VikasTiwari-2263 asked VikasTiwari-2263 commented

Assign RBAC to APIM managed identity for cosmos db not working

I am trying to assign a Cosmos DB built-in role to the managed identity created under APIM, so that my APIM proxy can authenticate to Cosmos DB and fetch data.
I have used the following Bicep file, which runs successfully, but when I look at the managed identity in my APIM, it's not showing any role assigned to it. Also, when I tried to test my APIM proxy I got an unauthorized error. Following is my Bicep file:

@maxLength(44)
param CosmosAccountName string

resource cosmosAccount 'Microsoft.DocumentDB/databaseAccounts@2021-06-15' existing = {
  name: CosmosAccountName
}

@maxLength(50)
param ApiManagementName string

resource apimanagement 'Microsoft.ApiManagement/service@2021-01-01-preview' existing = {
  name: ApiManagementName
}

var roleDefinitionId = guid('sql-role-definition-', apimanagement.id, cosmosAccount.id)
var roleAssignmentId = guid(roleDefinitionId, apimanagement.id, cosmosAccount.id)

@description('Friendly name for the SQL Role Definition')
param roleDefinitionName string = 'Cosmos DB Account Reader Role'

@description('Data actions permitted by the Role Definition')
param dataActions array = [
  'Microsoft.DocumentDB/databaseAccounts/readMetadata'
  'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read'
  'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeQuery'
  'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed'
]

resource sqlRoleDefinition 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2021-04-15' = {
  name: '${cosmosAccount.name}/${roleDefinitionId}'
  properties: {
    roleName: roleDefinitionName
    type: 'BuiltInRole'
    assignableScopes: [
      cosmosAccount.id
    ]
    permissions: [
      {
        dataActions: dataActions
      }
    ]
  }
}

resource sqlRoleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2021-04-15' = {
  name: '${cosmosAccount.name}/${roleAssignmentId}'
  properties: {
    roleDefinitionId: sqlRoleDefinition.id
    principalId: apimanagement.identity.principalId
    scope: cosmosAccount.id
  }
}
Tags: azure-api-management, azure-cosmos-db, azure-rbac

Hello @VikasTiwari-2263 - Sorry for the late reply. I'm seeing the same issue as well, and I will look into it and share my findings with you here. Preliminarily, it looks like an implication of how the Cosmos DB RBAC data operations are independent from the Azure RBAC ones.


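As an added example (not the asker's template or Microsoft code), here is the pattern for what the question's title asks for: assigning the Cosmos DB built-in "Cosmos DB Built-in Data Reader" data-plane role to APIM's system-assigned identity. It relies on two things the thread touches on: `sqlRoleAssignments` are Cosmos DB data-plane resources, not `Microsoft.Authorization/roleAssignments`, so they are not listed on the identity's Azure role assignments blade even though requests succeed; and the built-in Data Reader role already exists on every account under the well-known id `00000000-0000-0000-0000-000000000001` (Data Contributor is `...0002`), so no custom role definition needs to be created. Its data actions are exactly the four listed in the asker's `dataActions` parameter, which keeps the proxy at read-only least privilege. Parameter and resource names are mine; the API versions are the ones used in the question.

```bicep
// Added example: grant APIM's system-assigned managed identity the Cosmos DB
// built-in Data Reader role (data plane RBAC, not Azure RBAC).
@maxLength(44)
param cosmosAccountName string

@maxLength(50)
param apiManagementName string

resource cosmosAccount 'Microsoft.DocumentDB/databaseAccounts@2021-06-15' existing = {
  name: cosmosAccountName
}

// APIM must have been deployed with identity: { type: 'SystemAssigned' }
resource apim 'Microsoft.ApiManagement/service@2021-01-01-preview' existing = {
  name: apiManagementName
}

// Built-in Data Reader role: readMetadata, items/read, executeQuery, readChangeFeed.
// It exists on every account, so it is referenced as 'existing' rather than created.
resource dataReaderRole 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2021-04-15' existing = {
  parent: cosmosAccount
  name: '00000000-0000-0000-0000-000000000001'
}

// The assignment name must be a GUID; deriving it from the three ids keeps
// the template idempotent across redeployments.
resource apimDataReader 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2021-04-15' = {
  parent: cosmosAccount
  name: guid(dataReaderRole.id, apim.id, cosmosAccount.id)
  properties: {
    roleDefinitionId: dataReaderRole.id
    principalId: apim.identity.principalId
    scope: cosmosAccount.id   // whole account; narrow to a database or container id for tighter scope
  }
}

output roleAssignmentId string = apimDataReader.id
```

To confirm the assignment landed, query the Cosmos DB account rather than the identity: `az cosmosdb sql role assignment list --account-name <account> --resource-group <rg>` lists the data-plane assignments, including the `principalId` of the APIM identity, and `az cosmosdb sql role definition list` shows the built-in and custom definitions on the account. The identity's own role assignments blade only reflects Azure RBAC and will stay empty for these.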

@MikeUrnun Thanks for looking into it. Here are a few troubleshooting steps I tried and the behaviors I noticed:

1) I tried to manually assign the same roles (from the portal), and after a couple of refreshes it showed the roles under the managed identity.
2) Then I removed the role and ran the template again.
3) No luck; again it is not showing the assigned role within the managed identity.
4) I tried to process the request from APIM and it is working as per the assigned roles.
5) I re-verified the role again from the portal; the managed identity is not showing any roles in the portal, but requests are working fine.



@MikeUrnun Did you get any workaround for this? I am seeing the same issue for other roles as well. I assigned the "Event Hubs Data Sender" role through Bicep to the APIM system-assigned managed identity; it deployed successfully, but when I went to the portal it is not showing any assignment. I have tried scoping at both the Event Hubs namespace and the event hub level.


0 Answers