
[Eng]: Cosmos API throwing unauthorized Error #26952

Closed
Ashwad1996 opened this issue Jan 1, 2025 · 2 comments
Assignees
Labels
customer-reported DevOps needs-author-feedback More information is needed from author to address the issue. no-recent-activity There has been no recent activity on this issue. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Comments

@Ashwad1996

Description

Context:

I am trying to call the Cosmos DB GET API from an Azure PowerShell task within an Azure DevOps (ADO) build pipeline. To authenticate, I opted for a service connection using Workload Identity Federation (WIF).

Steps Taken:

  1. Created a service connection in Azure DevOps.
  2. Using the service connection's issuer and subject, I created a Federated Identity Credential in the Managed Identity (MSI) that has the required permissions on the Cosmos DB account.
  3. Executed a PowerShell script to call the GET REST API for Cosmos DB.

Issue:

I encountered the following error during execution:

{
  "code": "Unauthorized",
  "message": "Request blocked by Auth <cosmos db account>: Provided AAD token was issued by the authority [<Issuer of service connection>] which is not trusted by this database account. Please ensure the token has been issued by the AAD tenant(s) <TenantId of the cosmos db>."
}

This error occurs despite the MSI being in the same tenant as the Cosmos DB account.

Request for Help:

Resolution: What steps can I take to resolve this issue?
Alternate Approach: If this method isn’t feasible, is there an alternate approach for securely calling the Cosmos DB GET API from an ADO pipeline using Azure PowerShell?

Any guidance would be greatly appreciated!

@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Jan 1, 2025
@YanaXu
Contributor

YanaXu commented Jan 2, 2025

Hi @Ashwad1996,

Could you provide the whole content for Azure PowerShell task?
I'd like to know how you called the Cosmos DB GET API.

FYI, the Azure PowerShell task will log in with Azure PowerShell (with your provided Azure service connection). So, if you use any Azure PowerShell cmdlets, you don't need to run Connect-AzAccount manually. But if you use other tools to call the REST API directly, it's another thing. For example, if you use Invoke-RestMethod, you need to provide authorization in the request header. In that case, we suggest you use Invoke-AzRestMethod instead.
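An added example (not the issue author's script and not code from the azure-powershell project) of calling the Cosmos DB GET API from an Azure PowerShell task that is already signed in through the service connection, following the Invoke-AzRestMethod suggestion above. It checks the acquired token's tenant before sending it, since the error quoted in the issue is exactly what Cosmos DB returns when the token comes from an untrusted issuer. Account, resource group, subscription, database and tenant values are placeholders; public-cloud endpoints, PowerShell 7 (pwsh) and a current Az.Accounts module are assumed.

```powershell
# Runs inside an AzurePowerShell task that has already signed in with the WIF service
# connection, so no Connect-AzAccount is needed. All values below are placeholders.
param(
    [string]$AccountName      = '<cosmos-account>',
    [string]$ResourceGroup    = '<resource-group>',
    [string]$SubscriptionId   = '<subscription-id>',
    [string]$DatabaseName     = '<database>',
    [string]$ExpectedTenantId = '<tenant-id-of-the-cosmos-account>'
)

# Control plane (ARM): Invoke-AzRestMethod reuses the task's sign-in and attaches the
# ARM bearer token itself. api-version is an assumed stable version of Microsoft.DocumentDB.
$armPath = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
           "/providers/Microsoft.DocumentDB/databaseAccounts/$AccountName" +
           "?api-version=2023-04-15"
$arm = Invoke-AzRestMethod -Path $armPath -Method GET
if ($arm.StatusCode -ne 200) { throw "ARM GET failed: $($arm.StatusCode) $($arm.Content)" }
Write-Host "Account kind: $(($arm.Content | ConvertFrom-Json).kind)"

# Data plane: request an Entra ID token whose audience is the Cosmos account itself.
# This is the token Cosmos trusts, not the pipeline's federated (OIDC) token.
$resourceUrl = "https://$AccountName.documents.azure.com"
$tokenObj = Get-AzAccessToken -ResourceUrl $resourceUrl
# Newer Az.Accounts return the token as a SecureString; older ones as plain text.
$token = if ($tokenObj.Token -is [securestring]) {
    ConvertFrom-SecureString -SecureString $tokenObj.Token -AsPlainText
} else { $tokenObj.Token }

# Decode the JWT payload (no signature check; that is Cosmos DB's job) to confirm the
# tenant before the call, instead of learning it from an "authority ... not trusted" error.
function Get-JwtClaims([string]$Jwt) {
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    $payload += '=' * ((4 - $payload.Length % 4) % 4)
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}
$claims = Get-JwtClaims $token
if ($claims.tid -ne $ExpectedTenantId) {
    throw "Token tenant '$($claims.tid)' (issuer '$($claims.iss)') is not the Cosmos account tenant '$ExpectedTenantId'."
}

# Cosmos DB REST expects Entra tokens in its own Authorization format, URL-encoded.
$headers = @{
    'x-ms-version'  = '2018-12-31'
    'x-ms-date'     = [DateTime]::UtcNow.ToString('R')
    'Authorization' = [uri]::EscapeDataString("type=aad&ver=1.0&sig=$token")
}
$db = Invoke-RestMethod -Method GET -Uri "$resourceUrl/dbs/$DatabaseName" -Headers $headers
$db | ConvertTo-Json -Depth 5
```

The identity behind the service connection still needs a Cosmos DB data-plane role assignment (for example a built-in data reader role) on the account for the data-plane GET to succeed; the control-plane GET only needs ARM read access.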

@YanaXu YanaXu self-assigned this Jan 2, 2025
@isra-fel isra-fel added question The issue doesn't require a change to the product in order to be resolved. Most issues start as that needs-author-feedback More information is needed from author to address the issue. DevOps and removed Engineering needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Jan 9, 2025
@microsoft-github-policy-service microsoft-github-policy-service bot added the no-recent-activity There has been no recent activity on this issue. label Jan 16, 2025

Hi, we're sending this friendly reminder because we haven't heard back from you in a while. We need more information about this issue to help address it. Please be sure to give us your input within the next 7 days. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!
