
[BUG] Azure Data Tables rejects Microsoft Entra authentication using Azure Cosmos DB for Table #47332

Open
PeterButzelaar opened this issue Nov 26, 2024 · 2 comments
Assignees: none

Labels:
- Client: This issue points to a problem in the data-plane of the library.
- customer-reported: Issues that are reported by GitHub users external to the Azure organization.
- needs-team-attention: Workflow: This issue needs attention from Azure service team or SDK team.
- question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that.
- Tables

Comments


PeterButzelaar commented Nov 26, 2024

Library name and version

Azure.Data.Tables 12.9.1

Describe the bug

Note: this bug also existed for the Python package, but was resolved a few weeks ago.

You cannot use the Azure.Data.Tables package to authenticate to Azure Cosmos DB for Table using Managed Identity / RBAC against Entra.

Expected behavior

Using managed identity, I should be able to communicate with a CosmosDb table in Azure.

The following line of code should work without exception:

```csharp
var tableServiceClient = new TableServiceClient(new Uri("https://mycosmosdb.table.cosmos.azure.com"), new DefaultAzureCredential());
var tableClient = tableServiceClient.GetTableClient("myTable");
await tableClient.GetEntityAsync<MyTableEntity>("pk", "rk");
```

Actual behavior

When running the code block above, you get a 401 odata error:

```text
"odata.error":{"code":"Unauthorized","message":{"lang":"en-us","value":"Request blocked by Auth Provided AAD token is intended for [https://storage.azure.com]. This database account accepts tokens intended for [https://mycosmosdb.documents.azure.com, https://mycosmosdb.sql.cosmos.azure.com, https://mycosmosdbsqlx.cosmos.azure.com, https://cosmos.azure.com].\r\nActivityId: 885e33b1-cfea-4348-8371-dea70889b0ae, documentdb-dotnet-sdk/2.14.0 Host/64-bit MicrosoftWindowsNT/10.0.20348.0\nRequestID:885e33b1-cfea-4348-8371-dea70889b0ae\n"}}}
```

Workaround

The current workaround for me is to use this token provider specifically for Cosmos:

```csharp
using System.Threading;
using Azure.Core;
using Azure.Identity;

// Replaces the storage scope requested by the Tables client with the Cosmos DB audience
class CosmosDbDefaultAzureCredential : DefaultAzureCredential
{
    public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken = default)
    {
        requestContext.Scopes[0] = "https://cosmos.azure.com/.default";
        return base.GetToken(requestContext, cancellationToken);
    }
}
```
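The 401 above is the service correctly enforcing token audience: a token minted for https://storage.azure.com must not be accepted by a Cosmos DB account, so the fix is to request the audience the account lists, not to loosen anything. The following is an added example, not code from the issue author or from the Azure SDK, showing the same scope rewrite as a composable TokenCredential wrapper. It overrides both GetToken and GetTokenAsync, because the Azure.Core bearer-token pipeline uses the async path for async client calls such as GetEntityAsync, and it builds a fresh TokenRequestContext instead of mutating the caller's Scopes array. The account hostname, table name and entity keys are the ones used in the issue; the MyTableEntity class is an assumed minimal entity. The role assignment from the reproduction steps (Cosmos DB Built-in Data Contributor) is still required; this wrapper only fixes the audience.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Data.Tables;
using Azure.Identity;

// Wraps any TokenCredential and rewrites the requested scope to the Cosmos DB audience.
// Hypothetical helper written for this issue, not part of Azure.Identity or Azure.Data.Tables.
public sealed class CosmosTableScopeCredential : TokenCredential
{
    // One of the audiences listed as accepted in the 401 response on this issue.
    public const string CosmosScope = "https://cosmos.azure.com/.default";

    private readonly TokenCredential _inner;

    public CosmosTableScopeCredential(TokenCredential inner)
    {
        _inner = inner ?? throw new ArgumentNullException(nameof(inner));
    }

    // Returns a new context carrying the Cosmos scope; the original context is left untouched.
    private static TokenRequestContext Rewrite(TokenRequestContext ctx)
    {
        if (ctx.Scopes.Length == 1 && ctx.Scopes[0] == CosmosScope)
        {
            return ctx; // already the right audience, nothing to do
        }
        return new TokenRequestContext(
            new[] { CosmosScope },
            ctx.ParentRequestId,
            ctx.Claims,
            ctx.TenantId);
    }

    // Sync path (used by the Tables client for synchronous operations)
    public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
        => _inner.GetToken(Rewrite(requestContext), cancellationToken);

    // Async path (used by the Tables client for GetEntityAsync and other async operations)
    public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
        => _inner.GetTokenAsync(Rewrite(requestContext), cancellationToken);
}

// Assumed minimal entity type; the issue only names MyTableEntity without defining it.
public class MyTableEntity : ITableEntity
{
    public string PartitionKey { get; set; }
    public string RowKey { get; set; }
    public DateTimeOffset? Timestamp { get; set; }
    public ETag ETag { get; set; }
}

public static class Program
{
    public static async Task Main()
    {
        // DefaultAzureCredential still does the real authentication (managed identity, CLI, etc.);
        // the wrapper only changes which audience is requested.
        var credential = new CosmosTableScopeCredential(new DefaultAzureCredential());

        var tableServiceClient = new TableServiceClient(
            new Uri("https://mycosmosdb.table.cosmos.azure.com"), credential);
        var tableClient = tableServiceClient.GetTableClient("myTable");

        try
        {
            Response<MyTableEntity> response = await tableClient.GetEntityAsync<MyTableEntity>("pk", "rk");
            Console.WriteLine($"Fetched {response.Value.PartitionKey}/{response.Value.RowKey}");
        }
        catch (RequestFailedException ex) when (ex.Status == 401 || ex.Status == 403)
        {
            // 401: audience still wrong; 403: audience right but the identity lacks the data-plane role.
            Console.WriteLine($"Auth failure {ex.Status}: {ex.Message}");
        }
    }
}
```

Keep the wrapper scoped to the Cosmos DB Tables client only; handing it to a client for a different service would mint tokens with the wrong audience for that service, which is exactly the class of error the 401 in this issue is guarding against.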

Reproduction Steps

Prerequisite: the user has the Cosmos DB Built-in Data Contributor role on the CosmosDb account (role id 00000000-0000-0000-0000-000000000002).

The following code block should execute correctly.

```csharp
var tableServiceClient = new TableServiceClient(new Uri("https://mycosmosdb.table.cosmos.azure.com"), new DefaultAzureCredential());
var tableClient = tableServiceClient.GetTableClient("myTable");
await tableClient.GetEntityAsync<MyTableEntity>("pk", "rk");
```

Environment

Ubuntu 24.04
.NET version 8.0.110

Jetbrains Rider 2024.3

@github-actions github-actions bot added the Client, customer-reported, needs-team-attention, question and Tables labels on Nov 26, 2024

@christothes @JonathanCrd

Thank you for your feedback. Tagging and routing to the team member best able to assist.
