Add RBAC "Cosmos DB Built-in Data Contributor" role for cosmos-db to the OSDU Identity principal

saketh somaraju [EPAM] requested to merge az/sa-add-cosmosdb-roles into master

All Submissions:


  • [YES] Have you added an explanation of what your changes do and why you'd like us to include them?
  • [YES] I have updated the documentation accordingly.
  • [YES] My code follows the code style of this project.

Current Behavior or Linked Issues


  • Adding built-in RBAC Cosmos DB Built-in Data Contributor role for cosmos-db to the OSDU Identity principal.
  • When the AZURE_MSI_ISENABLED flag is enabled, file service and other services which are using Cosmos-DB could not access the cosmos-db endpoint due to lack of permissions.

Error faced without Cosmos RBAC permissions - "Request blocked by Auth osdu-mvp-dp1glab-ky7v-db : Request is blocked because principal [1c65e811-fc01-4f6b-89bd-8b052b464971] does not have required RBAC permissions to perform action [Microsoft.DocumentDB/databaseAccounts/readMetadata] on resource [/]."

  • After these permissions are assigned to the OSDU identity principal, services should connect with cosmos db with no issues, even when the AZURE_MSI_ISENABLED flag is enabled.

Tested changes with the following pipelines

Does this introduce a breaking change?


  • [NO]
Edited by saketh somaraju [EPAM]
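
An added example, not part of this merge request or the OSDU code base: a Python triage helper that parses the denial message quoted in the description and lists which Cosmos DB built-in data-plane roles cover the blocked action. The role action lists follow Azure's published built-in role definitions; the function names and the `assignments` mapping are hypothetical, and assignment scope is not modelled.

```python
import re
from fnmatch import fnmatchcase

P = "Microsoft.DocumentDB/databaseAccounts/"
# Data actions of the Cosmos DB built-in data-plane roles (Azure documentation).
BUILT_IN_ROLES = {
    "Cosmos DB Built-in Data Reader": [
        P + "readMetadata",
        P + "sqlDatabases/containers/executeQuery",
        P + "sqlDatabases/containers/readChangeFeed",
        P + "sqlDatabases/containers/items/read",
    ],
    "Cosmos DB Built-in Data Contributor": [
        P + "readMetadata",
        P + "sqlDatabases/containers/*",
        P + "sqlDatabases/containers/items/*",
    ],
}

# Matches the "Request blocked by Auth" message shape quoted on this page.
DENIAL = re.compile(
    r"Request blocked by Auth (?P<account>\S+) : .*?"
    r"principal \[(?P<principal>[0-9a-fA-F-]{36})\] .*?"
    r"action \[(?P<action>[^\]]+)\] on resource \[(?P<resource>[^\]]*)\]"
)

# The error text from the merge request description.
SAMPLE = ('Request blocked by Auth osdu-mvp-dp1glab-ky7v-db : Request is blocked '
          'because principal [1c65e811-fc01-4f6b-89bd-8b052b464971] does not have '
          'required RBAC permissions to perform action '
          '[Microsoft.DocumentDB/databaseAccounts/readMetadata] on resource [/].')

def parse_denial(line):
    """Return account, principal, action and resource, or None if no match."""
    m = DENIAL.search(line)
    return m.groupdict() if m else None

def roles_granting(action):
    """Built-in roles whose data actions (with '*' wildcards) cover the action."""
    return [name for name, pats in BUILT_IN_ROLES.items()
            if any(fnmatchcase(action, p) for p in pats)]

def triage(line, assignments):
    """assignments: hypothetical {principal_id: [role names]} inventory."""
    d = parse_denial(line)
    if d is None:
        return None
    d["candidate_roles"] = roles_granting(d["action"])
    held = assignments.get(d["principal"], [])
    d["missing"] = not any(r in held for r in d["candidate_roles"])
    return d
```

Run over service logs, `triage` separates a genuinely missing data-plane role assignment from a denial for a principal that already holds a covering role, which points at scope or propagation instead.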
