Facing issue with creating new cosmos db context about cosmosdb HOT 10 OPEN

Hi @vasanthkumar258,
The function Get-CosmosDbEntraIdToken is only available in the v5.0.0+ version of the CosmosDB module. There is only a preview version of the module published to PowerShell Gallery so far. I plan to publish a full release once my Azure credit has rolled over (so the integration tests can run).

What version of the Az.Account module is installed? The v5.0.0 version of the module depends on (and will automatically install) v2.19.0. I haven't tested with earlier versions of this module.

from cosmosdb.

@PlagueHO, what about this issue
Get-AzAccessToken: ManagedIdentityCredential authentication failed: Service request failed.
Status: 400 (Bad Request)

Content:
{"error":{"code":"AudienceNotSupported","message":"Audience https://cosmos-cxpes-ppe-hipri.documents.azure.com/ is not a supported MSI token audience. Supported audiences: https://management.core.windows.net/,https://management.azure.com/,https://graph.windows.net/,https://vault.azure.net,https://datalake.azure.net/,https://outlook.office365.com/,https://graph.microsoft.com/,https://batch.core.windows.net/,https://analysis.windows.net/powerbi/api,https://storage.azure.com/,https://rest.media.azure.net,https://api.loganalytics.io,https://ossrdbms-aad.database.windows.net,https://www.yammer.com,https://digitaltwins.azure.net,0b07f429-9f4b-4714-9392-cc5e8e80c8b0,822c8694-ad95-4735-9c55-256f7db2f9b4,https://dev.azuresynapse.net,https://database.windows.net,https://quantum.microsoft.com,https://iothubs.azure.net,2ff814a6-3304-4ab8-85cb-cd0e6f879c1d,https://azuredatabricks.net/,ce34e7e5-485f-4d76-964f-b3d2b16d1e4f,https://azure-devices-provisioning.net,https://managedhsm.azure.net,499b84ac-1321-427f-aa17-267ca6975798,https://api.adu.microsoft.com/,https://purview.azure.net/,6dae42f8-4368-4678-94ff-3960e28e3630,https://cognitiveservices.azure.com,48ac35b8-9aa8-4d74-927d-1f4a14a0b239,46da2f7e-b5ef-422a-88d4-2a7f9de6a0b2"}}

from cosmosdb.

Hi @vasanthkumar258 - the function Get-AzAccessToken is provided by the Az.Account module - can you run Get-Module -Name Az.Account to see what version is being used?

from cosmosdb.

Hey @PlagueHO , I am running v2.19.0 of Az.Accounts in Azure cloud shell.. But in documentation its mentioned as Az.Account.. But when I tried to install this I got an error

C:\WINDOWS\system32> Install-Module -Name Az.Account
PackageManagement\Install-Package : No match was found for the specified search criteria and module name 'Az.Account'.
Try Get-PSRepository to see all available registered module repositories.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:1809 char:21

• ... $null = PackageManagement\Install-Package @PSBoundParameters

•                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : ObjectNotFound: (Microsoft.Power....InstallPackage:InstallPackage) [Install-Package], Ex
    ception
  • FullyQualifiedErrorId : NoMatchFoundForCriteria,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackage

from cosmosdb.

Hey @PlagueHO , I installed a prerelease version.. but when I execute the "$entraIdOAuthToken = Get-CosmosDbEntraIdToken -Endpoint 'https://cosmos-cxpes-ppe-*****.documents.azure.com'" but still getting below error

