Create a new role (Cosmos DB has its own data-plane roles, separate from Azure RBAC roles).
This one grants full data access:
New-AzCosmosDBSqlRoleDefinition -AccountName aircontdb -ResourceGroupName aircontfullstack `
    -Type CustomRole -RoleName MyReadWriteRole -AssignableScope "/" `
    -DataAction @(
        'Microsoft.DocumentDB/databaseAccounts/readMetadata',
        'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*',
        'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*'
    )
For development (using PowerShell):
Find your object ID:
Azure portal -> Microsoft Entra ID -> Admin -> Users -> (your user) -> Properties -> Object ID
Set the variables:
$resourceGroupName = "aircontfullstack"
$accountName = "aircontdb"
# Id of the role definition returned by New-AzCosmosDBSqlRoleDefinition above
$roleDefinitionId = "/subscriptions/028c155e-3493-4da4-b50e-309b4cd1aaca/resourceGroups/aircontfullstack/providers/Microsoft.DocumentDB/databaseAccounts/aircontdb/sqlRoleDefinitions/6514e4c8-eef0-46bc-a696-d2557742edd0"
# For service principals, use the Object ID shown in the Enterprise applications section of the Microsoft Entra ID portal blade.
$principalId = "your-obj-id"
Assign the created role to your object ID:
New-AzCosmosDBSqlRoleAssignment -AccountName $accountName -ResourceGroupName $resourceGroupName `
    -RoleDefinitionId $roleDefinitionId -Scope "/" -PrincipalId $principalId
For production (using PowerShell):
Use a system-assigned managed identity on the app.
The only change is the PrincipalId: use the object ID of that managed identity instead of your user.
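The same steps as one script, as an added example (not part of the original notes): it creates the role only if it does not already exist, resolves the principal ID from Azure instead of copying it out of the portal (the signed-in user for dev, the App Service's system-assigned identity for prod), assigns the role at container scope rather than the whole account, and lists the resulting assignments so any account-wide grants stand out. The database, container and App Service names are placeholders; the role name, account and resource group are the ones used above.

```powershell
# Added example, not the original notes' code. Placeholders: <your-database>, <your-container>,
# <your-app-service>. Requires the Az.CosmosDB, Az.Resources and Az.Websites modules and a Connect-AzAccount session.
param(
    [ValidateSet('dev', 'prod')] [string] $Target = 'dev',
    [string] $ResourceGroupName = 'aircontfullstack',
    [string] $AccountName       = 'aircontdb',
    [string] $RoleName          = 'MyReadWriteRole',
    [string] $DatabaseName      = '<your-database>',     # placeholder
    [string] $ContainerName     = '<your-container>',    # placeholder
    [string] $WebAppName        = '<your-app-service>'   # placeholder, only used for -Target prod
)

# 1. Create the role definition once; New-AzCosmosDBSqlRoleDefinition errors on a duplicate name.
$roleDef = Get-AzCosmosDBSqlRoleDefinition -AccountName $AccountName -ResourceGroupName $ResourceGroupName |
    Where-Object { $_.RoleName -eq $RoleName }
if (-not $roleDef) {
    $roleDef = New-AzCosmosDBSqlRoleDefinition -AccountName $AccountName -ResourceGroupName $ResourceGroupName `
        -Type CustomRole -RoleName $RoleName -AssignableScope '/' `
        -DataAction @(
            'Microsoft.DocumentDB/databaseAccounts/readMetadata',
            'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*',
            'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*'
        )
}

# 2. Resolve the principal (object) ID from Azure rather than pasting it from the portal.
$principalId = switch ($Target) {
    'dev'  { (Get-AzADUser -SignedIn).Id }   # the developer running this script
    'prod' { (Get-AzWebApp -ResourceGroupName $ResourceGroupName -Name $WebAppName).Identity.PrincipalId }
}
if (-not $principalId) {
    throw "Could not resolve a principal ID for target '$Target' (for prod, is the system-assigned identity enabled?)."
}

# 3. Assign at container scope. The cmdlet's shorthand scope form is /dbs/<database>/colls/<container>;
#    '/' would grant the role on every database and container in the account.
$scope = "/dbs/$DatabaseName/colls/$ContainerName"
New-AzCosmosDBSqlRoleAssignment -AccountName $AccountName -ResourceGroupName $ResourceGroupName `
    -RoleDefinitionId $roleDef.Id -Scope $scope -PrincipalId $principalId | Out-Null

# 4. Verify: every data-plane assignment on the account, so account-wide ('/') grants are easy to spot.
Get-AzCosmosDBSqlRoleAssignment -AccountName $AccountName -ResourceGroupName $ResourceGroupName |
    Select-Object PrincipalId, Scope, RoleDefinitionId | Format-Table -AutoSize
```

Run it as `.\assign-cosmos-role.ps1 -Target dev` on a workstation and `-Target prod -WebAppName <your-app-service>` from the deployment pipeline. The three data actions above are the same set the built-in Cosmos DB Data Contributor role carries, so the custom role is only worth keeping if you intend to trim that list; narrowing the assignment scope to one container is the cheaper least-privilege win either way.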