Grant AAD group data plane reader permission does not work
We are continuously addressing and improving the SDK; if possible, make sure the problem persists in the latest SDK version.
Describe the bug
I'm following the doc https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac to grant data reader permission to an AAD group, then I use one user principal belonging to the AAD group to read container items; however, this error happens:
Forbidden (403); Substatus: 5301; ActivityId: 3e1f99ac-458c-43ac-b557-b1eadd77fc4e; Reason: (Request blocked by Auth *** : Request is blocked because principal [****] does not have required RBAC permissions to perform action [Microsoft.DocumentDB/databaseAccounts/readMetadata] on resource [/]. Learn more: https://aka.ms/cosmos-native-rbac. This could be because the user's group memberships were not present in the AAD token.
To Reproduce
First grant the AAD group the data reader permission, then run the code below using a credential belonging to the AAD group:
using Azure.Identity;
using Microsoft.Azure.Cosmos;
// Sign in interactively as a user who is a member of the AAD group that was granted the data reader role
CosmosClient client1 = new CosmosClient("https://***.documents.azure.com:443/", new InteractiveBrowserCredential());
var c1 = client1.GetContainer("Regional", "Infra");
var ret = c1.ReadItemAsync<InfraDoc>("***", new PartitionKey("lgn-rcp::LegionStamp")).Result;
Expected behavior
No error happens
Actual behavior
Error happens
Environment summary
SDK Version:
OS Version:
Additional context
None provided.
Issue Analytics
- Created a year ago
- Comments: 7 (7 by maintainers)
Top GitHub Comments
@erich-wang Yeah, the documentation seems unclear. Please feel free to send feedback on that page (at the bottom) so the team working on AAD can update it/polish it.
@ealsur, thanks for the follow-up. Based on the document at https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#limits, it gives the impression that Azure AD groups have been supported for identities that belong to < 200 groups.
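The 403 above says the principal's group memberships may not have been present in the AAD token, and the comment thread turns on the 200-group limit. A quick way to check which case you are in is to decode the access token the client actually sent and look at its group-related claims. The following is an added diagnostic example, not code from the issue or from the Cosmos SDK; it assumes the documented Azure AD claim names (`groups`, `hasgroups`, `_claim_names`/`_claim_sources` for the group overage indicator) and decodes the payload without verifying the signature, so it is for inspection only, never for authorization decisions. The token it builds for itself is constructed and unsigned.

```python
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Return the payload of a compact-serialized JWT as a dict.
    Diagnostic decode only: the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding that JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def group_claim_status(claims: dict) -> str:
    """Classify how group membership shows up in an Azure AD token payload.
    'present' : a 'groups' array is in the token (RBAC can resolve group roles)
    'overage' : the user is in too many groups, so the directory emitted an
                overage indicator instead of the list (hasgroups / _claim_names)
    'missing' : no group information at all (e.g. app not configured to emit it)"""
    if isinstance(claims.get("groups"), list):
        return "present"
    if claims.get("hasgroups") is True:
        return "overage"
    claim_names = claims.get("_claim_names") or {}
    if "groups" in claim_names:
        return "overage"
    return "missing"


def diagnose_token(token: str) -> tuple:
    """Return (status, number_of_group_ids_in_token) for a raw access token."""
    claims = decode_jwt_payload(token)
    status = group_claim_status(claims)
    count = len(claims["groups"]) if status == "present" else 0
    return status, count


def make_unsigned_jwt(payload: dict) -> str:
    """Build a constructed, unsigned JWT ('alg': 'none') purely for local testing."""
    def b64url(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64url({'alg': 'none', 'typ': 'JWT'})}.{b64url(payload)}."


if __name__ == "__main__":
    # Constructed sample: one group id present, so RBAC group roles could be resolved.
    sample = make_unsigned_jwt({"aud": "constructed-audience", "groups": ["00000000-0000-0000-0000-000000000001"]})
    print(diagnose_token(sample))
```

If the result is `overage` or `missing`, the role assignment on the group is not the problem; the token handed to Cosmos DB simply does not carry the membership, which matches the error text above.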