Why don't credentials used by an Azure Function running locally work even if the same credentials work in the Azure Portal? - azure

An Azure Function run locally from Visual Studio is not authorized to read a document from Cosmos DB using my credentials. However, I'm able to read and write documents using the Azure Portal. Now, if I add the role to my principal, the function runs locally successfully. Why?
Forbidden (403); Reason: (Request blocked by Auth
cosmos-pocif-dev-wus2-1 : Request is blocked because principal
[4eaac860-308b-4a42-b70e-f727181e69d8] does not have required RBAC
permissions to perform action
[Microsoft.DocumentDB/databaseAccounts/readMetadata] on resource.

I found a recently reported issue in the MS Q&A Azure Cosmos DB tagged forum with the same error while reading from and writing data to the Cosmos database - #802755 - but your source is Azure Functions, whereas there the user's source is ADF.
ErrorMessage: Request blocked by AuthcosmosDB: Request is because principal [xyzx-abcd-xxx] does not have required RBAC permissions to perform action.
An MSFT user, #PradeepCheekatla-MSFT, explained that the error is caused by insufficient RBAC permissions on [Microsoft.DocumentDB/databaseAccounts/readMetadata], which requires service-principal-level access, and gave the resolution: assign the service principal the Cosmos DB data roles such as Reader and Contributor.
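The fix the answer describes, assigning a Cosmos DB data-plane role to the principal named in the 403, as an added example that is not part of the original thread (the resource group name, the read/write mapping and the dry-run wrapper are assumptions; the role definition ids are the documented built-in ones):

```shell
#!/bin/sh
# Added example (not from the original post). The account and principal object
# id come from the 403 text; the resource group is a labelled placeholder.
set -eu

# Cosmos DB for NoSQL built-in data-plane role definition ids. Both include the
# action named in the 403, Microsoft.DocumentDB/databaseAccounts/readMetadata.
COSMOS_DATA_READER="00000000-0000-0000-0000-000000000001"
COSMOS_DATA_CONTRIBUTOR="00000000-0000-0000-0000-000000000002"

# Map the access the Function needs to the least-privileged built-in role.
# $1: "read" or "write". Prints the role definition id; returns 1 on bad input.
required_role_id() {
  case "$1" in
    read)  echo "$COSMOS_DATA_READER" ;;
    write) echo "$COSMOS_DATA_CONTRIBUTOR" ;;
    *) echo "required_role_id: expected read|write, got '$1'" >&2; return 1 ;;
  esac
}

# Build the az CLI call that creates the data-plane role assignment at account
# scope ("/"). A control-plane role (e.g. Contributor on the account) does not
# satisfy the readMetadata check; it has to be a Cosmos DB SQL role assignment.
# $1 account, $2 resource group, $3 principal object id, $4 read|write
build_assignment_cmd() {
  _role=$(required_role_id "$4")
  printf 'az cosmosdb sql role assignment create --account-name %s --resource-group %s --scope / --principal-id %s --role-definition-id %s' \
    "$1" "$2" "$3" "$_role"
}

# Build the verification query: lists the data-plane role definition ids held
# by the principal, so the assignment can be confirmed before re-running locally.
# $1 account, $2 resource group, $3 principal object id
build_verify_cmd() {
  printf "az cosmosdb sql role assignment list --account-name %s --resource-group %s --query \"[?principalId=='%s'].roleDefinitionId\" -o tsv" \
    "$1" "$2" "$3"
}

# Dry run by default: print the commands for review; set APPLY=1 to execute them.
ACCOUNT="cosmos-pocif-dev-wus2-1"                 # from the 403 message
RG="rg-placeholder"                               # placeholder: resource group
PRINCIPAL="4eaac860-308b-4a42-b70e-f727181e69d8"  # from the 403 message
for cmd in "$(build_assignment_cmd "$ACCOUNT" "$RG" "$PRINCIPAL" read)" \
           "$(build_verify_cmd "$ACCOUNT" "$RG" "$PRINCIPAL")"; do
  if [ "${APPLY:-0}" = 1 ]; then eval "$cmd"; else echo "$cmd"; fi
done
```

The portal's Data Explorer reads and writes through the account keys, which a control-plane role exposes, while the SDK running locally with an Azure AD credential is checked against data-plane RBAC, which is why the same person can succeed in the portal and still get this 403 from the Function.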

Related

Failed to access the Azure Dedicated SQL pool with the given credentials

Our organization has an Azure Synapse Dedicated Pool instance. I am trying to register the Azure Synapse Dedicated Pool with Azure Purview and want to scan the Synapse DB. However, I get the following error every time:
“Failed to access the Azure Dedicated SQL pool with the given credentials”
Following is the process I followed to register the data source:
I opened “Purview Studio”.
There I created a “Collection”.
Then I went to “Register Sources”.
Then I searched for “Azure Synapse Dedicated Pool”.
Then I selected the subscription where my Azure Synapse Dedicated Pool is present.
Then I registered my data source.
Now I am trying to create a new scan for my Synapse Dedicated Pool.
The problem starts here. First of all I selected the subscription, then the resource group, and then the Synapse DB name. I tried two authentication methods to authenticate to my Synapse instance: the first is the Purview MSI account and the second is SQL authentication. I added my Purview MSI account as a user in the Synapse Dedicated Pool using the following command:
CREATE USER [PurviewAccountName] FROM EXTERNAL PROVIDER
GO
EXEC sp_addrolemember 'db_datareader', [PurviewAccountName]
GO
Now I tried to test the connection, but it is not working and gives me the following error:
“Failed to access the Azure Dedicated SQL pool with Purview MSI account”
My Azure Synapse Dedicated Pool instance is not publicly accessible; we have put it behind a private link. I can connect to my Azure Synapse instance using VPN connectivity on my machine and log in through SSMS and Azure Data Studio.
I also tried SQL authentication using a SQL username and password that are kept in Key Vault. I have checked it multiple times and I am confident I have configured it correctly. But still, when I try to test the connection, it shows the following error:
“Failed to access the Azure Dedicated SQL pool with the given credentials”
Somewhere I read that I need a self-hosted integration runtime if the Azure Synapse instance is behind a private link.
So I installed the integration runtime on my machine, configured it and tested the Synapse connection with SQL authentication while connected to the VPN. The self-hosted IR was configured successfully. I tested with both IRs, the Azure IR and the self-hosted IR. But no luck, I am getting the same error.
I have also added the Purview MSI account to the access policy in Key Vault and granted GET and List permissions on keys and secrets.
However, I don't understand what I am missing here and why it is giving me the same error.
Any help on this would really mean a lot to me.
CREATE USER [PurviewAccountName] FROM EXTERNAL PROVIDER
GO
EXEC sp_addrolemember 'db_datareader', [PurviewAccountName]
GO
According to the official Microsoft documentation, to execute the above command one must be an Azure Synapse Administrator in the workspace. It is also required that your Purview account name has the Reader role, which can be set from Access Control (IAM) under the Azure Synapse Workspace resource.
To create SQL pools, Apache Spark pools and integration runtimes, users must have at least the Azure Contributor role in the workspace. The Contributor role also allows these users to manage the resources, including pausing and scaling. If you're using the Azure Portal or Synapse Studio to create SQL pools, Apache Spark pools and integration runtimes, then you need the Azure Contributor role at the resource group level.
To grant access to a dedicated SQL pool database, the scripts can be run by the workspace creator or any member of the workspace1_SynapseAdministrators group.
Follow the below steps in the Azure Synapse SQL script editor:
Create the user in the database by running the following command on the target database, selected using the Connect to dropdown:
CREATE USER [<alias@domain.com>] FROM EXTERNAL PROVIDER;
Grant the user a role to access the database:
EXEC sp_addrolemember 'db_owner', '<alias@domain.com>'

Using Azure SQL Migration extension on Azure Data Studio

I have connected my Azure account in Data Studio and I am using the Azure SQL migration extension (v0.1.12) to migrate on-prem SQL to Azure Managed Instance.
However, my subscription details are not being fetched.
When I manually add the Azure subscription details, I get the following error:
The issue seems to be an access-level issue.
Below are the types of access you need in order to create an Azure Migrate appliance project:
Contributor or Owner permissions in the Azure subscription.
Permissions to register Azure Active Directory (Azure AD) apps.
Owner or Contributor and User Access Administrator permissions in the Azure subscription to create an instance of Azure Key Vault, which is used during agentless server migration.
Below are the steps to set Contributor or Owner permissions:
From the Azure Subscriptions panel, select the subscription.
Go to Access Control (IAM) and select Add role assignment.
Assign the following roles.
For complete information, check the Microsoft documentation on providing access.

Azure Unable to create ARM Template

I am trying to create an ARM template in Azure to build VMs and Web Apps in preparation for the AZ204 exam.
However, I am running into an issue creating a template from a downloaded JSON file.
The error I am getting is:
The client 'Simon.Price#xxx' with object id 'f65d2b21-aa7e-4d5a-9ed3-xxxxx' does not have authorization to perform action 'Microsoft.Gallery/register/action' over scope '/providers/Microsoft.Gallery' or the scope is invalid. If access was recently granted, please refresh your credentials.
I have confirmed in Azure AD that my account is a Global Administrator, with the description
Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities.
which implies I should be able to do this.
What permissions am I missing?

Trying to scale Azure SQL DB using MSI: identity not authorised to perform action

I am creating my first function app using PowerShell in the Azure portal. It's just to scale a SQL DB. I have tried to use this tutorial as a guide:
MSI example
I turned on MSI for the function and configured the resource group, giving the Contributor role to the resource.
When I run the function within the portal, I get the message "doesn't have authorization to perform action". From this tutorial I believe this is all I had to do? I have waited over a day to see if it's a timing issue, following the example and this MS document on managed identities for App Service.
I don't believe I need to add any secret key for this to work?
Screenshots: function error message; setting the function MSI identity to on; setting the access control.
The service principal you are using doesn't have rights within that tenant.
Tenants have subscriptions, and service principals belong to tenants. Azure Resource Manager also exposes role-based authorization for a given principal, which gives it rights on Azure resources. It appears the service principal doesn't have rights to read from that subscription.
Go to the portal and find your subscription, click on Access Control (IAM) and then click on Add role assignment for the service principal that you use to acquire the token.
After you have granted the permission, refresh and try again.

how to create linked service to adla

I'm trying to create a linked service to Azure Data Lake Analytics and it is showing an error like this:
[{"code":9512,"message":"Failed to connect to ADLA account 'miniprojectanalytics'
with error 'The client '8899dd6a-45b1-4955-a3b9-7b3a95dd6dfa' with object id
'8899dd6a-45b1-4955-a3b9-7b3a95dd6dfa' does not have authorization to perform action
'Microsoft.Authorization/permissions/read' over scope '
subscriptions/8e9519a3-7b76-40fe-9b64-752ed2d0d4dc/resourceGroups/harigrp/providers/Microsoft.DataLakeAnalytics/accounts/miniprojectanalytics/providers/Microsoft.Authorization'.
Trace: 0941cde4-bff5-42b4-8186-1bd08f04944b Time: 2018-10-05T00:27:23.0661884-07:00'."}]
Could anyone please assist me with how to resolve this?
I believe you need to give your service account access on the ADLA via the Add User Wizard.
From here
Service principal authentication
The Azure Data Lake Analytics linked service requires a service principal authentication to connect to the Azure Data Lake Analytics service. To use service principal authentication, register an application entity in Azure Active Directory (Azure AD) and grant it the access to both the Data Lake Analytics and the Data Lake Store it uses. For detailed steps, see Service-to-service authentication. Make note of the following values, which you use to define the linked service:
Application ID
Application key
Tenant ID
Grant the service principal permission to your Azure Data Lake Analytics account using the Add User Wizard.
