question

JayBloodworth-8708 asked:

Using ManagedIdentity with node.js web app to access Cosmos DB

I am trying to create a node.js web application using App Services that pulls data from a Cosmos DB database. To provide authorization, I created a Managed Identity for the web app and assigned it the Cosmos DB Account Reader Role under IAM for the Cosmos DB. The code for my app is below

const express = require('express');
const { ManagedIdentityCredential, DefaultAzureCredential } = require('@azure/identity');
const { CosmosClient } = require("@azure/cosmos");

// Endpoint of the Cosmos DB account (redacted in the post).
const endpoint = "https://redacted:443/";
// Token credential for the web app's system-assigned managed identity.
const aadCredentials = new ManagedIdentityCredential();
//const aadCredentials = new DefaultAzureCredential();

// Authenticate to Cosmos DB with an AAD token instead of the account key.
const client = new CosmosClient({ endpoint, aadCredentials });
const container = client.database('quotedb').container('quotes');

const port = process.env.PORT || 3000;

const app = express();

app.get('/api/quote/:who', async (req, res) => {
    // Bind the route parameter as a query parameter instead of interpolating it
    // into the SQL string, so request input cannot change the query's structure.
    const querySpec = {
        query: 'SELECT * FROM c WHERE c.character = @who',
        parameters: [{ name: '@who', value: req.params.who }]
    };
    const { resources: quotes } = await container.items.query(querySpec).fetchAll();
    if (quotes.length === 0) {
        return res.status(404).json({ who: req.params.who, error: 'no quotes found' });
    }
    const quote = quotes[Math.floor(Math.random() * quotes.length)];
    res.json({ who: req.params.who, quote });
});

app.use('/', express.static('static'));

app.listen(port, () => {
    console.log(`Listening on ${port}`);
});


All of the relevant modules have been installed. However, when I attempt to access the REST endpoint it doesn't work. The error in the logs says Access denied because principal xxx does not have RBAC permissions to perform action Microsoft.DocumentDB/databaseAccounts/readMetadata on /. The xxx does match the id I see for my ManagedIdentity in the Identity blade for the web app. Looking at the role definition for the Account Reader role I see that that permission is indeed missing. I suppose I can create a custom role that adds that specific permission, but the fact that the Reader role by itself is not working makes me suspect that I have done something else wrong.

The web app is using the free tier and the Cosmos DB instance is running under the Serverless configuration. This is just a "toy" app for my learning, but I would appreciate help in understanding what is going wrong. Thank you.

Tags: azure-webapps, azure-cosmos-db

1 Answer

OuryBa-MSFT answered:

Hi @JayBloodworth-8708
Thank you for posting your question on Microsoft Q&A and for using Azure services.
From my understanding, you are not able to access the REST endpoint even after assigning the permissions on the web app and Cosmos DB.
Try to create your custom CosmosDBReadWrite role by following the example in this article.

To create the custom role definitions and assignments, you will need to have the Azure CLI installed.

As the document below mentions, we can access Cosmos DB with Managed Identity.

How to use a system-assigned managed identity to access Azure Cosmos DB data | Microsoft Docs


Regards,
Oury
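The custom role the answer points to, written out as an added example (not the answerer's or the linked article's own commands). The error in the question is a Cosmos DB data-plane RBAC failure: the "Cosmos DB Account Reader Role" assigned under IAM is an Azure RBAC control-plane role, while data access is granted through Cosmos DB SQL role definitions. The definition below grants only the read actions a read-only app needs; the account, resource group and principal id are assumed placeholders.

```shell
#!/bin/sh
# Added example: least-privilege Cosmos DB SQL (data-plane) role for a read-only app.
# readMetadata is the action named in the question's error; the other three are the
# read actions a query-only client needs. Assumed placeholders: COSMOS_ACCOUNT,
# RESOURCE_GROUP and PRINCIPAL_ID (the managed identity's object id from the
# web app's Identity blade).

# Print the role definition body consumed by `az cosmosdb sql role definition create`.
read_only_role_definition() {
  cat <<'EOF'
{
  "RoleName": "QuoteAppReadOnly",
  "Type": "CustomRole",
  "AssignableScopes": ["/"],
  "Permissions": [{
    "DataActions": [
      "Microsoft.DocumentDB/databaseAccounts/readMetadata",
      "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeQuery",
      "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed",
      "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read"
    ]
  }]
}
EOF
}

# Scope the assignment to a single database instead of the whole account ("/").
# Cosmos DB data-plane scopes are "/dbs/<database>" or "/dbs/<database>/colls/<container>".
assignment_scope() {
  printf '/dbs/%s' "$1"
}

# Create the definition and assign it to the managed identity. Requires the Azure CLI
# and a signed-in user who can manage the account; only runs when invoked with "apply".
apply_role() {
  read_only_role_definition > role-definition-ro.json
  role_id=$(az cosmosdb sql role definition create \
      --account-name "$COSMOS_ACCOUNT" --resource-group "$RESOURCE_GROUP" \
      --body @role-definition-ro.json --query id -o tsv)
  az cosmosdb sql role assignment create \
      --account-name "$COSMOS_ACCOUNT" --resource-group "$RESOURCE_GROUP" \
      --scope "$(assignment_scope quotedb)" \
      --principal-id "$PRINCIPAL_ID" --role-definition-id "$role_id"
}

if [ "${1:-}" = "apply" ]; then
  apply_role
fi
```

The same four data actions are what the built-in "Cosmos DB Built-in Data Reader" role grants, so that role can be assigned instead of a custom one when database-level scoping is all that is needed.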




Hi @JayBloodworth-8708, I see that this issue was opened a long time ago and no further activity has taken place. So, I wanted to check if you are still looking for assistance on this query? Please let us know.

Yes, thank you. I actually discovered this myself shortly after posting. Sorry for not updating the post.


Hi @JayBloodworth-8708, please see my updated answer above and let us know if that helped resolve the issue.

Regards,
Oury