Get-AzAccessToken: ManagedIdentityCredential authentication failed: Service request failed. Status: 400 (Bad Request) Content:
{"error":{"code":"AudienceNotSupported","message":"Audience https://cosmos-cxpes-ppe-*****.documents.azure.com is not a supported MSI token audience. Supported
audiences:
https://management.core.windows.net/,https://management.azure.com/,https://graph.windows.net/,https://vault.azure.net,https://datalake.azure.net/,https://outlook.offic
e365.com/,https://graph.microsoft.com/,https://batch.core.windows.net/,https://analysis.windows.net/powerbi/api,https://storage.azure.com/,https://rest.media.azure.net
,https://api.loganalytics.io,https://ossrdbms-aad.database.windows.net,https://www.yammer.com,https://digitaltwins.azure.net,0b07f429-9f4b-4714-9392-cc5e8e80c8b0,822c8
694-ad95-4735-9c55-256f7db2f9b4,https://dev.azuresynapse.net,https://database.windows.net,https://quantum.microsoft.com,https://iothubs.azure.net,2ff814a6-3304-4ab8-85
cb-cd0e6f879c1d,https://azuredatabricks.net/,ce34e7e5-485f-4d76-964f-b3d2b16d1e4f,https://azure-devices-provisioning.net,https://managedhsm.azure.net,499b84ac-1321-427
f-aa17-267ca6975798,https://api.adu.microsoft.com/,https://purview.azure.net/,6dae42f8-4368-4678-94ff-3960e28e3630,https://cognitiveservices.azure.com,48ac35b8-9aa8-4d
74-927d-1f4a14a0b239,46da2f7e-b5ef-422a-88d4-2a7f9de6a0b2"}} Headers: X-Powered-By: REDACTED ETag: W/"4d1-rUhcpPTlFmqXlRv/iJgNoMnWvCs" Date: Thu, 23 May 2024
05:44:22 GMT Connection: keep-alive Keep-Alive: REDACTED Content-Type: application/json; charset=utf-8 Content-Length: 1233 See the troubleshooting guide for more
information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot

from cosmosdb.

Hi @vasanthkumar258 - hmm. Have you assigned a data plane RBAC role to the Cosmos DB account as per this doc: https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac

For example, we do this in the integration tests here: https://github.com/PlagueHO/CosmosDB/blob/main/tests/Integration/CosmosDB.integration.Tests.ps1#L887

I'm wondering if Get-AzAccessToken will only return a token with the Cosmos DB audiences if the identity has a data plane RBAC role on the Cosmos DB. I never tested it without.

from cosmosdb.

@PlagueHO , There is RBAC role assigned even then I am getting above issue

from cosmosdb.

Hi @vasanthkumar258 - ah, I see the issue. These are Management RBAC assignments. You need to do Data plane RBAC assignments which unfortunately can't be done via the Azure Portal. This page doesn't make that very clear.

For example: the Contributor assigned to an Azure Cosmos DB account does not give Data Plane access to the Cosmos DB.

Instead, you need to use the New-AzCosmosDBSqlRoleAssignment to assign a Data Plane RBAC role to the account or database or container. For example:

$accountName = '<your Cosmos DB account>'
$resourceGroup = '<your RG containing Cosmos DB>'
$roleDefinitionId = '00000000-0000-0000-0000-000000000002'  # This is built-in Cosmos DB Built-in Data Contributor role
$principalId = '<This object ID for the user/service principal/group>'

New-AzCosmosDBSqlRoleAssignment `
    -AccountName $accountName `
    -ResourceGroupName $resourceGroupName `
    -RoleDefinitionId $roleDefinitionId ` 
    -Scope "/" `
    -PrincipalId $principalId

You can also create custom RBAC data plane roles and assign them via:

• Bicep/ARM/TF
• Azure CLI or Azure PowerShell.

Does this make sense?

I did a demo of this (was using a C# client but works the same) a few days ago and here is my sample PowerShell I was using to configure the Account and containers: https://github.com/PlagueHO/whats-new-in-cosmos-db-2024/blob/main/configurecosmosdbrbac.ps1#L63

from cosmosdb.

I've raised a separate issue to improve the docs to make this clearer. I might also see if I can work with Cosmos DB team to improve their docs (it's not super clear there either).

Just some more info. These are the built-in Data plane RBAC roles:

But you won't find them in Azure RBAC in the Portal -they're only seen in PowerShell/Az CLI via the:

Get-AzCosmosDBSqlRoleDefinition `
    -AccountName $accountName `
    -ResourceGroupName $resourceGroupName

from cosmosdb.

@vasanthkumar258 - did you get a chance to see if this resolved your issue?

from cosmosdb.