Add RBAC "Cosmos DB Built-in Data Contributor" role for cosmos-db to the OSDU Identity principal
All Submissions:
- [YES] Have you added an explanation of what your changes do and why you'd like us to include them?
- [YES] I have updated the documentation accordingly.
- [YES] My code follows the code style of this project.
Current Behavior or Linked Issues
- Adding built-in RBAC Cosmos DB Built-in Data Contributor role for cosmos-db to the OSDU Identity principal.
- When the AZURE_MSI_ISENABLED flag is enabled, the file service and other services that use Cosmos DB could not access the cosmos-db endpoint due to lack of permissions.
Error encountered without Cosmos RBAC permissions - "Request blocked by Auth osdu-mvp-dp1glab-ky7v-db : Request is blocked because principal [1c65e811-fc01-4f6b-89bd-8b052b464971] does not have required RBAC permissions to perform action [Microsoft.DocumentDB/databaseAccounts/readMetadata] on resource [/]."
- After these permissions are assigned to the OSDU identity principal, services should connect with Cosmos DB with no issues, even when the AZURE_MSI_ISENABLED flag is enabled.
Tested changes with the following pipelines
Does this introduce a breaking change?
- [NO]
Edited by saketh somaraju [EPAM]
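
A sketch of the kind of assignment described above, written with the Terraform azurerm provider. This is an added example, not the code from this merge request: the variable and resource names are hypothetical, and the scope is set to the whole account to match the `resource [/]` in the error message.

```hcl
# Added illustration; variable and resource names are hypothetical,
# not taken from the merge request.
variable "resource_group_name" { type = string }
variable "cosmosdb_account_name" { type = string }
variable "osdu_identity_principal_id" {
  type        = string
  description = "Object (principal) ID of the OSDU managed identity"
}

data "azurerm_cosmosdb_account" "db" {
  name                = var.cosmosdb_account_name
  resource_group_name = var.resource_group_name
}

# Built-in Cosmos DB data-plane role definitions have fixed IDs:
#   00000000-0000-0000-0000-000000000001 = Cosmos DB Built-in Data Reader
#   00000000-0000-0000-0000-000000000002 = Cosmos DB Built-in Data Contributor
data "azurerm_cosmosdb_sql_role_definition" "data_contributor" {
  resource_group_name = var.resource_group_name
  account_name        = var.cosmosdb_account_name
  role_definition_id  = "00000000-0000-0000-0000-000000000002"
}

# Data-plane role assignment for the managed identity.
resource "azurerm_cosmosdb_sql_role_assignment" "osdu_identity" {
  resource_group_name = var.resource_group_name
  account_name        = var.cosmosdb_account_name
  role_definition_id  = data.azurerm_cosmosdb_sql_role_definition.data_contributor.id
  principal_id        = var.osdu_identity_principal_id

  # Account-wide scope; services that only read data could be given
  # the Data Reader role (…0001) instead of Data Contributor.
  scope = data.azurerm_cosmosdb_account.db.id
}
```

Cosmos DB data-plane role assignments are separate from Azure RBAC assignments made with `azurerm_role_assignment`, so an identity can hold control-plane roles on the account and still receive the error quoted above.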