
CosmosDBTrigger fails to create container information using MSI

Open tomaswalander opened this issue 2 years ago • 3 comments

Repro steps

I'm attempting to use my local developer identity (logged in using az login) to develop an Azure Function with a CosmosDBTrigger using managed identity and RBAC.

My account has the following roles assigned both on subscription level, on the database account, on the database and on the container:

Trigger

```csharp
// Isolated-worker function signature; only the trigger attribute was shown originally.
[Function("MyFunction")]
public void Run(
    [CosmosDBTrigger(
        "my-database-name",
        "my-container-name",
        Connection = "MyAppSetting",
        MaxItemsPerInvocation = 1,
        LeaseContainerName = "my-container-name-leases",
        CreateLeaseContainerIfNotExists = true
    )] IReadOnlyList<UserProfileDeletionRequest> documents)
{
    // ...
}
```

and local.settings.json contains

```json
"MyAppSetting__accountEndpoint": "https://my-database-name.documents.azure.com:443/",
```

Actual behavior

When the function starts I see this error message:

```text
Microsoft.Azure.WebJobs.Host: Error indexing method 'MyFunction'. Microsoft.Azure.WebJobs.Extensions.CosmosDB: Cannot create container information for my-container-name in database my-database-name with lease my-container-name-leases in database my-database-name : Response status code does not indicate success: Forbidden (403); Substatus: 5301; ActivityId: <guid>; Reason: (Request blocked by Auth my-database-name : Request is blocked because principal <my-az-object-id> does not have required RBAC permissions to perform action [Microsoft.DocumentDB/databaseAccounts/readMetadata] on resource [/]. Learn more: https://aka.ms/cosmos-native-rbac.
```

As I wrote previously, my account does have assigned roles that include the required permissions. In fact, I have other containers in the same database that I have programmatically created so I know I have enough rights to manage containers.

Reading on docs.microsoft.com and this repo, I'm partially leaning towards the idea that CosmosDBTrigger might not fully support MSI and that I perhaps need to revert to a connection string? At least for local development? However, in that case I guess the error message is a bit confusing...

Another option: looking at the ...on resource [/] part of the error message above, it makes me think that I might be missing some configuration? I.e., that the MyAppSetting prefix should have more than just the __accountEndpoint value. Perhaps a __databaseAccountId or something like that? But it doesn't mention anything like that in the documentation here.

Expected behavior

Either, I'd expect this to work according to what's in the documentation here. Or, I'd expect the documentation to be clear that it is not a supported behaviour as of now.

Related information

Running on a Mac using macOS Monterey 12.4.

```text
dotnet --version
6.0.100
func -version
4.0.3971
```

```xml
<PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.6.0" />
<PackageReference Include="Microsoft.Azure.Functions.Worker.Sdk" Version="1.3.0" OutputItemType="Analyzer" />
<PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.Http" Version="3.0.13" />
<PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.CosmosDB" Version="4.0.0-preview2" />
<PackageReference Include="Microsoft.Azure.WebJobs.Extensions.Storage" Version="5.0.0" />
<PackageReference Include="Microsoft.Azure.Services.AppAuthentication" Version="1.6.2" />
<PackageReference Include="Microsoft.IdentityModel.Clients.ActiveDirectory" Version="5.2.9" />
```

tomaswalander, Jul 26 '22 07:07

I just tried deploying the app and can verify that I'm getting the same error when run in Azure. So it's not just due to local development mode.

tomaswalander, Jul 27 '22 15:07

Hi @ealsur Could you please help with this issue?

Ved2806, Aug 08 '22 16:08

Please follow the link in the error: https://aka.ms/cosmos-native-rbac

You cannot perform collection/database creation operations when authenticating with MSI, that is by design on Cosmos DB.

If you believe you should be able to access or perform this operation with the MSI identity, file a support ticket. MSI auditing and authorization is not a client side operation, the service is performing that validation and it has nothing to do with the extension code.

ealsur, Aug 15 '22 21:08
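To make the consequence of the answer above concrete for the configuration in the original post, here is an added example (not code from the issue or from the extension itself) of the same trigger set up so that it never needs a data-plane container-creation call: the lease container is created out of band through the control plane (ARM, az, or the portal), `CreateLeaseContainerIfNotExists` is left `false`, and a small startup self-check reads the lease container's metadata with the same identity the trigger will use. The database, container and setting names are the placeholders from the issue; the `MyFunction` class, the `UserProfileDeletionRequest` shape and the `CheckLeaseContainerAsync` helper are assumptions added for illustration.

```csharp
// Added example, not the extension's own code. Assumes the isolated worker model
// (Microsoft.Azure.Functions.Worker), the Azure.Identity and Microsoft.Azure.Cosmos packages,
// and that the lease container was already created via the control plane.
using System;
using System.Collections.Generic;
using System.Net;
using System.Threading.Tasks;
using Azure.Identity;
using Microsoft.Azure.Cosmos;
using Microsoft.Azure.Functions.Worker;
using Microsoft.Extensions.Logging;

// Assumed document shape; the issue only names the type.
public class UserProfileDeletionRequest
{
    public string id { get; set; } = string.Empty;
}

public class MyFunction
{
    private readonly ILogger _logger;

    public MyFunction(ILoggerFactory loggerFactory)
    {
        _logger = loggerFactory.CreateLogger<MyFunction>();
    }

    // App settings still only need the identity-based form from the issue:
    //   "MyAppSetting__accountEndpoint": "https://<account>.documents.azure.com:443/"
    [Function("MyFunction")]
    public void Run(
        [CosmosDBTrigger(
            "my-database-name",
            "my-container-name",
            Connection = "MyAppSetting",
            MaxItemsPerInvocation = 1,
            LeaseContainerName = "my-container-name-leases",
            // false: creating a container is a control-plane operation that a
            // data-plane (MSI/RBAC) identity cannot perform, so pre-create it instead.
            CreateLeaseContainerIfNotExists = false)]
        IReadOnlyList<UserProfileDeletionRequest> documents)
    {
        _logger.LogInformation("Received {Count} change(s)", documents.Count);
    }

    // Assumed helper (not part of the extension): call once at startup to confirm the
    // identity can read the lease container's metadata before the trigger host tries to.
    // This succeeds only when the principal holds a Cosmos DB SQL role that grants
    // Microsoft.DocumentDB/databaseAccounts/readMetadata at a scope covering the container.
    public static async Task<string> CheckLeaseContainerAsync(string accountEndpoint)
    {
        // DefaultAzureCredential covers both `az login` locally and managed identity in Azure.
        using var client = new CosmosClient(accountEndpoint, new DefaultAzureCredential());
        try
        {
            ContainerResponse response = await client
                .GetContainer("my-database-name", "my-container-name-leases")
                .ReadContainerAsync();
            return $"ok: lease container readable (status {(int)response.StatusCode})";
        }
        catch (CosmosException ex) when (ex.StatusCode == HttpStatusCode.Forbidden)
        {
            // Substatus 5301, as in the issue: the principal lacks data-plane RBAC at the
            // requested scope. The fix is the role assignment, not extension code.
            return $"forbidden (substatus {ex.SubStatusCode}): assign a Cosmos DB SQL role with readMetadata";
        }
        catch (CosmosException ex) when (ex.StatusCode == HttpStatusCode.NotFound)
        {
            return "lease container missing: create it via the control plane (ARM/az/portal), not from the function";
        }
    }
}
```

A practical way to use the self-check is to await `MyFunction.CheckLeaseContainerAsync(Environment.GetEnvironmentVariable("MyAppSetting__accountEndpoint"))` in `Program.cs` before building the host and log the result; a `forbidden` result points at the role assignment, a `missing` result at the out-of-band container creation, and neither is something the trigger itself can repair.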

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.

ghost, Aug 20 '22 08:08