I am using an Event Grid connection along with a Logic App that triggers a runbook when certain conditions are met.
As a System Assigned Managed Identity everything worked well. I moved to a User Managed Identity and that is successful. However, it's only successful if I add the User Managed Identity as a Contributor in the Resource Group where the Logic App is created.
I have a need to crop the permissions down to what is actually required rather than have this managed identity with the 11k permissions that the Contributor role comes with.
How can I figure out what permissions I need to enable for this role to get the Logic app to trigger successfully?
Can I make use of the tracking ID to get further information as to what actually failed for the trigger? The Failed message under the Trigger History tab doesn't give a lot to go on.
CodePudding user response:
What you are probably looking for is the full list of the Azure Resource Operation Providers.
From there you can look for the Azure Logic App and see what operations are available. So most probably here you want Microsoft.Logic/workflows/triggers/run/action and a couple of others.
From there, you can either try to map it with existing Azure built-in roles (maybe Logic App Operator?) or you can even create your own custom role to ensure about a perfect least-privilege principle.
EDIT: If you went for a single-tenant Logic App (standard SKU), it is important to remember that the architecture is running onto Functions runtime, so it might also share some operation providers with that one, like Microsoft.Web/sites/hostruntime/host/action. In that case, Website Contributor should do the trick!
CodePudding user response:
Well, with no information in the Activity Log as recommended by @jul_DW it was a bit of a hard slog to find out the permissions required to get this logic app to work.
As this is a logic app fired by a user managed identity and tied to an event grid subscription I happened to start looking into those permissions, starting with the EventGrid Subscription Contributor role.
But I boiled it down to a single missing permission in the end: Microsoft.EventGrid/eventSubscriptions/write.
Plus, of course, the Microsoft.Logic/workflows/triggers/run/action permission is also required for the user managed identity.
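As an added example (not code from either answerer), the two actions identified above packaged as a custom role that is assignable only inside the resource group, plus the Azure CLI calls to create it and assign it to the user-assigned managed identity. The subscription id, resource group and identity name are placeholders to replace.

```shell
# Added example (not the answerers' code): least-privilege custom role with only the
# two actions the thread identified, scoped to one resource group, assigned to the UAMI.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-logicapp}"                            # placeholder
IDENTITY_NAME="${IDENTITY_NAME:-uami-logicapp-trigger}"                    # placeholder
ROLE_NAME="Logic App Event Grid Trigger (least privilege)"

# Writes the custom role definition JSON to the path given as $1. Only the two
# actions are granted and the role can be assigned only inside the resource group.
write_role_definition() {
  local out="$1"
  cat > "$out" <<EOF
{
  "Name": "$ROLE_NAME",
  "IsCustom": true,
  "Description": "Create/update Event Grid subscriptions and run Logic App triggers.",
  "Actions": [
    "Microsoft.EventGrid/eventSubscriptions/write",
    "Microsoft.Logic/workflows/triggers/run/action"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP"
  ]
}
EOF
}

# Sanity check: number of granted actions in the file (expect exactly 2, no wildcards).
count_actions() {
  grep -c '^    "Microsoft\.' "$1"
}

# Creates the role and assigns it to the identity's service principal.
# Needs a logged-in Azure CLI session; not run automatically.
create_and_assign() {
  local def="$1"
  az role definition create --role-definition "@$def"
  local principal_id
  principal_id=$(az identity show --resource-group "$RESOURCE_GROUP" --name "$IDENTITY_NAME" --query principalId -o tsv)
  az role assignment create --assignee-object-id "$principal_id" --assignee-principal-type ServicePrincipal \
    --role "$ROLE_NAME" --scope "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP"
}
```

If the single-tenant (Standard) SKU is in use, the Microsoft.Web/sites/hostruntime/host/action entry mentioned in the first answer would be added to the same Actions list rather than granting Website Contributor wholesale.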