[BUG] The provided data action string [Microsoft.DocumentDB/databaseAccounts/sqlDatabases/write] does not correspond to any valid SQL data action

[puneetpawaia]

Describe the bug
Unable to complete the installation as I get the following error
The provided data action string [Microsoft.DocumentDB/databaseAccounts/sqlDatabases/write] does not correspond to any valid SQL data action
Please note that I have Subscription Ownership and have also setup the RBAC permission as suggested in the documentation

To Reproduce
Steps to reproduce the behavior:

1. Download the main branch code
2. Create a dev container for this repository. I did this using Jetbrains Pycharm and Docker
3. Set the deployment paramers in the JSON file
4. Run the deployment as suggested in the documentation

Expected behavior
Successful installation

Screenshots
Permissions for my account on the subscription

Permissions for my account on the resource group

Error Message
{"code":"DeploymentFailed","target":"/subscriptions//resourceGroups/rg_graphrag/providers/Microsoft.Resources/deployments/aks-workload-identity-rbac-assignments","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"BadRequest","target":"/subscriptions//resourceGroups/rg_graphrag/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-sccgraphrag/sqlRoleDefinitions/","message":"The provided data action string [Microsoft.DocumentDB/databaseAccounts/sqlDatabases/write] does not correspond to any valid SQL data action.\r\nActivityId: , Microsoft.Azure.Documents.Common/2.14.0"}]}

Desktop (please complete the following information):

• OS: Windows 11
• Docker Container Dev

I have been trying to run the setup for almost a month now with no success. Any help would be most appreciated.

[masaleiro]

I confirm that I am also facing this issue. The only difference from my procedure is that I did not setup a dev container. But the error is the same

[naifla]

Is there any update? me facing the similar problem. And how to handle it ?
Do i need to delete all and recreate or just creating manual ?

[masaleiro]

By removing the line 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/write' on the infra/core/rbac/workload-identity-rbac.bicep file I was able to make the setup continue.

It progressed to the point of checking for the graphrag API but then failed because the API was unnacessible. Maybe you can try the same thing and see if you can get further.

[ekenheim]

Just wanting to add, I'm also seeing this issue and it's halting my deployment.
@puneetpawaia did you manage to progress?

[RichardHallgren]

By removing the line 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/write' on the infra/core/rbac/workload-identity-rbac.bicep file I was able to make the setup continue.

It progressed to the point of checking for the graphrag API but then failed because the API was unnacessible. Maybe you can try the same thing and see if you can get further.

I have the same issue with API being unaccessible. Haven't found a way around it yet either.

[RichardHallgren]

I checked the logs for the pod (graphrag-master) and it seems like there is an issue with creating the cosmos database after removing the line above (maybe not so surprising).

Message: Request blocked by Auth cosmos-fv...y : The given request [POST /dbs] cannot be authorized by AAD token in data plane. Learn more: https://aka.ms/cosmos-native-rbac.

[ekenheim]

Saw the same in the pod that is crashing.
Reviewed : https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/databases
To look at the write permission that seems to be the issue - also reviewed cosmosdb git repo to see if I could learn anything about the write permission but it does not seem to be used there https://github.com/AzureCosmosDB/cosmosdb-nosql-copilot/blob/5c9cd6d950f5223b5598fb288a14f35e1bb3a8c6/infra/app/security.bicep#L24-L26

I'm unsure how to proceed - tried granting the user permissions manually via the az CLI but didn't progress there

[RichardHallgren]

I managed to get it working by:

1. Remove 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/write' on the infra/core/rbac/workload-identity-rbac.bicep file
2. In the GraphRAG API app main.py-file remove the intialize_cosmosdb_setup() (to prevent it from trying to create the CosmosDB database and containers.
3. Add the creation of the CosmosDB container and database to the biceps file for the CosmosDB:

`resource cosmosDbDatabase 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases@2024-11-15' = {
name: '${cosmosDb.name}/graphrag'
properties: {
resource: {
id: 'graphrag'
}
}
}

resource cosmosDbContainerJobs 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers@2024-11-15' = {
name: '${cosmosDbDatabase.name}/jobs'
properties: {
resource: {
id: 'jobs'
partitionKey: {
paths: ['/id']
kind: 'Hash'
}
}
options: {
throughput: 1000
}
}
}

resource cosmosDbContainerStore 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers@2024-11-15' = {
name: '${cosmosDbDatabase.name}/container-store'
properties: {
resource: {
id: 'container-store'
partitionKey: {
paths: ['/id']
kind: 'Hash'
}
}
options: {
throughput: 1000
}
}
}`

[ekenheim]

Great job @RichardHallgren - worked for me aswell

[naifla]

Great job @RichardHallgren . Thanks it works.

Still in the next command got some error related to default resource group not set .
For example :

Deploying docker image 'graphrag:backend' to container registry 'xxxx.azurecr.io'...
(ResourceGroupNotFound) Resource group 'mslearn' could not be found.
Code: ResourceGroupNotFound
Message: Resource group 'mslearn' could not be found.

Add this line after loading params and it will work

....
checkRequiredTools
populateParams $PARAMS_FILE

az configure --defaults group=$RESOURCE_GROUP
...

[smallangi]

Great job @RichardHallgren!!! . The instructions you provided worked for me too!!