
CreateClientEncryptionKeyAsync, RewrapClientEncryptionKeyAsync (Microsoft.Azure.Cosmos.Encryption) cannot be performed with CosmosClient using RBAC #5546

@leprechaun19

Description

Describe the bug

As described in this article https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-always-encrypted?tabs=dotnet#cmk-rotation, we would like to rotate the CMK regularly. We have implemented a piece of code that performs key rotation using the RewrapClientEncryptionKeyAsync method. But neither it nor CreateClientEncryptionKeyAsync works when we use the CosmosClient with RBAC.

When using a CosmosClient with authentication via a connection string with an account key (AccountEndpoint=;AccountKey=), everything works fine, but we do not use key-based authentication for our projects.

FYI
Operations in Microsoft.Azure.Cosmos related to creating a container and a database in a Cosmos DB account also do not work, but they can be replaced with the same operations from another management library, Azure.ResourceManager.CosmosDB (as advised in issue #5014; I'm not sure about creating a container with an encryption policy, though, because we use the WithClientEncryptionPolicy extension of ContainerBuilder).
But as far as I understand, after studying Azure.ResourceManager.CosmosDB in detail, we cannot create a client encryption key or rewrap it with its new version using this library.

RBAC is configured in accordance with this article https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-connect-role-based-access-control?pivots=azure-cli. That is, the built-in roles (Cosmos DB Operator, DocumentDB Account Contributor) have been assigned to the Function App that makes calls to the Cosmos DB account. We also tried a custom role with the permission “Microsoft.DocumentDb/*”, which definitely includes the one we need, “Microsoft.DocumentDB/databaseAccounts/sqlDatabases/clientEncryptionKeys” (/write, /read and /operationResults/read).

To Reproduce

  1. RBAC is configured between the Function App and Azure Cosmos DB for NoSQL.
  2. You already have a database and a container with one encryption key. That means the "Key Vault Crypto Service Encryption User" role is assigned to the default identity.

Initially, our very first key was created while we were using the CosmosClient with key-based authentication, but now calling this method with the CosmosClient and RBAC causes the same error as the RewrapClientEncryptionKeyAsync method.

```csharp
await database.CreateClientEncryptionKeyAsync(
    "encryption-key-name",
    DataEncryptionAlgorithm.AeadAes256CbcHmacSha256,
    new EncryptionKeyWrapMetadata(
        KeyEncryptionKeyResolverName.AzureKeyVault,
        "akvKey",
        "https://<my-key-vault>.vault.azure.net/keys/<new-key>/<version>",
        EncryptionAlgorithm.RsaOaep.ToString()));
```

  3. Run this code to reproduce
```csharp
using Azure.Identity;
using Azure.Security.KeyVault.Keys.Cryptography;
using Microsoft.Azure.Cosmos;
using Microsoft.Azure.Cosmos.Encryption;

// One Entra ID (AAD) credential for both Key Vault (key resolver) and the Cosmos DB data plane (RBAC).
var tokenCredential = new DefaultAzureCredential();
var keyResolver = new KeyResolver(tokenCredential);
var cosmosClientOptions = new CosmosClientOptions();
var cosmosClient = new CosmosClient("https://cosmos-db-name.documents.azure.com:443/", tokenCredential, cosmosClientOptions)
    .WithEncryption(keyResolver, KeyEncryptionKeyResolverName.AzureKeyVault);
var database = cosmosClient.GetDatabase("cosmos-db-name");

// Fails with 403 / substatus 5300 when the client authenticates with an AAD token instead of the account key.
await database.CreateClientEncryptionKeyAsync(
    "encryption-key-name",
    DataEncryptionAlgorithm.AeadAes256CbcHmacSha256,
    new EncryptionKeyWrapMetadata(
        KeyEncryptionKeyResolverName.AzureKeyVault,
        "akvKey",
        "https://<my-key-vault>.vault.azure.net/keys/<new-key>/<version>",
        EncryptionAlgorithm.RsaOaep.ToString()));
```

Expected behavior

CreateClientEncryptionKeyAsync and RewrapClientEncryptionKeyAsync operations are performed without errors when using the CosmosClient with RBAC.

I read in the response to the other issue I mentioned earlier that this support is planned, but that was in February, and soon it will be a year. Can someone tell me the ETA for this?

Actual behavior

CosmosException occurs with message: Response status code does not indicate success: Forbidden (403); Substatus: 5300; Reason: (Request blocked by Auth cosno-panservice-dev-001 : The given request [PUT /dbs/cosmos-db-account-name/clientencryptionkeys/encryption-key-name] cannot be authorized by AAD token in data plane.

Environment summary

Microsoft.Azure.Cosmos: 3.56.0
Microsoft.Azure.Cosmos.Encryption: 2.0.5
OS Version: Windows 11

Additional context

Full Message:
Response status code does not indicate success: Forbidden (403); Substatus: 5300; ActivityId: 786b9958-3aff-4f7a-bc51-c87sd77f8nne; Reason: (Request blocked by Auth cosno-panservice-dev-001 : The given request [PUT /dbs/cosmos-db-account-name/clientencryptionkeys/encryption-key-name] cannot be authorized by AAD token in data plane. Learn more: https://aka.ms/cosmos-native-rbac.
ActivityId: 786b9958-3aff-4f7a-bc51-c87sd77f8nne, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Cosmos.Tracing.TraceData.ClientSideRequestStatisticsTraceDatum, Windows/10.0.26200 cosmos-netstandard-sdk/3.41.0);

Stack Trace:
at Microsoft.Azure.Cosmos.GatewayStoreClient.ParseResponseAsync(HttpResponseMessage responseMessage, JsonSerializerSettings serializerSettings, DocumentServiceRequest request)
at Microsoft.Azure.Cosmos.GatewayStoreClient.InvokeAsync(DocumentServiceRequest request, ResourceType resourceType, Uri physicalAddress, CancellationToken cancellationToken)
at Microsoft.Azure.Cosmos.GatewayStoreModel.ProcessMessageAsync(DocumentServiceRequest request, CancellationToken cancellationToken)
at Microsoft.Azure.Cosmos.GatewayStoreModel.ProcessMessageAsync(DocumentServiceRequest request, CancellationToken cancellationToken)
at Microsoft.Azure.Cosmos.Handlers.TransportHandler.ProcessMessageAsync(RequestMessage request, CancellationToken cancellationToken)
at Microsoft.Azure.Cosmos.Handlers.TransportHandler.SendAsync(RequestMessage request, CancellationToken cancellationToken)
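A containment pattern that follows from the report above, added here as an example and not code from the issue reporter or from the Cosmos SDK: the only authentication the report shows succeeding for the clientencryptionkeys PUT is the account key, so confine that key to a short-lived client that performs only CEK create/rewrap, keep the RBAC-authenticated client for all document reads and writes, and turn the 403 with substatus 5300 into an explicit error rather than a generic Forbidden. The class and method names, the "akvKey" metadata name, the database and key identifiers, the placeholder Key Vault URI, and the way the account key reaches the process are all assumptions.

```csharp
using System;
using System.Net;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Keys.Cryptography;
using Microsoft.Azure.Cosmos;
using Microsoft.Azure.Cosmos.Encryption;

// Hypothetical helper (not from the issue or the SDK): keeps the CEK create/rewrap path on a
// dedicated key-authenticated client and makes the RBAC failure from the issue explicit.
public static class ClientEncryptionKeyAdmin
{
    // Substatus that accompanies the 403 in the issue when an AAD token is rejected for this request.
    private const int SubStatusAadTokenNotAuthorized = 5300;

    // Key Vault access still uses Entra ID (the resolver identity needs "Key Vault Crypto Service
    // Encryption User"); only the Cosmos DB requests use the account key. Callers dispose the
    // returned client as soon as the key operation completes so the key-authenticated path is short-lived.
    public static CosmosClient CreateKeyAuthenticatedClient(
        string accountEndpoint, string accountKey, TokenCredential keyVaultCredential) =>
        new CosmosClient(accountEndpoint, accountKey)
            .WithEncryption(new KeyResolver(keyVaultCredential), KeyEncryptionKeyResolverName.AzureKeyVault);

    // Wrap metadata pointing at one specific Key Vault key version ("akvKey" is an assumed metadata name).
    public static EncryptionKeyWrapMetadata AkvMetadata(string kekVersionUri) =>
        new EncryptionKeyWrapMetadata(
            KeyEncryptionKeyResolverName.AzureKeyVault,
            "akvKey",
            kekVersionUri,
            EncryptionAlgorithm.RsaOaep.ToString());

    // Creates a new CEK wrapped with the given Key Vault key version.
    public static Task<ClientEncryptionKeyResponse> CreateAsync(Database database, string cekId, string kekVersionUri) =>
        Classify(database.CreateClientEncryptionKeyAsync(
            cekId, DataEncryptionAlgorithm.AeadAes256CbcHmacSha256, AkvMetadata(kekVersionUri)));

    // CMK rotation: re-wraps the existing CEK with the new Key Vault key version.
    public static Task<ClientEncryptionKeyResponse> RewrapAsync(Database database, string cekId, string newKekVersionUri) =>
        Classify(database.RewrapClientEncryptionKeyAsync(cekId, AkvMetadata(newKekVersionUri)));

    // Turns the 403/5300 reported in the issue into an actionable error instead of a generic Forbidden.
    private static async Task<ClientEncryptionKeyResponse> Classify(Task<ClientEncryptionKeyResponse> operation)
    {
        try
        {
            return await operation;
        }
        catch (CosmosException ex) when (ex.StatusCode == HttpStatusCode.Forbidden
                                         && ex.SubStatusCode == SubStatusAadTokenNotAuthorized)
        {
            throw new InvalidOperationException(
                "clientencryptionkeys write was rejected for an AAD token (403, substatus 5300). " +
                "Run CEK create/rewrap through CreateKeyAuthenticatedClient, not the RBAC client.", ex);
        }
    }
}

// Usage with placeholder values: rotate the CEK to a new Key Vault key version, then dispose the
// key-authenticated client. The account key is obtained out of band (assumption: a secret store, not app settings).
public static class RotationExample
{
    public static async Task RotateAsync(string accountEndpoint, string accountKey)
    {
        var credential = new DefaultAzureCredential();
        using var adminClient = ClientEncryptionKeyAdmin.CreateKeyAuthenticatedClient(accountEndpoint, accountKey, credential);
        var database = adminClient.GetDatabase("cosmos-db-name");
        await ClientEncryptionKeyAdmin.RewrapAsync(
            database, "encryption-key-name",
            "https://<my-key-vault>.vault.azure.net/keys/<new-key>/<new-version>");
    }
}
```

The account key is a full-access credential for the whole account, so the pattern only reduces exposure if the key is read from a secret store at rotation time, never placed in the same configuration as the RBAC data path, and regenerated afterwards if it is not otherwise needed. The Azure.ResourceManager.CosmosDB route mentioned in the report does not cover CEK create/rewrap, so until data-plane RBAC authorizes the clientencryptionkeys PUT this is the only path the report shows working.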
