cosmos db. I run this command:

az role assignment create \
--assignee <sp_object_id> \
--role "00000000-0000-0000-0000-000000000002" \
--scope "/subscriptions/<subscriptionId>/resourceGroups/<resource-group-name>/providers/Microsoft.DocumentDB/databaseAccounts/<cosmos-db-name>"

This is the error I get back:

The specified role definition with ID '00000000000000000000000000000002' does not exist.

I have tried with the role name to no avail. I have tried the GUI, but this role is not visible anywhere there.

How can I assign this role?


Solution

  • The RBAC on Azure Cosmos DB is built similarly to Azure RBAC, but it gives more granular control over data operations rather than Azure resource management. The permission model describes this in detail.

    During implementations where SDKs are used to interact with the data plane (e.g., writing or reading data), the application should be given granular data-level permissions. Data-plane permissions cannot be granted from the portal.

    The following commands grant "data contributor" permissions on "container1" within the database but only "data reader" on "container2" within the same database:

    # Azure Pipelines syntax: ${{ variables.x }} are template-expression variables and
    # $(umiObjectId) is a runtime variable holding the object ID of the user-assigned managed identity.
    # The scope is relative to the account: /dbs/<database>/colls/<container>
    az cosmosdb sql role assignment create \
      --account-name ${{ variables.cosmosdbAccountName }} \
      --resource-group ${{ variables.resourceGroupName }} \
      --role-definition-name "Cosmos DB Built-in Data Contributor" \
      --scope "/dbs/${{ variables.cosmosdbAccountDatabaseName }}/colls/${{ variables.cosmosdbContainerOneName }}" \
      --principal-id $(umiObjectId)

    # Same identity, read-only on the second container
    az cosmosdb sql role assignment create \
      --account-name ${{ variables.cosmosdbAccountName }} \
      --resource-group ${{ variables.resourceGroupName }} \
      --role-definition-name "Cosmos DB Built-in Data Reader" \
      --scope "/dbs/${{ variables.cosmosdbAccountDatabaseName }}/colls/${{ variables.cosmosdbContainerTwoName }}" \
      --principal-id $(umiObjectId)


    Again, the example above only shows usage of the built-in Cosmos DB data-plane RBAC roles; it is good practice to define custom roles for more fine-grained access within each container.

    NOTE: Azure Cosmos DB data containers are not Azure resources, meaning they cannot be created through the Azure Resource Manager (ARM) model. So this permission model fulfills the authorization need with many security benefits.
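As an added example (not part of the answer above or the questioner's pipeline), here is a small shell script that applies the same per-container, least-privilege assignments with the Azure CLI and then lists what was granted. The point it makes explicit: `00000000-0000-0000-0000-000000000002` is the ID of the Cosmos DB data-plane role definition "Cosmos DB Built-in Data Contributor" (`...0001` is "Cosmos DB Built-in Data Reader"), so the control-plane `az role assignment create` cannot find it; the data-plane `az cosmosdb sql role assignment` command family must be used. The account, resource group, database, container and principal names are placeholders, and the `DRY_RUN` switch and helper functions are this example's own (the script prints the `az` commands for review by default and only executes them with `DRY_RUN=0`).

```shell
#!/bin/sh
# Added example: data-plane RBAC for Azure Cosmos DB (NoSQL API) via the Azure CLI.
# Not the original answer's code. Assumes the `az cosmosdb sql role ...` commands;
# resource names below are placeholders.
set -eu

# Default to printing the az commands; set DRY_RUN=0 to actually run them.
DRY_RUN="${DRY_RUN:-1}"

# Documented built-in data-plane role definition IDs. These are NOT Azure RBAC
# role definitions, which is why `az role assignment create` reports them missing.
readonly COSMOS_DATA_READER_ID="00000000-0000-0000-0000-000000000001"
readonly COSMOS_DATA_CONTRIBUTOR_ID="00000000-0000-0000-0000-000000000002"

# Run an az command, or under DRY_RUN=1 print it instead.
run_az() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'az %s\n' "$*"
  else
    az "$@"
  fi
}

# Build a data-plane scope relative to the account:
#   "/"                        whole account
#   "/dbs/<db>"                one database
#   "/dbs/<db>/colls/<coll>"   one container (narrowest built-in scope)
cosmos_data_scope() {
  db="${1:-}"; coll="${2:-}"
  case "$db$coll" in *'/'*) echo "scope segments must not contain '/'" >&2; return 1 ;; esac
  if [ -z "$db" ] && [ -n "$coll" ]; then
    echo "a container scope needs a database name" >&2; return 1
  fi
  scope="/"
  if [ -n "$db" ]; then scope="/dbs/$db"; fi
  if [ -n "$coll" ]; then scope="$scope/colls/$coll"; fi
  printf '%s\n' "$scope"
}

# A role definition id must be a GUID: one of the built-ins above, or a custom
# role id returned by `az cosmosdb sql role definition list`.
cosmos_role_id_ok() {
  printf '%s' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Assign a data-plane role to a principal (Entra ID object ID) at a scope.
cosmos_assign_data_role() {
  account="$1"; rg="$2"; principal="$3"; role_id="$4"; scope="$5"
  if ! cosmos_role_id_ok "$role_id"; then
    echo "not a role definition GUID: $role_id" >&2
    return 1
  fi
  run_az cosmosdb sql role assignment create \
    --account-name "$account" --resource-group "$rg" \
    --principal-id "$principal" --role-definition-id "$role_id" \
    --scope "$scope"
}

# Demo with constructed placeholder names: contributor on container1, reader on container2.
ACCOUNT="my-cosmos-account"; RG="my-resource-group"; UMI_OBJECT_ID="<principal-object-id>"
cosmos_assign_data_role "$ACCOUNT" "$RG" "$UMI_OBJECT_ID" "$COSMOS_DATA_CONTRIBUTOR_ID" "$(cosmos_data_scope db1 container1)"
cosmos_assign_data_role "$ACCOUNT" "$RG" "$UMI_OBJECT_ID" "$COSMOS_DATA_READER_ID" "$(cosmos_data_scope db1 container2)"
# Verify the grants; the listed scopes come back as full ARM paths under the account.
run_az cosmosdb sql role assignment list --account-name "$ACCOUNT" --resource-group "$RG" -o table
```

Run it once as-is to review the three `az` commands, then with `DRY_RUN=0` to apply them. The identity then needs to authenticate to Cosmos DB with an Entra ID token (for example `DefaultAzureCredential` in the SDKs) rather than an account key for these assignments to take effect.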