Authorization fails for CosmosDB created over the portal #662

Closed
christian-vorhemus opened this issue Jan 21, 2019 · 5 comments

@christian-vorhemus
Member

Describe the bug
I cannot connect to my CosmosDB with the .NET SDK.

To Reproduce
I created a new CosmosDB resource over the portal with standard settings in West Europe.
Then, I run the following snippet:

DocumentClient client = new DocumentClient(new Uri("https://mycosmos.documents.azure.com:443/"), "gH9iZ5Zkr22DT0[...]r8xYnyQTMG69jKlc==");
Database database = await client.CreateDatabaseAsync(new Database { Id = "newdatabase" });

Second line throws an exception (see below).

Expected behavior
A database should be created without errors.

Actual behavior
The exception "Unable to proceed with the request. Please check the authorization claims to ensure the required permissions to process the request" is thrown. (Note: This happens with all methods (CreateDocumentQuery, DeleteDocumentAsync, etc.))

Environment summary
SDK Version: Microsoft.Azure.DocumentDB.Core 2.2.1
OS Version: Windows 10.0.17763.253

Additional context
Potentially, this is not a bug of the .NET SDK itself. I noticed, when I create a new CosmosDB resource with the Azure CLI...

az cosmosdb create --name "mycosmos" -g "mygroup"

...everything works.

@mbhaskar
Member

@christian-vorhemus Thanks for your query. To get the created CosmosDB resource over the portal working, you can go to "Firewall and virtual networks" and check "Allow access from" to "All networks". Let us know if this works.

@christian-vorhemus
Member Author

Indeed, this was the issue!
Is this new? Can't remember setting these settings when creating CosmosDBs some months ago.

Thanks for the clarification, can be closed!

@sarah026

sarah026 commented Jul 7, 2019

We have the same problem, we can't access cosmos DB from the portal, although we have "Allow access from Azure Portal" already selected. I've whitelisted Germany's IP address (51.4.229.218) since it's missing from the default IPs added when this checkbox is selected. But still that's failing.

We only need access from our VNet and therefore selecting "Allow access from All networks" is not an option.

How do we proceed? In fact, why is this failing?

{"description":"Unable to proceed with the request. Please check the authorization claims to ensure the required permissions to process the request.\r\nActivityId: 48169ef17, Microsoft.Azure.Documents.Common/2.4.0.0","code":403,"body":{"code":"Forbidden","message":"Unable to proceed with the request. Please check the authorization claims to ensure the required permissions to process the request.\r\nActivityId: 483ca29ef17, Microsoft.Azure.Documents.Common/2.4.0.0"},"headers":{"content-type":"application/json","content-location":"":0},

@juergen0815

juergen0815 commented Jan 10, 2020

Same error. This happens right after CreateContainerIfNotExistsAsync() and I try to container.UpsertItemAsync() a document:
Error importing record CurrencyCode id a84abd98-21be-4c21-8425-2f485590074e: One or more errors occurred. (Response status code does not indicate success: 403 Substatus: 0 Reason: (Message: {"Errors":["Request is blocked. Please check your authorization token and Cosmos DB account firewall settings."]}ActivityId: a62906e2-b1bc-46dd-a54d-6d3820d2c267, Request URI: /apps/ab87653d-058f-4c01-8190-8fe4cf93246c/services/8713a2ae-7b42-4342-9990-9e01358d740f/partitions/8a6ce653-48ee-4c61-9bb1-7893c2b48d8b/replicas/132231198031646050p/, RequestStats: RequestStartTime: 2020-01-10T17:15:58.9855161Z, RequestEndTime: 2020-01-10T17:15:59.4045831Z, Number of regions attempted:1ResponseTime: 2020-01-10T17:15:59.4045831Z, StoreResult: StorePhysicalAddress: rntbd://cdb-ms-prod-westus1-fd36.documents.azure.com:14062/apps/ab87653d-058f-4c01-8190-8fe4cf93246c/services/8713a2ae-7b42-4342-9990-9e01358d740f/partitions/8a6ce653-48ee-4c61-9bb1-7893c2b48d8b/replicas/132231198031646050p/, LSN: 1, GlobalCommittedLsn: 1, PartitionKeyRangeId: , IsValid: True, StatusCode: 403, SubStatusCode: 0, RequestCharge: 0, ItemLSN: -1, SessionToken: -1#1, UsingLocalLSN: False, TransportException: null, ResourceType: Document, OperationType: UpsertAddressResolution - StartTime: 2020-01-10T17:15:59.0920780Z, EndTime: 2020-01-10T17:15:59.1180622Z, TargetEndpoint: https://us1-db-cosmos-dev-westus.documents.azure.com//addresses/?$resolveFor=dbs%2fhXhJAA%3d%3d%2fcolls%2fhXhJAN5s1KY%3d%2fdocs&$filter=protocol eq rntbd&$partitionKeyRangeIds=0, SDK: Windows/10.0.18362 cosmos-netstandard-sdk/3.4.1).)

Works fine after a while. Is there a timeout after creating a container until I can insert records? Can I query that container? Firewall and all is configured correctly and it does work after a while.

@shayanc

shayanc commented Jun 8, 2020

I had the same issue. Whitelisted my IP and also tried changing to "Allow access from All networks". Turns out, there is some form of a timeout/delay until the changes are propagated. I had to wait like 15 minutes for my changes to take effect.
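
An added example (not code from the SDK or from any participant in this thread) for triaging the 403s reported above: it checks whether a client's public IP is covered by the account's network rules and accounts for the propagation wait mentioned in the last comment. Assumptions: the field names `publicNetworkAccess`, `isVirtualNetworkFilterEnabled` and `ipRules`/`ipAddressOrRange` follow the JSON that `az cosmosdb show` prints in current CLI versions, the function names are hypothetical, and the sample account and IPs are constructed.

```python
import ipaddress

# Constructed sample shaped like `az cosmosdb show` JSON output (field names assumed).
SAMPLE_ACCOUNT = {
    "publicNetworkAccess": "Enabled",
    "isVirtualNetworkFilterEnabled": False,
    "ipRules": [
        {"ipAddressOrRange": "203.0.113.0/24"},
        {"ipAddressOrRange": "198.51.100.7"},
    ],
}

# Wait reported by one commenter in this thread, not a documented guarantee.
PROPAGATION_MINUTES = 15


def ip_allowed(account, client_ip):
    """True if the account's network settings would admit this public client IP."""
    if account.get("publicNetworkAccess") == "Disabled":
        return False
    rules = account.get("ipRules") or []
    if not rules:
        # No IP rules: open to all networks unless a VNet filter is enabled,
        # in which case only the listed subnets are admitted.
        return not account.get("isVirtualNetworkFilterEnabled", False)
    addr = ipaddress.ip_address(client_ip)
    # Each rule is a single address or a CIDR range.
    return any(
        addr in ipaddress.ip_network(rule["ipAddressOrRange"], strict=False)
        for rule in rules
    )


def triage_403(account, client_ip, minutes_since_rule_change):
    """Suggest where to look first for a 403 like the ones quoted in this thread."""
    if not ip_allowed(account, client_ip):
        return "blocked: client IP is not covered by the account firewall rules"
    if minutes_since_rule_change < PROPAGATION_MINUTES:
        return "pending: rules cover the IP but may not have propagated yet"
    return "not-firewall: check the key or token used by the client"


if __name__ == "__main__":
    print(triage_403(SAMPLE_ACCOUNT, "192.0.2.1", 60))
    print(triage_403(SAMPLE_ACCOUNT, "198.51.100.7", 5))
```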
