Azure RBAC permission to write Cosmos DB index policy but not create container

Is it possible to create an Azure RBAC custom role that

  • has permission to write a Cosmos DB container's indexing policy
  • but is not allowed to create new containers?

It seems that the permission for writing the indexing policy is

Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/write

which is also sufficient for creating new containers (which is much more dangerous because it affects billing).

Best answer, by GeethaThatipatri-MSFT:

No, this is not supported today. Note that there can be a billing impact from changing indexing policy as well, for example if the container throughput is provisioned as auto-scale and the indexing policy is modified in such a way that certain queries no longer run efficiently, thereby increasing the normalized RU utilization on the container and therefore the bill.
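An added audit example, not part of the original question or answer: because the one action named in the question covers both updating and creating a container, every role that can write an indexing policy can also create containers, so this lists the role definitions that grant it with wildcards and `notActions` applied. The JSON shape is assumed to follow `az role definition list` output, and the sample roles and their names are constructed.

```python
import re

# Action named in the question: it covers both creating a container and
# updating an existing one (including its indexing policy).
CONTAINER_WRITE = "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/write"

def _matches(pattern, action):
    """Azure RBAC action pattern: case-insensitive, '*' matches any run of characters."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None

def grants(role, action=CONTAINER_WRITE):
    """True if a permission block lists the action in actions and not in notActions."""
    for perm in role.get("permissions", []):
        allowed = any(_matches(p, action) for p in perm.get("actions", []))
        excluded = any(_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not excluded:
            return True
    return False

def roles_that_can_create_containers(roles):
    """Names of roles whose holders can create containers (and edit index policy)."""
    return [r["roleName"] for r in roles if grants(r)]

# Constructed sample role definitions (hypothetical names).
SAMPLE_ROLES = [
    {"roleName": "Index Policy Editor", "permissions": [{
        "actions": [
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read",
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/write"],
        "notActions": []}]},
    {"roleName": "Cosmos Read Only", "permissions": [{
        "actions": ["Microsoft.DocumentDB/databaseAccounts/*/read"],
        "notActions": []}]},
    {"roleName": "Cosmos Admin Minus Containers", "permissions": [{
        "actions": ["Microsoft.DocumentDB/databaseAccounts/*"],
        "notActions": [CONTAINER_WRITE]}]},
    {"roleName": "DocumentDB Wildcard", "permissions": [{
        "actions": ["microsoft.documentdb/*"],
        "notActions": []}]},
]

if __name__ == "__main__":
    for name in roles_that_can_create_containers(SAMPLE_ROLES):
        print(f"{name}: can write index policy AND create containers")
```
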