Merge pull request #217677 from mattchenderson/func-cosmos-id

updating identity content for cosmos and functions connections table

Author: jborsecnik

articles/azure-functions/functions-reference.md

@@ -116,15 +116,22 @@ Identity-based connections are supported by the following components:
 
 | Connection source                                       | Plans supported | Learn more                                                                                                         |
 |---------------------------------------------------------|-----------------|--------------------------------------------------------------------------------------------------------------------|
-| Azure Blob triggers and bindings               | All             | [Extension version 5.0.0 or later](./functions-bindings-storage-blob.md#install-extension)     |
-| Azure Queue triggers and bindings            | All             | [Extension version 5.0.0 or later](./functions-bindings-storage-queue.md#storage-extension-5x-and-higher)    |
-| Azure Event Hubs triggers and bindings     | All             | [Extension version 5.0.0 or later](./functions-bindings-event-hubs.md?tabs=extensionv5)    |
-| Azure Service Bus triggers and bindings       | All             | [Extension version 5.0.0 or later](./functions-bindings-service-bus.md)  |
-| Azure Cosmos DB triggers and bindings - Preview         | Elastic Premium | [Extension version 4.0.0-preview1 or later](.//functions-bindings-cosmosdb-v2.md?tabs=extensionv4) |
-| Azure Tables (when using Azure Storage) - Preview | All | [Azure Cosmos DB for Table extension](./functions-bindings-storage-table.md#table-api-extension) |
+| Azure Blob triggers and bindings               | All             | [Extension version 5.0.0 or later][blobv5]<br/>[Extension bundle 3.3.0 or later][blobv5]  |
+| Azure Queue triggers and bindings            | All             | [Extension version 5.0.0 or later][queuev5]<br/>[Extension bundle 3.3.0 or later][queuev5] |
+| Azure Event Hubs triggers and bindings     | All             | [Extension version 5.0.0 or later][eventhubv5]<br/>[Extension bundle 3.3.0 or later][eventhubv5]   |
+| Azure Service Bus triggers and bindings       | All             | [Extension version 5.0.0 or later][servicebusv5]<br/>[Extension bundle 3.3.0 or later][servicebusv5] |
+| Azure Cosmos DB triggers and bindings - Preview         | Elastic Premium | [Extension version 4.0.0-preview1 or later][cosmosv4]<br/> [Preview extension bundle 4.0.0 or later][cosmosv4]|
+| Azure Tables (when using Azure Storage) - Preview | All | [Azure Cosmos DB for Table extension](./functions-bindings-storage-table.md#table-api-extension)<br/>[Extension bundle 3.3.0 or later][tablesv1] |
 | Durable Functions storage provider (Azure Storage) - Preview | All | [Extension version 2.7.0 or later](https://github.com/Azure/azure-functions-durable-extension/releases/tag/v2.7.0) | 
 | Host-required storage ("AzureWebJobsStorage") - Preview | All             | [Connecting to host storage with an identity](#connecting-to-host-storage-with-an-identity-preview)                        |
 
+[blobv5]: ./functions-bindings-storage-blob.md#install-extension
+[queuev5]: ./functions-bindings-storage-queue.md#storage-extension-5x-and-higher
+[eventhubv5]: ./functions-bindings-event-hubs.md?tabs=extensionv5
+[servicebusv5]: ./functions-bindings-service-bus.md
+[cosmosv4]: ./functions-bindings-cosmosdb-v2.md?tabs=extensionv4
+[tablesv1]: ./functions-bindings-storage-table.md#table-api-extension
+
 [!INCLUDE [functions-identity-based-connections-configuration](../../includes/functions-identity-based-connections-configuration.md)]
 
 Choose a tab below to learn about permissions for each component:

includes/functions-cosmos-permissions.md

@@ -6,14 +6,18 @@ ms.date: 10/19/2021
 ms.author: mahender
 ---
 
-You will need to create a role assignment that provides access to your database account at runtime. Management roles like [Owner](../articles/role-based-access-control/built-in-roles.md#owner) are not sufficient. The following table shows built-in roles that are recommended when using the Azure Cosmos DB extension in normal operation. Your application may require additional permissions based on the code you write.
+Cosmos DB does not use Azure RBAC for data operations. Instead, it uses a [Cosmos DB built-in RBAC system] which is built on similar concepts. You will need to create a role assignment that provides access to your database account at runtime. Azure RBAC Management roles like [Owner](../articles/role-based-access-control/built-in-roles.md#owner) are not sufficient. The following table shows built-in roles that are recommended when using the Azure Cosmos DB extension in normal operation. Your application may require additional permissions based on the code you write.
 
-| Binding type   | Example built-in roles                |
-|----------------|---------------------------------------|
-| Trigger        | [Cosmos DB Built-in Data Contributor] |
-| Input binding  | [Cosmos DB Built-in Data Reader]      |
-| Output binding | [Cosmos DB Built-in Data Contributor] |
+| Binding type        | Example built-in roles<sup>1</sup>    |
+|---------------------|---------------------------------------|
+| Trigger<sup>2</sup> | [Cosmos DB Built-in Data Contributor] |
+| Input binding       | [Cosmos DB Built-in Data Reader]      |
+| Output binding      | [Cosmos DB Built-in Data Contributor] |
 
+<sup>1</sup> These roles cannot be used in an Azure RBAC role assignment. See the [Cosmos DB built-in RBAC system] documentation for details on how to assign these roles. 
 
+<sup>2</sup> When using identity, Cosmos DB treats container creation as a management operation. It is not available as a data-plane operation for the trigger. You will need to ensure that you create the containers needed by the trigger (including the lease container) before setting up your function.
+
+[Cosmos DB built-in RBAC system]: ../articles/cosmos-db/how-to-setup-rbac.md
 [Cosmos DB Built-in Data Reader]: ../articles/cosmos-db/how-to-setup-rbac.md#built-in-role-definitions
 [Cosmos DB Built-in Data Contributor]: ../articles/cosmos-db/how-to-setup-rbac.md#built-in-role-definitions

includes/functions-identity-based-connections-configuration.md

@@ -10,7 +10,7 @@ When hosted in the Azure Functions service, identity-based connections use a [ma
 
 #### Grant permission to the identity
 
-Whatever identity is being used must have permissions to perform the intended actions. You will need to [assign a role in Azure RBAC](../articles/role-based-access-control/role-assignments-steps.md), using either built-in or custom roles which provide those permissions.
+Whatever identity is being used must have permissions to perform the intended actions. For most Azure services, this means you need to [assign a role in Azure RBAC](../articles/role-based-access-control/role-assignments-steps.md), using either built-in or custom roles which provide those permissions.
 
 > [!IMPORTANT]
 > Some permissions might be exposed by the target service that are not necessary for all contexts. Where possible, adhere to the **principle of least privilege**, granting the identity only required privileges. For example, if the app only needs to be able to read from a data source, use a role that only has permission to read. It would be inappropriate to assign a role that also allows writing to that service, as this would be excessive permission for a read operation. Similarly, you would want to ensure the role assignment is scoped only over the resources that need to be read.