Cosmos data plane RBAC aad authentication not working.

[obesser]

When signed in with a user that is only assigned a cosmos-db role as described here: https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac, the extension fails to display the databases that are scoped in the role assignments.

It logs the following:
Error: The client 'xxx' with object id 'xxx' does not have authorization to perform action 'Microsoft.DocumentDB/databaseAccounts/listKeys/action' over scope '/subscriptions/xxx' or the scope is invalid. If access was recently granted, please refresh your credentials.

Shouldn't the extension fail back to aad authentication when the listKeys action is failing?

[JasonYeMSFT]

The extension doesn't support Azure AD authentication at the moment. We have been asked to work on the adoption of Azure AD which means it might be supported sometime in the future.

[mdanylyuk]

Hello guys,
Is there any news about this extension?

[JasonYeMSFT]

@mdanlyuk The authentication module is currently broken and the known workaround requires users to install Azure CLI separately and login from there issue. I need to discuss with some other people to see if it is an acceptable user experience.

[sevoku]

I think this is now fixed via #2290, if listKeys fails or localAuth is disabled we'll fall back to Entra ID and show an error if that fails as well with instructions and an option to add proper role assignment if you're allowed to.