1# Cosmos DB Recipe
2 
3Cosmos DB change feed trigger with managed identity authentication.
4 
5## Template Selection
6 
7Resource filter: `cosmos`  
8Discover templates via MCP or CDN manifest where `resource == "cosmos"` and `language` matches user request.
9 
10## Troubleshooting
11 
12### "Forbidden" on Data Operations
13 
14**Cause:** Cosmos DB uses **two separate RBAC systems** — Azure RBAC (control plane) and Cosmos SQL RBAC via `sqlRoleAssignments` (data plane). The MCP template configures both, but if the SQL role assignment is missing, data reads/writes will fail even if Azure RBAC is correctly assigned.
15 
16**Solution:** Verify the `sqlRoleAssignments` resource exists in the Bicep/Terraform output. Check the function app has the `Cosmos DB Built-in Data Contributor` SQL role.
17 
18### UAMI Connection Issues
19 
20**Cause:** Missing managed identity credential settings.  
21**Solution:** Ensure all three settings are present in app configuration:
22 
23- `COSMOS_CONNECTION__accountEndpoint`
24- `COSMOS_CONNECTION__credential` (value: `managedidentity`)
25- `COSMOS_CONNECTION__clientId`
26 
27See [Cosmos DB trigger connections](https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-cosmosdb-v2-trigger#connections) for identity-based config — refer to the **"Connections"** section on that page for managed identity app settings.
28 
29## Eval
30 
31| Path | Description |
32|------|-------------|
33| [eval/summary.md](eval/summary.md) | Evaluation summary |
34| [eval/python.md](eval/python.md) | Python evaluation results |
35| [eval/typescript.md](eval/typescript.md) | TypeScript evaluation results |
36