Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

COSMOSDB - Unable to query with newly generated resourcetoken (.NET)

See original GitHub issue

Issue Transfer

This issue has been transferred from the Azure SDK for .NET repository, #33545.

Please be aware that @iprashantp is the author of the original issue and include them for any questions or replies.

Details

Package Name: Microsoft.Azure.Cosmos
Package Version: 3.12.0
Operating system: Windows
Is the bug related to documentation in
- SDK API docs on MS Docs

Describe the bug Unable to perform CRUD with newly generated resource token with ALL permissions.

private async Task RefreshResourceToken(String user, PermissionMode permission)
        {
            CosmosClient client = new CosmosClient(Program.EndpointUri, Program.PrimaryKey, new CosmosClientOptions() { ApplicationName = "CosmosDBDotnetQuickstart" });
            Database db = client.GetDatabase(this.databaseId);
            User userId = db.GetUser(user);
            Container container = db.GetContainer(this.containerId);

            PermissionResponse permissionResponse;
            PermissionProperties permissionPropertiesproperties = new(
                        id: "permission01read",
                        permissionMode: permission,
                        container: container
                        );

            //permissionResponse = await userId.CreatePermissionAsync(permissionPropertiesproperties);
            permissionResponse = await userId.UpsertPermissionAsync(permissionPropertiesproperties);
            this.ResourceToken = permissionResponse.Resource.Token;
            
            this.cosmosClient = new CosmosClient(accountEndpoint: Program.EndpointUri, authKeyOrResourceToken: this.ResourceToken);
            await this.CreateDatabaseAsync();
            await this.CreateContainerAsync();
            await this.ScaleContainerAsync();
        }

To Reproduce Steps to reproduce the behavior:

Created a user,
Created Permission with read or ALL permission,
From permission fetched the resource token, stored it.
Using the resource token, create cosmos client and use it with the permissions it has.
Once the resource token expires, create another resource token as shown in the function, with ALL permissions.
Unable to query because of the following issue:

Reason: (**Insufficient permissions provided in the authorization header for the corresponding request. Please retry with another authorization header.**
ActivityId: 6c04888e-ded2-4723-a576-51c3a4ef5958, Microsoft.Azure.Documents.Common/2.14.0, Please see CosmosDiagnostics, Windows/10.0.22621 cosmos-netstandard-sdk/3.11.4);

Expected behavior Should be able to perform CRUD with the newly generated resource token.

Issue Analytics

State:
Created 8 months ago
Comments:6 (3 by maintainers)

Top GitHub Comments

1reaction

iprashantpcommented, Jan 18, 2023

Thanks. We can close this one.

1reaction

ealsurcommented, Jan 18, 2023

By definition that would not work, right? Your permissions are scoped to a Container, if you are trying to do operations outside of the Container (for example, creating a Database), that should fail and it’s expected, because the scope is outside the Container you selected, isn’t it?