How to use Azure Cosmos DB REST (Data plane) API with AAD RBAC?

James G Foster 46 Reputation points
2021-06-29T22:24:30.62+00:00

I am attempting to make a REST request following these instructions, which state "The Azure Cosmos DB RBAC is currently supported with the 2021-03-15 version of REST API." Yet when I make a request I get the response "Invalid API version. Ensure a valid x-ms-version header value is passed."

According to this the "latest version" is 2017-02-22 but there are a number of more recent versions, the most recent of which is 2018-12-31. If I switch to 2018-12-31 I get the error "Request blocked by Auth hts : Provided token does not have a valid signature. Please ensure that the AAD token is not being modified before use." I'm pretty sure the token is valid since I can decode it here.

Following is the relevant Dart code:

    Future<String> getCollections() async {
      await waitForInitialization();
      var url = 'https://$_account.documents.azure.com/dbs/$databaseName/colls/';
      var uri = Uri.parse(url);
      var headers = {
        'Authorization': 'type=aad&ver=1.0&sig=$_token',
        'Content-Type': 'application/json',
        'x-ms-version': '2021-03-15',
      };
      var response;
      try {
        response = await http.get(uri, headers: headers);
      } catch (e) {
        throw StateError(e.toString());
      }
      if (response.statusCode != 200) {
        throw StateError(response.body);
      }
      return response.body;
    }

Accepted answer
  1. Saurabh Sharma 23,766 Reputation points Microsoft Employee
    2021-07-02T23:12:24.937+00:00

    Hi @James G Foster ,

    I have checked the REST call with .NET code and it works fine with the above scope and with "x-ms-version" as "2018-12-31".
    111418-image.png
    Also, please make sure that you are providing RBAC permissions as mentioned over here
    I have assigned "Cosmos DB Built-in Data Contributor" role for my testing and it worked as expected.
    111501-image.png
    111492-image.png

    Result-
    111446-image.png

    Also, here is what my token payload looks like -
    111437-image.png

    I am having an internal discussion with the products team as it looks like the version mentioned in the documentation is incorrect. Please let me know if you have any questions.

    Thanks
    Saurabh
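
Decoding a token succeeds whatever its signature is, so it is worth checking the header and claims explicitly before sending the request. The sketch below is an added example, not code from the thread: `preflight`, `decodeSegment`, `seg`, the placeholder account name and the assumption that the expected `aud` is the account URL are all hypothetical, and the sample tokens are constructed with a fake signature segment.

```dart
import 'dart:convert';

/// Decodes one base64url JWT segment (header or payload) to a JSON object.
Map<String, dynamic> decodeSegment(String segment) {
  final bytes = base64Url.decode(base64Url.normalize(segment));
  final json = jsonDecode(utf8.decode(bytes));
  if (json is! Map<String, dynamic>) {
    throw const FormatException('segment is not a JSON object');
  }
  return json;
}

/// Lists problems visible without verifying the signature (never checked here).
List<String> preflight(String token, String expectedAudience, DateTime now) {
  final parts = token.split('.');
  if (parts.length != 3) return ['not a three-part JWT'];
  final problems = <String>[];
  try {
    final header = decodeSegment(parts[0]);
    final claims = decodeSegment(parts[1]);
    // Entra ID signs access tokens with an asymmetric key (RS256), not an HMAC.
    if (header['alg'] != 'RS256') problems.add('unexpected alg ${header['alg']}');
    // "aud" may be a single string or a list of strings.
    final aud = claims['aud'];
    final audiences = aud is List ? aud : [aud];
    if (!audiences.contains(expectedAudience)) {
      problems.add('aud $aud does not match $expectedAudience');
    }
    final exp = claims['exp'];
    if (exp is! num || now.millisecondsSinceEpoch >= exp * 1000) {
      problems.add('exp missing or token expired');
    }
  } on FormatException catch (e) {
    problems.add('undecodable segment: ${e.message}');
  }
  return problems;
}

String seg(Map<String, dynamic> m) =>
    base64Url.encode(utf8.encode(jsonEncode(m))).replaceAll('=', '');

void main() {
  // Constructed sample: placeholder account; expected aud is an assumption.
  const audience = 'https://example-account.documents.azure.com';
  final now = DateTime.utc(2021, 7, 1);
  final exp = now.add(const Duration(hours: 1)).millisecondsSinceEpoch ~/ 1000;
  String token(String alg) =>
      '${seg({'alg': alg})}.${seg({'aud': audience, 'exp': exp})}.c2ln';
  print(preflight(token('RS256'), audience, now));
  print(preflight(token('HS256'), audience, now));
}
```

An empty list only means the header and claims look plausible; signature validation still happens on the service side.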


1 additional answer

  1. Somya Srivastava 0 Reputation points
    2024-05-16T05:33:25.6933333+00:00

    I am also using the https://login.microsoftonline.com/$_tenantId/oauth2/v2.0/token endpoint to generate the token, but the signature is different than yours. Do I need to do something else to get an HMACSHA256 encrypted token?
