Insufficient Permissions with resourceTokens for multiple partitions

  • Package Name: @azure/cosmos
  • Package Version: 3.9.3
  • Operating system: Windows 10
  • nodejs
    • version: v14.15.0
  • browser
    • name/version: Chrome/86.0.4240.183
  • typescript
    • version: 3.9.7
  • Is the bug related to documentation in

Describe the bug

Queries against a database will fail with "Error 403 Insufficient permissions provided in the authorization header for the corresponding request." when the user authenticates using a permission that grants access to multiple partition keys for a given container.

Limiting the query to the valid partition keys, either via the FeedOptions (which only allows one key and fails otherwise), or the query, does not get rid of this issue.

To Reproduce

Steps to reproduce the behavior:

  1. Create a user with a permission for a container including multiple partition keys
  2. Try to query the data with the given permission, for example:
SELECT *
FROM c
WHERE c.partitionKey="someValue"

Expected behavior

There has to be a way for a query to be limited to the allowed scope. For example via the query directly or as the partitionKey parameter within the FeedOptions.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 13 (5 by maintainers)

Top GitHub Comments

1 reaction
ranrolls commented, Dec 31, 2021

Need to know how permission token can be used to access all docs in collection

https://github.com/Azure/azure-sdk-for-js/issues/4972#issuecomment-1002887905

1 reaction
zfoster commented, Nov 17, 2020

@joeyboey unfortunately in the SDK there isn’t a way to pass all of those resource tokens. However, for querying, what you could do is create all of those permissions and make an object of them, then use tokenProvider on the client (allows you to provide the token per request via a callback function).

const { CosmosClient } = require("@azure/cosmos");

// One resource token per (collection, partition key) permission
const tokens = {
  collectionId1: {
    partitionkey1: "token",
    partitionkey2: "token2"
  }
};

// Note: This is probably more complex
function getToken(collectionId, partitionkey) {
  return tokens[collectionId][partitionkey];
}

// Use only for queries
const queryClient = new CosmosClient({
  endpoint: "foo",
  key: "foo",
  tokenProvider: request => {
    // The partition key comes in header form, e.g. '["partitionkey1"]', and needs to be extracted
    const header = request.headers["x-ms-documentdb-partitionkey"];
    const [partitionKey] = JSON.parse(header);
    return getToken(request.resourceId, partitionKey);
  }
});

You would also need to extract the partition key from the header. This is somewhat cumbersome, but might work for your use case. Our resource token model isn’t great right now.
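
The per-request token lookup described in the comment above, written as an added example that is not part of the original comment or of the SDK. It assumes that `request.resourceId` names the container and that the partition key is a single string sent as a JSON array in the `x-ms-documentdb-partitionkey` header; `selectToken`, `parsePartitionKey` and the sample tokens are hypothetical names and constructed values.

```javascript
// Added example, not SDK code. Assumed: request.resourceId names the container and
// the partition key arrives as a JSON array string in this header.
const PARTITION_KEY_HEADER = "x-ms-documentdb-partitionkey";

// Constructed sample data: one resource token per (container, partition key) permission.
// Maps are used instead of plain objects so that a key such as "constructor" or
// "__proto__" can never resolve to an inherited property.
const TOKENS = new Map([
  ["collectionId1", new Map([
    ["partitionkey1", "token"],
    ["partitionkey2", "token2"],
  ])],
]);

// Extracts the single string partition key from the request headers, or throws.
function parsePartitionKey(headers) {
  const raw = headers ? headers[PARTITION_KEY_HEADER] : undefined;
  if (typeof raw !== "string") {
    throw new Error("request carries no partition key header");
  }
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (err) {
    throw new Error("partition key header is not valid JSON");
  }
  if (!Array.isArray(parsed) || parsed.length !== 1 || typeof parsed[0] !== "string") {
    throw new Error("expected exactly one string partition key");
  }
  return parsed[0];
}

// Returns the token scoped to this container and partition key. Fails closed:
// no fallback to another partition's token when there is no exact match.
function selectToken(request, tokens = TOKENS) {
  const partitionKey = parsePartitionKey(request.headers);
  const perContainer = tokens.get(request.resourceId);
  const token = perContainer ? perContainer.get(partitionKey) : undefined;
  if (typeof token !== "string") {
    throw new Error(`no permission for ${request.resourceId} / ${partitionKey}`);
  }
  return token;
}
```

To use it with the client from the comment above, return `selectToken(request)` from the `tokenProvider` callback.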
