Can I create an event grid subscription to an Azure function app before the function is published? - azure

I have been trying to create an event grid subscription to an Event Grid Trigger function which is created to capture Blob storage events, using ARM templates. I successfully create the function app resource first, then try to create the event grid subscription on the created function app, but it fails with the following error:
"error": {
    "code": "ResourceDeploymentFailure",
    "message": "The resource operation completed with terminal provisioning state 'Failed'.",
    "details": [
        {
            "code": "Url validation",
            "message": "The attempt to validate the provided endpoint https://myfunction.azurewebsites.net/runtime/webhooks/eventgrid failed. For more details, visit https://aka.ms/esvalidation."
        }
    ]
}
Here I have used the webhook URL as the endpoint. I've come to know that there is a validation call that goes back to the function app to verify its existence.
My question is, do we need to publish the Event Grid Trigger function to the function app before trying to create an event grid subscription for that?
P.S. I have also tried the same order with AzureFunction as the endpoint type (2020-01-01 version), but it still failed to create the subscription.

Based on the validation details described here:
At the time of event subscription creation/update, Event Grid posts a subscription validation event to the target endpoint
As a workaround, you can use a dummy (no-op) subscriber handler endpoint for creating your subscription and then update the webhook endpoint with your real subscriber handler endpoint.

Related

Unauthorized error send message from function app to eventgrid with Role Based Access for Event Grid Send

I have a function app with a function that sends a message to Event Grid. A function in this same function app is subscribed to this Event Grid topic. I get an unauthorized error when sending the message, despite the function app having role-based access for Event Grid Send.
I have set the function app Identity to System Assigned ON:
I also set the function app Assigned Role to Event Grid Sender at Subscription level (within which the event grid topic also sits):
The event grid sender role assigned is confirmed at IAM Role Assignments of the Event Grid Topic:
When I execute the function app to send data to event grid I get unauthorized error:
// Required at the top of the file for the types used below
using System;
using Azure.Identity;
using Azure.Messaging.EventGrid;

// Name of the endpoint of the Event Grid topic
string topicEndpoint = transformAlgoSendRMessage_TopicEP;
// Create a client that publishes events to the Event Grid topic; DefaultAzureCredential
// picks up the function app's managed identity when running in Azure
EventGridPublisherClient client = new EventGridPublisherClient(new Uri(topicEndpoint), new DefaultAzureCredential());
// Create a sample event with subject, event type, data version and data
EventGridEvent egEvent = new EventGridEvent("TransformTelemetry", "TransformAlgorithm.broadcastTransform", "1.0", machinePartTransformTelemetry);
// Send the event
try
{
    await client.SendEventAsync(egEvent);
    if (b_debug_contractor)
        log.LogInformation("SendRTransformMessage sent transformdata - PosX:" + machinePartTransformTelemetry[1]);
}
catch (Exception e)
{
    log.LogError("Failed to send SendRTransformMessage. " + e.Message);
}
Unauthorized Error:
[2022-11-25T08:00:45.646Z] Failed to send SendRTransformMessage. The principal associated with access token presented with the incoming request does not have permission to send data to /subscriptions/MySubscriptionID/resourceGroups/myresourcegroup/providers/Microsoft.EventGrid/topics/functionappname. Report 'e9595a36-8420-4466-b91a-801fbfcf605d:4:11/25/2022 8:00:48 AM (UTC)' to our forums for assistance or raise a support ticket.
[2022-11-25T08:00:45.646Z] Status: 401 (The principal associated with access token presented with the incoming request does not have permission to send data to /subscriptions/mySubscriptionID/resourceGroups/myresourcegroup/providers/Microsoft.EventGrid/topics/myfunctionappname. Report 'e9595a36-8420-4466-b91a-801fbfcf605d:4:11/25/2022 8:00:48 AM (UTC)' to our forums for assistance or raise a support ticket.)
[2022-11-25T08:00:45.647Z] ErrorCode: Unauthorized
[2022-11-25T08:00:45.647Z]
[2022-11-25T08:00:45.647Z] Content:
[2022-11-25T08:00:45.648Z] {
[2022-11-25T08:00:45.648Z] "error": {
[2022-11-25T08:00:45.649Z] "code": "Unauthorized",
[2022-11-25T08:00:45.649Z] "message": "The principal associated with access token presented with the incoming request does not have permission to send data to /subscriptions/mySubscriptionID/resourceGroups/myresourcegroup/providers/Microsoft.EventGrid/topics/myfunctionappname. Report 'e9595a36-8420-4466-b91a-801fbfcf605d:4:11/25/2022 8:00:48 AM (UTC)' to our forums for assistance or raise a support ticket.",
[2022-11-25T08:00:45.650Z] "details": [{
[2022-11-25T08:00:45.650Z] "code": "Unauthorized",
[2022-11-25T08:00:45.650Z] "message": "The principal associated with access token presented with the incoming request does not have permission to send data to /subscriptions/mySubscriptionID/resourceGroups/myresourcegroup/providers/Microsoft.EventGrid/topics/myfunctionappname. Report 'e9595a36-8420-4466-b91a-801fbfcf605d:4:11/25/2022 8:00:48 AM (UTC)' to our forums for assistance or raise a support ticket."
I note that I also tried with key credentials, but Azure would not recognize the key.
I tried to reproduce the same in my environment and got the results below.
I created one function app and enabled system-assigned identity as below:
Add a role assignment to the Event Grid topic as below: go to Azure Portal -> Event Grid Topics -> Your Topic -> Access control (IAM)
The 401 Unauthorized error may occur if you selected a service principal instead of the managed identity, i.e. where 'Type' is App rather than Function App, while assigning the role, as below:
To resolve the error, make sure to select the Managed Identity of type Function App while assigning the role on the Event Grid topic, as below:
Select Review + assign to assign the role as below:
The EventGrid Data Sender role was assigned successfully on the Event Grid topic, as below:
This will automatically reflect in the function app too, and there is no need to assign this role separately to the function app identity.
To confirm that, go to Azure Portal -> Your Function App -> Identity -> Azure role assignments.
Now restart the function app and execute the function again. If the issue still persists, raise a support ticket.
Reference:
Send Events To Event Grid Topic Using Managed Service Identity by Rittik Basu
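The answer's diagnosis (role granted to the wrong principal, or at a scope that does not cover the topic) can be checked offline from the JSON that `az role assignment list --all -o json` prints. The following is an added example, not code from the answer or from Azure; it assumes the field names `principalId`, `principalType`, `roleDefinitionName` and `scope` as emitted by that CLI command, and every id below is a constructed placeholder.

```python
"""Added example, not part of the original answer: given the JSON that
`az role assignment list --all -o json` prints, decide whether the function
app's system-assigned identity actually holds EventGrid Data Sender on a scope
that covers the topic. All ids below are constructed placeholders."""
from typing import Dict, List

SENDER_ROLE = "EventGrid Data Sender"

SUBSCRIPTION_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"
TOPIC_ID = (SUBSCRIPTION_SCOPE + "/resourceGroups/myresourcegroup"
            "/providers/Microsoft.EventGrid/topics/myfunctionappname")

# Object id of the function app's managed identity (constructed).
FUNCTION_APP_IDENTITY = "11111111-1111-1111-1111-111111111111"
# Object id of an app registration's service principal with a similar name,
# the wrong pick described in the answer (constructed).
APP_REGISTRATION_SP = "22222222-2222-2222-2222-222222222222"


def scope_covers(assigned_scope: str, resource_id: str) -> bool:
    """Azure RBAC inherits downward: an assignment at a parent scope applies to
    every child resource. Resource ids compare case-insensitively."""
    a = assigned_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def diagnose(assignments: List[Dict[str, str]], principal_id: str,
             resource_id: str, role: str = SENDER_ROLE) -> str:
    """Return "ok", "wrong-principal" or "missing" for the given identity."""
    relevant = [x for x in assignments
                if x.get("roleDefinitionName") == role
                and scope_covers(x.get("scope", ""), resource_id)]
    if any(x.get("principalId", "").lower() == principal_id.lower() for x in relevant):
        return "ok"
    if relevant:
        # The role exists at a covering scope but is bound to another principal:
        # this is what the portal mistake from the answer (an app registration
        # picked instead of the Function App managed identity) looks like.
        return "wrong-principal"
    return "missing"


# Constructed sample output: the role sits on the subscription (which contains
# the topic) but is bound to the app registration, not the managed identity.
MISASSIGNED = [{
    "principalId": APP_REGISTRATION_SP,
    "principalType": "ServicePrincipal",
    "roleDefinitionName": SENDER_ROLE,
    "scope": SUBSCRIPTION_SCOPE,
}]

# Constructed sample after the fix: the managed identity holds the role on the
# topic. (Managed identities are also reported with principalType ServicePrincipal.)
FIXED = MISASSIGNED + [{
    "principalId": FUNCTION_APP_IDENTITY,
    "principalType": "ServicePrincipal",
    "roleDefinitionName": SENDER_ROLE,
    "scope": TOPIC_ID,
}]

if __name__ == "__main__":
    print("before fix:", diagnose(MISASSIGNED, FUNCTION_APP_IDENTITY, TOPIC_ID))
    print("after fix: ", diagnose(FIXED, FUNCTION_APP_IDENTITY, TOPIC_ID))
```

The managed identity's object id to pass as `principal_id` is the one shown under the function app's Identity blade; comparing ids rather than display names is what exposes the app-registration mix-up, because both principals can carry the same name.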

Not able to register Event Grid subscription with webhook delivery properties in Azure

I have a REST service hosted in an Azure Web App. I registered a webhook on Azure Event Grid by pointing it to the REST service endpoint. I have followed the link below and added endpoint validation for Event Grid events in the REST service. I am able to register the webhook successfully.
https://learn.microsoft.com/en-us/azure/event-grid/webhook-event-delivery
But I am facing an issue (not able to subscribe the webhook) if I configure any delivery properties in Event Grid, like Authorization or content-type headers, as shown below. Please refer to the attachment below for error details (shown on the right side of the picture) as well.
Event Grid subscription with webhook delivery properties failure
Could someone please help me with this.
Thanks in advance,
Ashok
First, we need to check how event delivery is authenticated with the event handler.
Also, make sure that the validation call from Event Grid succeeds. Event Grid supports two ways of validation:
Synchronous Validation
Asynchronous Validation
A subscription validation event example is shown below:
[
    {
        "id": "2d1781af-3a4c-4d7c-bd0c-e34b19da4e66",
        "topic": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "subject": "",
        "data": {
            "validationCode": "512d38b6-c7b8-40c8-89fe-f46f9e9622b6",
            "validationUrl": "https://rp-eastus2.eventgrid.azure.net:553/eventsubscriptions/myeventsub/validate?id=0000000000-0000-0000-0000-00000000000000&t=2021-09-01T20:30:54.4538837Z&apiVersion=2018-05-01-preview&token=1A1A1A1A"
        },
        "eventType": "Microsoft.EventGrid.SubscriptionValidationEvent",
        "eventTime": "2021-00-01T22:12:19.4556811Z",
        "metadataVersion": "1",
        "dataVersion": "1"
    }
]
Refer to Webhook event delivery in the MS Docs.
Also check this for troubleshooting validation issues.
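Both the "dummy subscriber" workaround in the first answer and the validation handshake this answer describes come down to one small piece of handler code: recognise the `Microsoft.EventGrid.SubscriptionValidationEvent` batch and echo `validationCode` back as `validationResponse`. The following is an added example, not code from either answer or from Microsoft. It assumes the `aeg-event-type` request header that Event Grid sets on its POSTs, reuses the validation event shown above as constructed input, and adds an optional shared-secret check on deliveries to illustrate the Authorization delivery property the question mentions (whether a validation POST also carries delivery properties is not assumed here, so validation is exempt from that check).

```python
"""Added example, not code from the original posts: a minimal Event Grid
webhook subscriber that completes the synchronous validation handshake and
acknowledges deliveries (a "no-op" subscriber). The Authorization check on
deliveries is a constructed illustration of a delivery property."""
import hmac
import json
from typing import Any, Dict, Optional, Tuple

VALIDATION_EVENT_TYPE = "Microsoft.EventGrid.SubscriptionValidationEvent"
# Event Grid sets this request header to "SubscriptionValidation" on handshake
# POSTs and to "Notification" on normal deliveries.
AEG_EVENT_TYPE_HEADER = "aeg-event-type"


def handle_event_grid_request(headers: Dict[str, str], body: bytes,
                              expected_auth: Optional[str] = None) -> Tuple[int, Dict[str, Any]]:
    """Process one POST from Event Grid; returns (HTTP status, JSON-able body)."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    try:
        events = json.loads(body)
    except ValueError:
        return 400, {"error": "request body is not JSON"}
    if not isinstance(events, list):
        return 400, {"error": "expected a JSON array of events"}

    if lower.get(AEG_EVENT_TYPE_HEADER) == "SubscriptionValidation":
        codes = [e.get("data", {}).get("validationCode") for e in events
                 if e.get("eventType") == VALIDATION_EVENT_TYPE]
        if len(codes) != 1 or not codes[0]:
            return 400, {"error": "malformed validation event"}
        # Synchronous validation: echo the code back in the response body.
        # Asynchronous validation would instead return 200 here and later
        # issue a GET to data.validationUrl.
        return 200, {"validationResponse": codes[0]}

    # Normal delivery. If the subscription carries an Authorization delivery
    # property, require it so that only Event Grid can feed this endpoint.
    if expected_auth is not None:
        presented = lower.get("authorization", "")
        if not hmac.compare_digest(presented, expected_auth):
            return 401, {"error": "missing or wrong Authorization header"}
    # The no-op subscriber simply acknowledges the batch.
    return 200, {"received": len(events)}


# Constructed sample matching the validation event shown above (eventTime made valid).
SAMPLE_VALIDATION_BATCH = [{
    "id": "2d1781af-3a4c-4d7c-bd0c-e34b19da4e66",
    "topic": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "subject": "",
    "data": {
        "validationCode": "512d38b6-c7b8-40c8-89fe-f46f9e9622b6",
        "validationUrl": "https://rp-eastus2.eventgrid.azure.net:553/eventsubscriptions/myeventsub/validate?id=0000000000-0000-0000-0000-00000000000000&t=2021-09-01T20:30:54.4538837Z&apiVersion=2018-05-01-preview&token=1A1A1A1A",
    },
    "eventType": VALIDATION_EVENT_TYPE,
    "eventTime": "2021-09-01T22:12:19.4556811Z",
    "metadataVersion": "1",
    "dataVersion": "1",
}]
SAMPLE_VALIDATION_BODY = json.dumps(SAMPLE_VALIDATION_BATCH).encode()
# Constructed delivery: one Blob Created event with its payload trimmed.
SAMPLE_NOTIFICATION_BODY = b'[{"eventType": "Microsoft.Storage.BlobCreated", "subject": "/blobServices/default/containers/c/blobs/x", "data": {}}]'
CONSTRUCTED_SECRET = "Bearer constructed-shared-secret"

if __name__ == "__main__":
    from http.server import BaseHTTPRequestHandler, HTTPServer

    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
            status, payload = handle_event_grid_request(dict(self.headers), raw,
                                                        expected_auth=CONSTRUCTED_SECRET)
            out = json.dumps(payload).encode()
            self.send_response(status)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(out)))
            self.end_headers()
            self.wfile.write(out)

    HTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```

Run it behind a public HTTPS endpoint (Event Grid only delivers to HTTPS) and point the subscription at it; once the subscription exists, the endpoint can be switched to the real handler, as the first answer suggests. The 401 path is what a delivery with a wrong or missing Authorization header should hit, which is a useful thing to confirm in the handler's logs before adding that delivery property to the subscription.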

Logic App http trigger with AAD auth - Event grid subscription validation failure

I'm trying to create an event grid subscription that will call a logic app every time a blob is created.
To protect the logic app http endpoint, I've enabled AAD Auth following this documentation:
Enable Azure AD OAuth for your logic app
I then configured eventgrid to attach an oauth token while calling the logic following this documentation:
Publish events to Azure Active Directory protected endpoints
While creating the subscription, I received this error:
Deployment has failed with the following error:
{
    "code": "Url validation",
    "message": "Webhook validation handshake failed for https://prod-07.australiaeast.logic.azure.com/workflows/5aade5e78ff84281baf17c0ab70a35d8/triggers/manual/paths/invoke. Http POST request failed with response code Unknown. For troublehooting, visit https://aka.ms/esvalidation. Activity id:4d430ada-82ee-43a6-8ad4-467f6de611d8, timestamp: 7/17/2021 12:44:13 AM (UTC)."
}
Using RequestBin, I checked that the OAuth token was attached (see the associated RequestBin).
I've also validated that the token was valid by calling the logic app (from Postman) using the token from RequestBin.
I tried the same using a function app and it worked.
So I decided to try exposing the logic app behind an API Management service, and it worked...
So I'm guessing Azure is doing something special with the internal logic app URL: https://prod-07.australiaeast.logic.azure.com/workflows/5aade5e78ff84281baf17c0ab70a35d8/triggers/manual/paths/
Has anyone encountered the same issue and been able to work around it in a better way?

azure data factory BlobEventsTrigger : set "advanced filter" programmatically

I am trying to set "advanced filter" of BlobEventsTrigger programmatically.
They are reset at each deployment. I need only 3, and having 7 of them is causing the job to start twice. It is super annoying to delete them manually after each deployment.
I have tried to add a field "advancedFilters" or "blobType" to the trigger json file without success.
"typeProperties": {
    "blobPathBeginsWith": "/bingofile/blobs/",
    "blobPathEndsWith": "/_SUCCESS",
    "ignoreEmptyBlobs": false,
    "scope": "/subscriptions/bingofilesup/resourceGroups/bingofilesup/providers/Microsoft.Storage/storageAccounts/bingofilesup",
    "events": [
        "Microsoft.Storage.BlobCreated"
    ]
}
I've also tried az eventgrid system-topic event-subscription update, but this library does not work when it comes to updating advanced filters. It asks for an endpoint (which is normally a facultative argument), and when provided with the existing data factory endpoint, it fails to reach it.
I have checked the documentation about this endpoint, and it is said to be the webhook endpoint:
Endpoint where EventGrid should deliver events matching this event
subscription. For webhook endpoint type, this should be the
corresponding webhook URL. For other endpoint types, this should be
the Azure resource identifier of the endpoint. It is expected that the
destination endpoint to be already created and available for use
before executing any Event Grid command.
But it does not work:
Deployment failed. Correlation ID:
95e4fab5-163e-48ab-8cb2-b23432516e53. Webhook validation handshake
failed for [webwook end point provided in the topic]. Http POST
request failed with response code Unknown. For troublehooting, visit
https://aka.ms/esvalidation.
Any observation or suggestion would be great, thanks in advance !
According to my test, the endpoint https://pmeastasia.svc.datafactory.azure.com:4443/triggerevent/BlobEventsTrigger/<> is just a base URL. When the events are sent to data factory or the subscription is updated, Azure will generate an endpoint from the base URL to do auth. So if you want to update the subscription with other tools, I think you need to use Fiddler to catch the request to get the whole endpoint first.
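Whatever tool ends up writing the subscription, it is worth knowing what the filter block on the Event Grid side looks like and which events it lets through, since the duplicate run in the question comes from overlapping filters. The following is an added example, not code from the question, the answer or Data Factory: it translates the `typeProperties` shown above into an Event Grid `advancedFilters` list and evaluates that list against constructed Blob Created events. The mapping of `blobPathBeginsWith`/`blobPathEndsWith` onto the blob event `subject` and of `ignoreEmptyBlobs` onto a `data.contentLength` filter is this example's own reading of the trigger, not Data Factory's documented internals, and only the handful of operator types used here are implemented.

```python
"""Added example, not from the original question or answer: build an Event
Grid subscription filter from BlobEventsTrigger typeProperties and evaluate it
against constructed BlobCreated events. The ADF-to-filter mapping is an
assumption of this example."""
from typing import Any, Dict, List

BLOB_CREATED = "Microsoft.Storage.BlobCreated"
# Blob Storage events carry subjects of the form
# /blobServices/default/containers/<container>/blobs/<path>
SUBJECT_PREFIX = "/blobServices/default/containers"


def adf_trigger_to_filter(type_props: Dict[str, Any]) -> Dict[str, Any]:
    """Produce an Event Grid filter block (includedEventTypes + advancedFilters)."""
    advanced: List[Dict[str, Any]] = []
    begins = type_props.get("blobPathBeginsWith", "")
    ends = type_props.get("blobPathEndsWith", "")
    if begins:
        # "/container/blobs/folder/" becomes a subject prefix (assumed mapping)
        advanced.append({"operatorType": "StringBeginsWith", "key": "subject",
                         "values": [SUBJECT_PREFIX + begins]})
    if ends:
        advanced.append({"operatorType": "StringEndsWith", "key": "subject",
                         "values": [ends]})
    if type_props.get("ignoreEmptyBlobs"):
        # Zero-byte blobs are excluded via the event's contentLength (assumed mapping)
        advanced.append({"operatorType": "NumberGreaterThan",
                         "key": "data.contentLength", "values": [0]})
    return {"includedEventTypes": list(type_props.get("events", [])),
            "advancedFilters": advanced}


def _lookup(event: Dict[str, Any], key: str) -> Any:
    """Resolve a dotted key such as data.contentLength against the event."""
    node: Any = event
    for part in key.split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node


def _apply(op: str, actual: Any, values: List[Any]) -> bool:
    """Evaluate one advanced filter operator; a missing key never matches."""
    if actual is None:
        return False
    if op == "StringBeginsWith":
        return any(str(actual).startswith(str(v)) for v in values)
    if op == "StringEndsWith":
        return any(str(actual).endswith(str(v)) for v in values)
    if op == "StringIn":
        return str(actual) in [str(v) for v in values]
    if op == "NumberGreaterThan":
        return float(actual) > float(values[0])
    if op == "NumberLessThan":
        return float(actual) < float(values[0])
    raise ValueError(f"unsupported operatorType {op}")


def event_matches(flt: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Advanced filters are ANDed, and the event type must be included."""
    types = flt.get("includedEventTypes") or []
    if types and event.get("eventType") not in types:
        return False
    return all(_apply(f["operatorType"], _lookup(event, f["key"]), f["values"])
               for f in flt.get("advancedFilters", []))


# typeProperties from the question, with ignoreEmptyBlobs switched on here to
# show the extra filter it produces.
TRIGGER_PROPS = {
    "blobPathBeginsWith": "/bingofile/blobs/",
    "blobPathEndsWith": "/_SUCCESS",
    "ignoreEmptyBlobs": True,
    "events": [BLOB_CREATED],
}


def blob_event(path: str, size: int, event_type: str = BLOB_CREATED) -> Dict[str, Any]:
    """Constructed event in the shape Blob Storage emits (payload trimmed)."""
    return {"eventType": event_type,
            "subject": f"{SUBJECT_PREFIX}/{path}",
            "data": {"api": "PutBlob", "contentLength": size}}


if __name__ == "__main__":
    flt = adf_trigger_to_filter(TRIGGER_PROPS)
    for p, n in [("bingofile/blobs/run1/_SUCCESS", 12), ("bingofile/blobs/run1/part-0000", 12),
                 ("bingofile/blobs/run1/_SUCCESS", 0), ("other/blobs/run1/_SUCCESS", 12)]:
        print(p, n, "->", event_matches(flt, blob_event(p, n)))
```

Comparing the list this produces with what the portal shows on the system topic's subscription after a deployment is a quick way to see which of the seven filters are redundant before deciding how to manage them.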

Is there a way to get the status of an Event Grid trigger for azure function (Complete /Pending or Running)

With an HTTP-triggered Azure function, if you send a POST request you receive something like this as a response:
{
    "id": "66ee5d08196874aeb99c9e62ddc7b190",
    "statusQueryGetUri": "https://asynchttpfunction.azurewebsites.net/runtime/webhooks/durabletask/instances/66ee5d08196945aeb44c9e62ddc7b190?taskHub=Orchestration&connection=Storage&code=FSVfJyGODSeKHPO0cM8Po9e1jMT7MghVMGuJqTaGTN56E1RUHnlVJg==",
    "sendEventPostUri": "https://asynchttpfunction.azurewebsites.net/runtime/webhooks/durabletask/instances/66ee5d08196945aeb44c9e62ddc7b190/raiseEvent/{eventName}?taskHub=Orchestration&connection=Storage&code=FSVfJyGODSeKHPO0cM8Po9e1jMT7MghVMGuJqTaGTN56E1RUHnlVJg==",
    "terminatePostUri": "https://asynchttpfunction.azurewebsites.net/runtime/webhooks/durabletask/instances/66ee5d08196945aeb44c9e62ddc7b190/terminate?reason={text}&taskHub=Orchestration&connection=Storage&code=FSVfJyGODSeKHPO0cM8Po9e1jMT7MghVMGuJqTaGTN56E1RUHnlVJg==",
    "rewindPostUri": "https://asynchttpfunction.azurewebsites.net/runtime/webhooks/durabletask/instances/66ee5d08196945aeb44c9e62ddc7b190/rewind?reason={text}&taskHub=Orchestration&connection=Storage&code=FSVfJyGODSeKHPO0cM8Po9e1jMT7MghVMGuJqTaGTN56E1RUHnlVJg==",
    "purgeHistoryDeleteUri": "https://asynchttpfunction.azurewebsites.net/runtime/webhooks/durabletask/instances/66ee5d08196945aeb44c9e62ddc7b190?taskHub=Orchestration&connection=Storage&code=FSVfJyGODSeKHPO0cM8Po9e1jMT7MghVMGuJqTaGTN56E1RUHnlVJg=="
}
The statusQueryGetUri provides information about the long-running orchestration instance. If you follow this link you will receive a suitable runtimeStatus that describes the status of the orchestration instance, along with some other useful information (see here).
My question now is:
We don't actually send a POST request to an Event Grid Azure function trigger. Is there any way to get the status of the Azure function, i.e. whether it is complete or still running?
Azure Event Grid is an eventing Pub/Sub model where the interest of a source is distributed to the subscribed event handler endpoint or resource in a reliable manner, with a retry policy and a dead-lettering option. AEG waits for the delivery response processing for a maximum of 60 seconds.
There is no built-in feature for what you are asking in AEG; however, you can use the REST API for metrics of the specific subscription to obtain its counter values:
MatchedEventCount,
DeliveryAttemptFailCount,
DeliverySuccessCount,
DroppedEventCount,
DeadLetteredCount
The following GET is an example of getting the subscription metrics:
https://management.azure.com/subscriptions/mysubId/resourceGroups/mygroup/providers/Microsoft.EventGrid/topics/mytester/providers/Microsoft.EventGrid/eventSubscriptions/mysubscription/providers/Microsoft.Insights/metrics?api-version=2018-01-01&interval=PT5M&metricnames=MatchedEventCount,DeliveryAttemptFailCount,DeliverySuccessCount,DroppedEventCount,DeadLetteredCount
Note, that the authorization header with a bearer token is required for this call.
More details about the monitoring an event message delivery can be found here.
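The counters above tell you whether a matched event has been delivered, dropped or dead-lettered, which is as close to a "status" as Event Grid exposes for a push delivery. The following is an added example, not code from the answer or from Microsoft: it builds the same metrics URL as the GET above, performs it with the required bearer token, and reduces the Azure Monitor metrics response to per-counter totals plus a derived count of events still inside the retry policy. The response shape (`value[].name.value`, `timeseries[].data[].total`) follows the Azure Monitor metrics API; the sample response and the subscription, group and topic names are constructed.

```python
"""Added example, not part of the original answer: build the metrics GET shown
above and reduce an Azure Monitor metrics response to a per-counter summary.
Sample response and resource names are constructed."""
import json
import os
import urllib.request
from typing import Any, Dict

METRIC_NAMES = ("MatchedEventCount", "DeliveryAttemptFailCount",
                "DeliverySuccessCount", "DroppedEventCount", "DeadLetteredCount")


def metrics_url(subscription_id: str, resource_group: str, topic: str,
                event_subscription: str, interval: str = "PT5M",
                api_version: str = "2018-01-01") -> str:
    """Azure Monitor metrics URL for one event subscription on a custom topic."""
    resource = (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
                f"/providers/Microsoft.EventGrid/topics/{topic}"
                f"/providers/Microsoft.EventGrid/eventSubscriptions/{event_subscription}")
    return (f"https://management.azure.com{resource}/providers/Microsoft.Insights/metrics"
            f"?api-version={api_version}&interval={interval}"
            f"&metricnames={','.join(METRIC_NAMES)}")


def summarize_metrics(response: Dict[str, Any]) -> Dict[str, float]:
    """Sum each counter over the returned time series and derive how many
    matched events are neither delivered nor given up on (still retrying)."""
    totals = {name: 0.0 for name in METRIC_NAMES}
    for metric in response.get("value", []):
        name = metric.get("name", {}).get("value")
        if name not in totals:
            continue
        for series in metric.get("timeseries", []):
            for point in series.get("data", []):
                # Points with no data omit "total" or carry null; treat as 0.
                totals[name] += float(point.get("total", 0) or 0)
    # Approximation: a matched event ends as a success, a drop or a dead-letter;
    # anything else is still within the retry policy. Failed attempts are not
    # subtracted because one event can fail several times before succeeding.
    totals["StillRetrying"] = (totals["MatchedEventCount"] - totals["DeliverySuccessCount"]
                               - totals["DroppedEventCount"] - totals["DeadLetteredCount"])
    return totals


def fetch_metrics(url: str, bearer_token: str) -> Dict[str, Any]:
    """Perform the GET; the Authorization header is mandatory for this ARM call."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _series(name: str, *totals: float) -> Dict[str, Any]:
    """Build one metric entry in the Azure Monitor response shape (constructed)."""
    return {"name": {"value": name},
            "timeseries": [{"data": [{"timeStamp": f"2021-01-01T00:{5 * i:02d}:00Z", "total": t}
                                     for i, t in enumerate(totals)]}]}


# Constructed response over two 5-minute buckets: 10 matched, 7 delivered,
# 2 failed attempts, 1 dead-lettered, so 2 events still being retried.
SAMPLE_RESPONSE = {"value": [
    _series("MatchedEventCount", 4, 6),
    _series("DeliveryAttemptFailCount", 2, 0),
    _series("DeliverySuccessCount", 3, 4),
    _series("DroppedEventCount", 0, 0),
    _series("DeadLetteredCount", 0, 1),
]}

if __name__ == "__main__":
    url = metrics_url("mysubId", "mygroup", "mytester", "mysubscription")
    token = os.environ.get("ARM_TOKEN")  # e.g. from `az account get-access-token`
    data = fetch_metrics(url, token) if token else SAMPLE_RESPONSE
    print(json.dumps(summarize_metrics(data), indent=2))
```

Without a token in `ARM_TOKEN` the script summarises the constructed sample instead of calling Azure, so it runs offline; with one it reads the live counters for the subscription named in the URL. A persistently positive `StillRetrying` together with a growing `DeliveryAttemptFailCount` is the signal that the handler is timing out or rejecting deliveries rather than that events are simply not matching.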
