
[help] - Using the Default Azure Credential to authenticate to CosmosDB #1593

Closed
andrewschmidgit opened this issue Jan 24, 2024 · 3 comments · Fixed by #1678

Comments

@andrewschmidgit

Hi!

I'm attempting to use the DefaultAzureCredential to authenticate to CosmosDB within an Azure function project. This is the error I am receiving when using the CosmosClient to perform a document patch ({cosmos-db-account-name} is the actual account name):

Multiple errors were encountered while attempting to authenticate:

environment credential - request token error - Server returned error response

IMDS timeout - operation timed out

az-cli - 'az account get-access-token' command failed: ERROR: AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://{cosmos-db-account-name}.documents.azure.com offline_access openid profile is not valid. The scope format is invalid. Scope must be in a valid URI form https://example/scope or a valid Guid <guid/scope>

Relevant Info

  • I am signed in to the appropriate subscription with the az cli
  • I have AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_SCOPE, and AZURE_CLIENT_SECRET set in my local.settings.json, and have confirmed my app has access to them
  • Primary Key authentication works just fine

Cargo.toml

[dependencies]
azure_data_cosmos = { version = "0.19", default-features = false, features = ["enable_reqwest_rustls", "hmac_rust"] }
azure_identity = { version = "0.19", default-features = false, features = ["enable_reqwest_rustls"] }
...

CosmosClient setup:

use std::error::Error;
use std::sync::Arc;
use azure_data_cosmos::prelude::*;
use azure_identity::DefaultAzureCredentialBuilder;

fn get_cosmos_client(config: &CosmosSettings) -> Result<CosmosClient, Box<dyn Error>> {
    // Credential chain (environment, IMDS, az cli) from azure_identity.
    let credential = DefaultAzureCredentialBuilder::new().build();
    // Use an AAD token instead of the account's primary key.
    let token = AuthorizationToken::TokenCredential(Arc::new(credential));
    let client = CosmosClientBuilder::new(config.account_name.clone(), token).build();
    Ok(client)
}

Any help would be greatly appreciated, and I'm happy to provide more info as needed

@andrewschmidgit
Author

andrewschmidgit commented Jan 26, 2024

This may be related to #1584, at least when this error appears when the function app is deployed

@johnbatty
Contributor

I suspect that this may be related to a recent change to TokenCredential such that it now expects a list of scopes as a parameter rather than a resource.
#1493

I think that the fix may be to add a /.default suffix to the scope generated here:
https://github.com/Azure/azure-sdk-for-rust/blob/main/sdk/data_cosmos/src/authorization_policy.rs#L193

@devigned
Member

I'm running into the same issue. As @johnbatty has mentioned, it is a malformed scope for the cosmos client. You can see the correctly formatted .default scope in the Azure SDK for Go. You can also verify this by authenticating with the scope via Azure CLI using: az login --scope https://${YOUR_ACCOUNT_NAME}.documents.azure.com/.default.

The current scope being passed is https://${YOUR_ACCOUNT_NAME}.documents.azure.com, which responds with the aforementioned error.

Related: fermyon/spin#2566
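The scope mismatch that johnbatty and devigned describe, as an added example that is not part of this issue or of azure-sdk-for-rust: a token request made with the bare resource URI `https://{account}.documents.azure.com` is rejected with an AADSTS70011-style error, while the same resource with the `/.default` suffix is accepted. The `ScopedTokenSource` trait, `MockTokenSource`, `ScopeError` and the helper function names are constructed for this illustration and stand in for the SDK's `TokenCredential`; the mock enforces only the URI-form rule quoted in the error message, and "myaccount" is a placeholder account name.

```rust
use std::fmt;

/// Error modelled on the AADSTS70011 message quoted in the issue (constructed).
#[derive(Debug, PartialEq)]
pub enum ScopeError {
    InvalidScope(String),
}

impl fmt::Display for ScopeError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            ScopeError::InvalidScope(msg) => write!(f, "AADSTS70011: {msg}"),
        }
    }
}

impl std::error::Error for ScopeError {}

/// Stand-in for a credential that takes a list of scopes, the shape the thread
/// says TokenCredential moved to in #1493. Hypothetical trait, not the SDK's.
pub trait ScopedTokenSource {
    fn get_token(&self, scopes: &[&str]) -> Result<String, ScopeError>;
}

/// A scope is acceptable to the mock when it is an https URI with a non-empty
/// path, e.g. "https://host/.default". This mirrors the rule stated in the
/// error text ("valid URI form https://example/scope"), nothing more.
pub fn is_valid_scope(scope: &str) -> bool {
    match scope.strip_prefix("https://") {
        Some(rest) => match rest.split_once('/') {
            Some((host, path)) => !host.is_empty() && !path.is_empty(),
            None => false,
        },
        None => false,
    }
}

/// Mock token source: rejects malformed scopes, otherwise returns a fake token
/// that records the scopes it was issued for.
pub struct MockTokenSource;

impl ScopedTokenSource for MockTokenSource {
    fn get_token(&self, scopes: &[&str]) -> Result<String, ScopeError> {
        for scope in scopes {
            if !is_valid_scope(scope) {
                return Err(ScopeError::InvalidScope(format!(
                    "The scope {scope} is not valid. The scope format is invalid."
                )));
            }
        }
        Ok(format!("token-for:{}", scopes.join(" ")))
    }
}

/// Resource URI for a Cosmos DB account, the value the thread reports the
/// client currently passes as a scope.
pub fn cosmos_resource(account_name: &str) -> String {
    format!("https://{account_name}.documents.azure.com")
}

/// Turn a resource URI into the scope form Azure AD expects by appending
/// "/.default" (idempotent, tolerates a trailing slash).
pub fn resource_to_scope(resource: &str) -> String {
    let trimmed = resource.trim_end_matches('/');
    if trimmed.ends_with("/.default") {
        trimmed.to_string()
    } else {
        format!("{trimmed}/.default")
    }
}

/// Before: request a token with the bare resource URI (fails as in the issue).
pub fn token_with_resource(source: &impl ScopedTokenSource, account_name: &str) -> Result<String, ScopeError> {
    let resource = cosmos_resource(account_name);
    source.get_token(&[resource.as_str()])
}

/// After: request a token with the "/.default" scope johnbatty proposes.
pub fn token_with_default_scope(source: &impl ScopedTokenSource, account_name: &str) -> Result<String, ScopeError> {
    let scope = resource_to_scope(&cosmos_resource(account_name));
    source.get_token(&[scope.as_str()])
}

fn main() {
    let source = MockTokenSource;
    // "myaccount" is a placeholder account name.
    match token_with_resource(&source, "myaccount") {
        Ok(t) => println!("unexpected success: {t}"),
        Err(e) => println!("bare resource rejected: {e}"),
    }
    match token_with_default_scope(&source, "myaccount") {
        Ok(t) => println!("/.default scope accepted: {t}"),
        Err(e) => println!("unexpected failure: {e}"),
    }
}
```

`resource_to_scope` is the one-line change the thread points at: the resource URI the policy already builds only needs the `/.default` suffix appended before it is handed to a scope-based `get_token`.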
