Commit 285a578

Merge pull request #209255 from enkrumah/cosmosdbmiupdate
updated steps needed to assign rbac role
2 parents 1f29e42 + 64e4afa commit 285a578

1 file changed

+7
-11
lines changed

articles/stream-analytics/cosmos-db-managed-identity.md

Lines changed: 7 additions & 11 deletions
@@ -5,7 +5,7 @@ author: enkrumah
55
ms.author: ebnkruma
66
ms.service: stream-analytics
77
ms.topic: how-to
8-
ms.date: 08/09/2022
8+
ms.date: 08/30/2022
99
ms.custom: subject-rbac-steps
1010
---
1111

@@ -43,19 +43,15 @@ For the Stream Analytics job to access your Cosmos DB using managed identity, th
4343
|---------|
4444
|Cosmos DB Built-in Data Contributor|
4545

46-
1. Select **Access control (IAM)**.
46+
> [!IMPORTANT]
47+
> Cosmos DB data plane built-in role-based access control (RBAC) is not exposed through the Azure Portal. To assign the Cosmos DB Built-in Data Contributor role, you must grant permission via Azure Powershell. For more information about role-based access control with Azure Active Directory for your Azure Cosmos DB account please visit the: [Configure role-based access control with Azure Active Directory for your Azure Cosmos DB account documentation.](https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac/)
4748
48-
2. Select **Add** > **Add role assignment** to open the **Add role assignment** page.
49+
The following command can be used to authenticate your ASA job with Cosmos DB. The `$accountName` and `$resourceGroupName` are for your Cosmos DB account, and the `$principalId` is the value obtained in the previous step, in the Identity tab of your ASA job. You need to have "Contributor" access to your Cosmos DB account for this command to work as intended.
4950

50-
3. Assign the following role. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).
51+
```azurecli-interactive
52+
New-AzCosmosDBSqlRoleAssignment -AccountName $accountName -ResourceGroupName $resourceGroupName -RoleDefinitionId '00000000-0000-0000-0000-000000000002' -Scope "/" -PrincipalId $principalId
5153
52-
| Setting | Value |
53-
| --- | --- |
54-
| Role | Cosmos DB Built-in Data Contributor |
55-
| Assign access to | User, group, or service principal |
56-
| Members | \<Name of your Stream Analytics job> |
57-
58-
![Screenshot that shows Add role assignment page in Azure portal.](../../includes/role-based-access-control/media/add-role-assignment-page.png)
54+
```
5955

6056
> [!NOTE]
6157
> Due to global replication or caching latency, there may be a delay when permissions are revoked or granted. Changes should be reflected within 8 minutes.
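
Review bot: The new code fence at added line 51 is tagged `azurecli-interactive`, but `New-AzCosmosDBSqlRoleAssignment` is an Azure PowerShell cmdlet, and the IMPORTANT note above it tells the reader to use Azure PowerShell. Tag the fence `azurepowershell-interactive` so the rendered "Try it" shell matches the command. Two further points on the same added lines: `-RoleDefinitionId '00000000-0000-0000-0000-000000000002'` is given with no statement that this ID is the Cosmos DB Built-in Data Contributor role named in the table above, so a reader cannot verify what they are granting; add one sentence tying the ID to the role name. And `-Scope "/"` grants the job's identity data-plane write access across the whole account; the text should say so and mention that the scope can be narrowed to a single database or container when the job only writes to one. Minor wording in the note at added line 47: "Azure Powershell" should be "Azure PowerShell", "Azure Portal" should be "Azure portal", and "please visit the: [... documentation.]" reads better as "see [Configure role-based access control ...]" with the period outside the link text.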
