Azure RBAC application-insights-component-contributor vs monitoring-contributor - azure

I am trying to understand the overlap between these two roles in Azure RBAC. It looks like monitor-contributor completely covers application-insights-component-contributor apart from "Microsoft.Resources/deployments/*". Consider the following situation: I am deploying web availability tests into an AppInsights resource, and the deployment identity is a service principal which was already granted monitor-contributor permissions. Should I also grant this identity 'application-insights-component-contributor' to be able to create those resources, or is 'monitor contributor' good enough?
Edit:
I am also deploying alert rules along with the tests, and those rules are implemented as an ARM template. If the SP was granted monitoring-contributor only, it fails with:
Error: requesting Validation for Template Deployment "app508-dfpg-dev3-diag-eastus2-backoffice-ai-test-dep" (Resource Group "app508-dfpg-ne-diag-eastus2"): resources.DeploymentsClient#Validate: Failure sending request: StatusCode=403 -- Original Error: Code="AuthorizationFailed" Message="The client '2c20abbf-e825-495c-9d06-90c5f04f9c60' with object id '2c20abbf-0000-0000-0000-90c5f04f9c60' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/subscriptions/s/resourcegroups/app508-dfpg-ne-diag-eastus2/providers/Microsoft.Resources/deployments/app508-dfpg-dev3-diag-eastus2-backoffice-ai-test-dep' or the scope is invalid. If access was recently granted, please refresh your credentials."

No need to give the Application Insights Component Contributor role; the Monitoring Contributor role is enough. When you are deploying the web availability tests, you just need the Microsoft.Insights/webtests/* action permission, which is already included in Monitoring Contributor.
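
The question and the edit above turn on one thing: whether the union of the roles assigned to the service principal covers every action the deployment call makes. The check below is an added example, not code from the question, the answer or Microsoft. It evaluates Azure RBAC action strings the way the platform does (case-insensitive, `*` wildcard, Actions minus NotActions, union across assignments) against role-definition excerpts in the shape `az role definition list` returns. The excerpts are constructed and abbreviated: they encode only what the question states (Monitoring Contributor covers Microsoft.Insights/webtests/* but not Microsoft.Resources/deployments/*), and are not the authoritative role definitions. The required-action list is likewise an assumption based on the 403 quoted in the edit plus the deployments/write action an ARM deployment also needs.

```python
import re
from typing import Dict, Iterable, List

# Constructed, abbreviated role-definition excerpts (NOT the authoritative
# definitions). "*/read" is the built-in read-everything wildcard; the rest
# is what the question above states about the two roles.
MONITORING_CONTRIBUTOR: Dict = {
    "roleName": "Monitoring Contributor",
    "permissions": [{
        "actions": ["*/read",
                    "Microsoft.Insights/components/*",
                    "Microsoft.Insights/webtests/*"],
        "notActions": [],
    }],
}

APPINSIGHTS_COMPONENT_CONTRIBUTOR: Dict = {
    "roleName": "Application Insights Component Contributor",
    "permissions": [{
        "actions": ["*/read",
                    "Microsoft.Insights/components/*",
                    "Microsoft.Insights/webtests/*",
                    "Microsoft.Resources/deployments/*"],
        "notActions": [],
    }],
}

# Actions exercised by the template deployment described in the edit above
# (assumption: validate/action is the one in the quoted 403; deployments/write
# is needed to create the deployment object itself).
REQUIRED_FOR_TEMPLATE_DEPLOYMENT = [
    "Microsoft.Resources/deployments/validate/action",
    "Microsoft.Resources/deployments/write",
    "Microsoft.Insights/webtests/write",
    "Microsoft.Insights/components/read",
]


def _action_matches(pattern: str, action: str) -> bool:
    # RBAC action strings are case-insensitive and '*' matches any run of
    # characters, including '/' (Microsoft.Resources/deployments/* covers
    # Microsoft.Resources/deployments/validate/action).
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_allows(role: Dict, action: str) -> bool:
    # Within one permission block the effective set is Actions minus NotActions.
    for perm in role.get("permissions", []):
        allowed = any(_action_matches(p, action) for p in perm.get("actions", []))
        denied = any(_action_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False


def missing_actions(roles: Iterable[Dict], required: Iterable[str]) -> List[str]:
    # A principal with several assignments gets the union of their permissions,
    # so an action is missing only if no assigned role grants it.
    roles = list(roles)
    return [a for a in required if not any(role_allows(r, a) for r in roles)]


def report(roles: List[Dict], required: List[str]) -> str:
    names = ", ".join(r["roleName"] for r in roles)
    gaps = missing_actions(roles, required)
    if not gaps:
        return f"[{names}] covers all {len(required)} required actions"
    return f"[{names}] is missing: " + ", ".join(gaps)


if __name__ == "__main__":
    print(report([MONITORING_CONTRIBUTOR], REQUIRED_FOR_TEMPLATE_DEPLOYMENT))
    print(report([MONITORING_CONTRIBUTOR, APPINSIGHTS_COMPONENT_CONTRIBUTOR],
                 REQUIRED_FOR_TEMPLATE_DEPLOYMENT))
```

Run against the real definitions by replacing the excerpts with the `permissions` array from `az role definition list --name "Monitoring Contributor"`; the gap it reports for a single role is the action to look for in the `AuthorizationFailed` message, and the smallest role (or custom role) that closes only that gap is the least-privilege fix rather than a broader Contributor assignment.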

Related

AuthorizationFailed for unknown principal

I'm deploying an ARM template within an Azure Devops release pipeline. Amongst others, the ARM template looks up the connection string of an existing AppConfiguration instance and outputs it for use in a next step where I set the configuration of a resource.
This has worked fine for the first couple of releases. Since this week however I'm getting the following error:
AuthorizationFailed: The client 'adb4-etc' with object id 'adb4-etc' does not have authorization to perform action 'Microsoft.AppConfiguration/configurationStores/listKeys/action' over scope '/subscriptions/{guid}/resourcegroups/{rgname}/providers/Microsoft.AppConfiguration/configurationStores/{appConfigname}' or the scope is invalid. If access was recently granted, please refresh your credentials.
Just to be sure the problem isn't with the ARM template, I deployed it in the Azure portal using 'Deploy a custom template' and it worked fine, outputting the connection string to the AppConfiguration. However there it used my personal user account for authentication, of course.
The pipeline uses a service connection that is connected to a principal that does not have the client ID starting with adb4, and there is no principal (user, app registration, enterprise application) in our Azure AD that even starts with adb4. So in that sense the error is correct, but why is Azure Devops authenticating with this unknown principal?
The service connection principal has the Contributor role on the applicable AppConfiguration instance. This access was granted weeks ago.

How to authorize Azure Logic App connector to ACI in separate resource group

I'm trying to create an Azure Logic App that uses a connector to ACI to run a container group. I was able to get it running correctly by creating a connector in the Logic App designer in the Azure Portal. However, the designer currently only supports connectors in the same resource group as the logic app. I would like to use a single connector for logic apps in multiple resource groups, so I need to use a connector from a different resource group. Logic Apps appear to support this just fine as long as you edit the code directly instead of using the visual designer. I am able to create the connector just fine, and the app is able to connect to it, however I am not able to authorize the connector properly. When I go to the connector and attempt to authorize it, the process works fine and it says that it is connected. However, when I then try to run the Logic App, I get the following error:
{
  "error": {
    "code": "InvalidAuthenticationTokenTenant",
    "message": "The access token is from the wrong issuer 'https://sts.windows.net/YYY/'. It must match the tenant 'https://sts.windows.net/XXX/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/XXX' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."
  }
}
XXX and YYY are two different tenant-ids. However, XXX is the tenant ID I get when I run az account show on my machine and in the Azure Cloud Shell. I only have one tenant ID and one subscription. I don't know where the other tenant ID is coming from, or how it is being used to authorize the connector when I am using the same login that is tenant ID XXX.
Is there any way I can successfully authorize the connector with my tenant ID?
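
The error above names the issuer the token actually carries and the one the subscription's tenant expects, so the first diagnostic step is to read the `iss` and `tid` claims of the token the connector is presenting and compare them with the subscription tenant. The script below is an added example, not code from the question or from Microsoft. It decodes the payload without verifying the signature, which is fine for finding out which tenant issued a token but must never be used to make an authorization decision. The tenant GUIDs and the token it builds are constructed placeholders standing in for XXX and YYY; the issuer format is the one quoted in the error message.

```python
import base64
import json
from typing import Dict

# Constructed placeholder tenant IDs standing in for XXX (the subscription's
# tenant) and YYY (the tenant that actually issued the token).
SUBSCRIPTION_TENANT = "11111111-1111-1111-1111-111111111111"
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> Dict:
    # Reads the payload only. The signature is NOT checked, so this answers
    # "which tenant issued this token", not "is this token valid".
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def expected_issuer(tenant_id: str) -> str:
    # Issuer format quoted in the InvalidAuthenticationTokenTenant error above.
    return f"https://sts.windows.net/{tenant_id}/"


def issuer_report(token: str, subscription_tenant_id: str) -> Dict:
    claims = decode_claims(token)
    iss = claims.get("iss", "")
    want = expected_issuer(subscription_tenant_id)
    return {
        "issuer": iss,
        "tid": claims.get("tid"),
        "expected": want,
        "matches": iss.lower() == want.lower(),
    }


def make_sample_token(claims: Dict) -> str:
    # Constructed sample token for offline use: the header and payload are real
    # JSON, the signature segment is filler bytes (Azure AD signs real tokens).
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = _b64url_encode(b"constructed-signature-placeholder")
    return f"{header}.{payload}.{signature}"


if __name__ == "__main__":
    wrong = make_sample_token({"iss": expected_issuer(OTHER_TENANT), "tid": OTHER_TENANT})
    print(issuer_report(wrong, SUBSCRIPTION_TENANT))
```

On a real token, paste the value the connector sends (visible in the Logic App run history or obtained with `az account get-access-token`) in place of the constructed one; a `tid` that differs from `az account show` points at a second tenant the connector was authorized in, for example a guest identity or a multi-tenant app registration, rather than a problem with the subscription itself.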

Can't delete Kubernetes Service - Azure

Didn't provision properly. It is in a provisioning state of failed. I get the following when trying to delete from the portal/Azure CLI:
Failed to delete container service 'GTK8s'. Error: 'autorest/azure: Service returned an error. Status=401 Code="InvalidAuthenticationToken" Message="The received access token is not valid: at least one of the claims 'puid' or 'altsecid' or 'oid' should be present. If you are accessing as application please make sure service principal is properly created in the tenant."'
I can't see a service principal relating to this application in Azure AD.
Deleting the resource group worked for me. Thx for the suggestion #4c74356b41

Cannot create Hybrid Connection in Azure Portal

We are trying to set up a Hybrid Connection from an App Service and the Azure Portal behavior is quite odd. We have done this previously from another subscription; this subscription is part of a CSP (so we can't even try doing it from the old/classic portal).
Blade prompts us to create a new resource group even though the one it defaulted to already exists. (Like it can't populate existing resource groups?)
No locations are provided when navigating to the Location pane, there's a cutoff error message:
"There are no locations available. You may not h..."
We have "owner" role on the subscription.
"This subscription is part of a CSA (so we can't even try doing it from the old/classic portal)."
Do you mean CSP there, as in Cloud Solution Provider? If so, the resource provider Microsoft.BizTalkServices is not yet available in CSP.
Yes, the error message and how the UI flow is handled could use some improvement.
See this for more:
https://blogs.technet.microsoft.com/hybridcloudbp/2016/06/29/list-of-azure-services-in-csp/

How to get subscription id programmatically in a Azure Role?

I have this Worker Role which makes use of the REST Management API (through https://github.com/Azure/azure-sdk-for-net), whose most basic prerequisite is the Subscription ID.
Is there a way to get the Subscription ID from a running (worker) role? E.g. say, through RoleEnvironment?
Sorry Gatis, there is no way to get this via any method provided by Azure*. You would need to pass this information into your role using something like the CSCFG configuration settings.
For a little more context: the subscription ID is only known at the RDFE layer. Once you are in the Fabric layer (i.e. your running Worker Role) there is no concept of a subscription ID. You can see http://blogs.msdn.com/b/kwill/archive/2011/05/05/windows-azure-role-architecture.aspx, process A and steps 1&2, for a little more info.
*If you are using AAD authentication for your Service Management API calls then you could get a list of all subscriptions for that AAD user using 'List Azure Subscriptions' - http://msdn.microsoft.com/en-us/library/azure/dn775050.aspx. With those subscriptions you could enumerate all cloud services and match the deployment ID to the deployment ID for your worker role.
Edit: Typo in first paragraph. Changed 'something like the Subscription ID' to 'something like the CSCFG configuration settings'.
