Unauthorized error send message from function app to eventgrid with Role Based Access for Event Grid

Time:11-29

I have a function app with a function that sends messages to Event Grid. A function in this same function app is subscribed to this Event Grid topic. I get an unauthorized error when sending a message despite the function app having role based access set for Event Grid Send.

I have set the function app Identity to System Assigned ON:


I also set the function app Assigned Role to Event Grid Sender at Subscription level (within which the event grid topic also sits):


The event grid sender role assigned is confirmed at IAM Role Assignments of the Event Grid Topic:


When I execute the function app to send data to Event Grid I get an unauthorized error:

// Requires: using Azure; using Azure.Identity; using Azure.Messaging.EventGrid;
// Name of the endpoint of the Event Grid topic
string topicEndpoint = transformAlgoSendRMessage_TopicEP;
// Creating a client to publish events to the Event Grid topic, authenticating with the function app's identity
EventGridPublisherClient client = new EventGridPublisherClient(new Uri(topicEndpoint), new DefaultAzureCredential());
// Creating a sample event with Subject, EventType, DataVersion and data
EventGridEvent egEvent = new EventGridEvent("TransformTelemetry", "TransformAlgorithm.broadcastTransform", "1.0", machinePartTransformTelemetry);
// Send the event
try
{
    await client.SendEventAsync(egEvent);
    if (b_debug_contractor)
        log.LogInformation("SendRTransformMessage sent transformdata - PosX:" + machinePartTransformTelemetry[1]);
}
catch (Exception e)
{
    log.LogError("Failed to send SendRTransformMessage. " + e.Message);
}

Unauthorized Error:

[2022-11-25T08:00:45.646Z] Failed to send SendRTransformMessage. The principal associated with access token presented with the incoming request does not have permission to send data to /subscriptions/MySubscriptionID/resourceGroups/myresourcegroup/providers/Microsoft.EventGrid/topics/functionappname. Report 'e9595a36-8420-4466-b91a-801fbfcf605d:4:11/25/2022 8:00:48 AM (UTC)' to our forums for assistance or raise a support ticket.
[2022-11-25T08:00:45.646Z] Status: 401 (The principal associated with access token presented with the incoming request does not have permission to send data to /subscriptions/mySubscriptionID/resourceGroups/myresourcegroup/providers/Microsoft.EventGrid/topics/myfunctionappname. Report 'e9595a36-8420-4466-b91a-801fbfcf605d:4:11/25/2022 8:00:48 AM (UTC)' to our forums for assistance or raise a support ticket.)
[2022-11-25T08:00:45.647Z] ErrorCode: Unauthorized
[2022-11-25T08:00:45.647Z]
[2022-11-25T08:00:45.647Z] Content:
[2022-11-25T08:00:45.648Z] {
[2022-11-25T08:00:45.648Z]     "error": {
[2022-11-25T08:00:45.649Z]         "code": "Unauthorized",
[2022-11-25T08:00:45.649Z]         "message": "The principal associated with access token presented with the incoming request does not have permission to send data to /subscriptions/mySubscriptionID/resourceGroups/myresourcegroup/providers/Microsoft.EventGrid/topics/myfunctionappname. Report 'e9595a36-8420-4466-b91a-801fbfcf605d:4:11/25/2022 8:00:48 AM (UTC)' to our forums for assistance or raise a support ticket.",
[2022-11-25T08:00:45.650Z]         "details": [{
[2022-11-25T08:00:45.650Z]             "code": "Unauthorized",
[2022-11-25T08:00:45.650Z]             "message": "The principal associated with access token presented with the incoming request does not have permission to send data to /subscriptions/mySubscriptionID/resourceGroups/myresourcegroup/providers/Microsoft.EventGrid/topics/myfunctionappname. Report 'e9595a36-8420-4466-b91a-801fbfcf605d:4:11/25/2022 8:00:48 AM (UTC)' to our forums for assistance or raise a support ticket."

I note I tried with key credentials but Azure would not recognize the key.

CodePudding user response:

I tried to reproduce the same in my environment and got the below results.

I created one function app and enabled system assigned identity as below:


Add a role assignment to the Event Grid topic like below: go to Azure Portal -> Event Grid Topics -> Your Topic -> Access control (IAM)


The 401 Unauthorized error may occur if you selected a service principal instead of a managed identity, where 'Type' is App rather than Function App, while assigning the role, like below:


To resolve the error, make sure to select Managed Identity as Function App while assigning the role to the Event Grid topic, like below:


Select Review + assign to assign the role as below:


The role EventGrid Data Sender got assigned successfully to the Event Grid topic, like below:


This will automatically be reflected in the function app too, and there is no need to assign this role separately to the function app identity.

To confirm that, go to Azure Portal -> Your Function App -> Identity -> Azure role assignments


Now restart the function app and execute the function again. If the issue still persists, raise a support ticket.

Reference: Send Events To Event Grid Topic Using Managed Service Identity by Rittik Basu
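An added diagnostic variant of the send code (example written for this page, not code from the question or the answer; the class and method names are my own): on a 401 it asks the same DefaultAzureCredential for an Event Grid token and logs the token's oid and appid claims, so the principal that actually presented the token can be compared with the function app's identity principalId and with the object the EventGrid Data Sender assignment on the topic targets.

```csharp
using System;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Messaging.EventGrid;
using Microsoft.Extensions.Logging;
// Hypothetical helper (not from the question or answer): send one event and, on a 401,
// report which principal the presented token belongs to.
public static class EventGridSendDiagnostics
{
    // Data-plane scope Event Grid expects as the token audience.
    private const string EventGridScope = "https://eventgrid.azure.net/.default";
    public static async Task SendWithIdentityCheckAsync(
        Uri topicEndpoint, EventGridEvent egEvent, ILogger log)
    {
        var credential = new DefaultAzureCredential();
        var client = new EventGridPublisherClient(topicEndpoint, credential);
        try
        {
            await client.SendEventAsync(egEvent);
        }
        catch (RequestFailedException ex) when (ex.Status == 401)
        {
            // Same credential chain the client used, so this token carries the same identity.
            AccessToken token = await credential.GetTokenAsync(
                new TokenRequestContext(new[] { EventGridScope }), default);
            using JsonDocument claims = DecodeJwtPayload(token.Token);
            JsonElement root = claims.RootElement;
            // For a system-assigned identity, oid equals the principalId shown on the function
            // app's Identity blade; the EventGrid Data Sender assignment must target that object.
            log.LogError("Event Grid returned 401. Token oid={Oid} appid={AppId} idtyp={IdTyp}",
                Claim(root, "oid"), Claim(root, "appid"), Claim(root, "idtyp"));
            throw;
        }
    }
    private static string Claim(JsonElement root, string name) =>
        root.TryGetProperty(name, out JsonElement v) ? v.ToString() : "<absent>";
    // Reads the JWT payload (second base64url segment) without validating the signature;
    // this only inspects our own token's claims and authenticates nothing.
    private static JsonDocument DecodeJwtPayload(string jwt)
    {
        string b64 = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        return JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(b64)));
    }
}
```

Outside Azure, for instance under Functions Core Tools, DefaultAzureCredential falls back to developer credentials (Azure CLI, Visual Studio), so the logged oid will be a developer identity rather than the function app's managed identity.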
