When assigning the Cosmos DB Built-in Data Reader role with the scope at the container level, our ChangeFeedHandler fails.
There is no issue when the scope is changed to be at the database level.
The error we receive when assigning a scope of the container:
Microsoft.Azure.Cosmos.CosmosException :
Response status code does not indicate success: Forbidden (403); Substatus: 5301;
Request is blocked because principal [<MyTenant>] does not have the required RBAC permissions to perform action [Microsoft.DocumentDB\/databaseAccounts\/readMetadata] with OperationType [2] and ResourceType [0] on resource [dbs\/<MyDatabase>]
Is it expected that a changeFeedHandler looking at one particular container requires permissions to read metadata of the database?
Is there a way to restrict the scope to just the container?
To Reproduce
Assign the data read role with a scope of the container that the ChangeFeedHandler is watching.
Expected behavior
Have the ability to assign a data reader role to just a container.
Actual behavior
Provide a description of the actual behavior observed.
App service crashes with error described above.
Environment summary
SDK Version: 3.31.2
OS Version (e.g. Windows, Linux, MacOSX) AppService (Windows)
The Change Feed Processor, on the current released version, performs a Database Read operation to obtain certain information. This is expected and by design on the current released version.
#3566 removed this Database Read call to enable a different scenario (Resource Tokens), so it would resolve this Issue once released.
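An added example, not part of the issue thread or the SDK: a small triage helper that parses a substatus 5301 message like the one reported above and checks whether a data-plane role assignment scope covers the denied resource. It assumes scopes are written relative to the account (`/`, `/dbs/<db>`, `/dbs/<db>/colls/<container>`) and that an assignment applies to resources at or below its scope; the function names and the sample message values are constructed for illustration.

```python
import re

# Matches the denial text quoted in the issue. The message arrives with
# JSON-escaped slashes ("\/"), which are normalised before matching.
DENIED = re.compile(
    r"does not have the required RBAC permissions to perform action "
    r"\[(?P<action>[^\]]+)\].*? on resource \[(?P<resource>[^\]]+)\]"
)

def parse_denial(message):
    """Return (action, resource_path) from a 5301 message, or None."""
    m = DENIED.search(message.replace("\\/", "/"))
    if not m:
        return None
    return m.group("action"), "/" + m.group("resource").strip("/")

def scope_covers(scope, resource):
    """True when the resource sits at or below the assignment scope.

    Assumption: account-relative paths, compared segment by segment.
    """
    s = [p for p in scope.split("/") if p]
    r = [p for p in resource.split("/") if p]
    return r[:len(s)] == s

def explain(message, assignment_scope):
    """Say whether the denial is a scope gap or something else."""
    parsed = parse_denial(message)
    if parsed is None:
        return "not an RBAC denial"
    action, resource = parsed
    if scope_covers(assignment_scope, resource):
        return f"{action} on {resource} is inside {assignment_scope}; check the role's actions"
    return f"{action} on {resource} is outside {assignment_scope}"

# Constructed sample: same shape as the reported error, placeholder names.
SAMPLE = (
    r"Request is blocked because principal [constructed-principal] does not "
    r"have the required RBAC permissions to perform action "
    r"[Microsoft.DocumentDB\/databaseAccounts\/readMetadata] with "
    r"OperationType [2] and ResourceType [0] on resource [dbs\/orders-db]"
)

if __name__ == "__main__":
    print(explain(SAMPLE, "/dbs/orders-db/colls/events"))  # container scope
    print(explain(SAMPLE, "/dbs/orders-db"))               # database scope
```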