| author | mattchenderson |
|---|---|
| ms.service | azure-functions |
| ms.topic | include |
| ms.date | 10/19/2021 |
| ms.author | mahender |

Cosmos DB does not use Azure RBAC for data operations. Instead, it uses a Cosmos DB built-in RBAC system which is built on similar concepts. You will need to create a role assignment that provides access to your database account at runtime. Azure RBAC Management roles like Owner are not sufficient. The following table shows built-in roles that are recommended when using the Azure Cosmos DB extension in normal operation. Your application may require additional permissions based on the code you write.

| Binding type | Example built-in roles<sup>1</sup> |
|---|---|
| Trigger<sup>2</sup> | Cosmos DB Built-in Data Contributor |
| Input binding | Cosmos DB Built-in Data Reader |
| Output binding | Cosmos DB Built-in Data Contributor |

<sup>1</sup> These roles cannot be used in an Azure RBAC role assignment. See the Cosmos DB built-in RBAC system documentation for details on how to assign these roles.

<sup>2</sup> When using identity, Cosmos DB treats container creation as a management operation. It is not available as a data-plane operation for the trigger. You will need to ensure that you create the containers needed by the trigger (including the lease container) before setting up your function.
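
The following Azure CLI sketch is an added example, not part of the original include. It assigns the role from the table above to a function app's identity through the Cosmos DB built-in RBAC system and pre-creates the trigger's lease container. The function names, the `DRY_RUN` switch, and every resource name passed in are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: grant a function app's identity a Cosmos DB built-in
# data-plane role and pre-create the lease container the trigger needs.

# Built-in role definition IDs in the Cosmos DB data-plane RBAC system.
READER_ROLE_ID="00000000-0000-0000-0000-000000000001"       # Cosmos DB Built-in Data Reader
CONTRIBUTOR_ROLE_ID="00000000-0000-0000-0000-000000000002"  # Cosmos DB Built-in Data Contributor

# Map a binding type from the table to its recommended built-in role.
role_id_for_binding() {
  case "$1" in
    input)          echo "$READER_ROLE_ID" ;;
    trigger|output) echo "$CONTRIBUTOR_ROLE_ID" ;;
    *) echo "unknown binding type: $1" >&2; return 1 ;;
  esac
}

# Print the command when DRY_RUN is set (for review), otherwise execute it.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# assign_binding_role <resource-group> <account> <principal-id> <binding-type> [scope]
# scope defaults to the whole account ("/"); narrow it to /dbs/<db> or
# /dbs/<db>/colls/<container> to keep the identity least-privileged.
assign_binding_role() {
  local rg="$1" account="$2" principal="$3" binding="$4" scope="${5:-/}" role
  role="$(role_id_for_binding "$binding")" || return 1
  run az cosmosdb sql role assignment create \
    --resource-group "$rg" --account-name "$account" \
    --scope "$scope" --principal-id "$principal" \
    --role-definition-id "$role"
}

# create_lease_container <resource-group> <account> <database> [container-name]
# A management-plane call made by the deploying user, not by the function's
# identity. "leases" is an example name; use the one your trigger is configured
# with. Lease containers are partitioned by /id.
create_lease_container() {
  local rg="$1" account="$2" db="$3" name="${4:-leases}"
  run az cosmosdb sql container create \
    --resource-group "$rg" --account-name "$account" \
    --database-name "$db" --name "$name" --partition-key-path "/id"
}
```

Source the file, then call the functions with `DRY_RUN=1` first to review the exact commands before they change the account.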