I am trying to create a data-plane role assignment for my Cosmos DB for my Azure Web App / Function app to access using their System-Assigned Managed Identity.
I have tried assigning the Cosmos DB Built-In Data Contributor (Role Definition ID: 00000000-0000-0000-0000-000000000002) using both Azure CLI and PowerShell:
New-AzCosmosDBSqlRoleAssignment
and
az cosmosdb sql role assignment create
The first command gives me back a RoleAssignmentId and the second command returns nothing after running. I assume both are successful.
However, if I run Get-AzRoleAssignment -ObjectId using the ObjectId of the Managed Identities I am trying to assign to, they do not show up.
I have read that since this is a data-plane role, they don't show up in the Azure Portal UI. However, would it also not show up when running any "Get" Role Assignments command in Azure CLI/PowerShell?
I have also tried creating a custom role with data-plane actions (like /readmetadata) and assigning this. However, it does not show in any Get commands.
Even if these Role Assignments do not show, are they still valid?
Since you are assigning a data-plane role, these roles will not appear when using Get-AzRoleAssignment or similar Get commands from ARM because those commands are querying control-plane role assignments. Data-plane roles are managed entirely within the Cosmos DB service and not by ARM, so they won’t show up in the portal UI or when querying ARM-based role assignments.
To verify that your data-plane RBAC assignment was successful, you can use the az cosmosdb sql role assignment list command, which specifically queries data-plane roles within Cosmos DB:
az cosmosdb sql role assignment list --account-name <cosmos-db-account> --resource-group <resource-group>
This command will show the data-plane role assignments for your Azure Cosmos DB account, including those assigned to the managed identity.