How can I view CosmosDB connection string keys in the Azure portal?

When the Keys (connection strings) are greyed out in the Cosmos DB Azure portal, it usually means that the account doesn't have sufficient permissions to view or regenerate them. In Azure Cosmos DB, the ability to list keys is controlled by the permission "Microsoft.DocumentDB/databaseAccounts/listKeys/action". This permission is typically granted with roles such as Owner or Contributor.

What to check/do:

• Verify the Role Assignment:
  Ensure that the user account is not assigned a role with read-only permission (like the built-in Reader role), as this role does not include the permission to list the keys.

• Assign the Correct Role:
  If the account only has read access, ask your subscription or resource group administrator to assign a role that includes the necessary permission. Typically, using the Owner or Contributor roles will resolve the issue. Alternatively, a custom role that includes "Microsoft.DocumentDB/databaseAccounts/listKeys/action" can be created and assigned.

Example using Azure CLI:

If you need to assign a role via the Azure CLI, for instance, the Contributor role, you can use a command like this:

BASHCopied
# Replace with your subscription, resource group and account details
az role assignment create \
  --assignee <user-object-id> \
  --role "Contributor" \
  --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.DocumentDB/databaseAccounts/<cosmosdb-account-name>

After the correct permissions are in place, refresh the Azure portal, and the keys should become visible.

Let me know if you need additional details!