According to this document, you can just create a container. But that is certainly not true.
I did some searching and asked a chatbot, and they seem to confirm that I need these roles for my account to create new containers:
- Cosmos DB Built-in Data Contributor
- Cosmos DB Operator
I have created an account with these two roles, and have created a Cosmos DB manually. But my application using this account still cannot create new containers. It got a 403 error when calling the CreateContainerIfNotExistsAsync method.
What role/permission am I missing for my account?
Thanks
Asked Nov 21, 2024 at 1:13 by David S.; edited Nov 21, 2024 at 14:03 by David Makogon.
- Assign the "Cosmos DB Account Contributor" role to your account; this role will allow you to create containers along with managing the Cosmos DB account’s resources. – Balaji Commented Nov 21, 2024 at 2:49
- Could you share which 403 error it was showing? – Balaji Commented Nov 21, 2024 at 6:56
- Sorry, I gave up and used TF to create containers manually. – David S. Commented Nov 22, 2024 at 0:15
1 Answer
Assign the Cosmos DB Operator role to your application (maybe you are using sp to invoke the request?)
The actual action you need is Microsoft.DocumentDB/databaseAccounts/tables/containers/entities/create, but Microsoft does not provide such fine-grained roles, and if you check the Cosmos DB Operator role details:
    "properties": {
        "roleName": "Cosmos DB Operator",
        "description": "Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings.",
        "assignableScopes": [
            "/"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.DocumentDb/databaseAccounts/*",
                    "Microsoft.Insights/alertRules/*",
                    "Microsoft.Authorization/*/read",
                    "Microsoft.ResourceHealth/availabilityStatuses/read",
                    "Microsoft.Resources/deployments/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Support/*",
                    "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
                ],
The container entity create action is included in "Microsoft.DocumentDb/databaseAccounts/*".
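The wildcard check described in the answer, written out as an added example (not part of the original answer or of any Azure SDK): it tests whether an action string is granted by a role definition's `actions` after subtracting `notActions`, using the action list from the excerpt above. The function names and the `notActions` sample are assumptions made for illustration; `dataActions` are a separate list in a role definition and are not evaluated here.

```python
import re

# Control-plane actions exactly as listed in the role excerpt quoted in the answer.
OPERATOR_ACTIONS = [
    "Microsoft.DocumentDb/databaseAccounts/*",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Authorization/*/read",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/deployments/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Support/*",
    "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
]


def _matches(pattern, action):
    """Azure RBAC pattern match: '*' matches any run of characters, case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def granting_patterns(action, actions, not_actions=()):
    """Return the patterns in `actions` that grant `action`, or [] if it is
    not granted or is subtracted by a pattern in `not_actions`."""
    if any(_matches(p, action) for p in not_actions):
        return []
    return [p for p in actions if _matches(p, action)]


if __name__ == "__main__":
    # The action named in the answer (note the different casing of "DocumentDB").
    needed = "Microsoft.DocumentDB/databaseAccounts/tables/containers/entities/create"
    print(granting_patterns(needed, OPERATOR_ACTIONS))
    # Constructed notActions entry (not taken from the page) to show subtraction.
    denied = ["Microsoft.DocumentDB/databaseAccounts/listKeys/*"]
    key_action = "Microsoft.DocumentDB/databaseAccounts/listKeys/action"
    print(granting_patterns(key_action, OPERATOR_ACTIONS, denied))
```

Running the same check against the full role definition, including its real `notActions`, before assigning a role shows exactly what a broad wildcard hands to the application identity.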