I have Azure Log Analytics and Azure Application Insights. I want to set certain tables in my Log Analytics to "Basic Logs" because that is cheaper. First I want to just check the settings for these tables.
I am trying to follow this article: https://docs.microsoft.com/en-us/azure/azure-monitor/logs/basic-logs-configure?tabs=api-2
The article tells me to get a bearer token by following this other article: https://social.technet.microsoft.com/wiki/contents/articles/51140.azure-rest-management-api-the-quickest-way-to-get-your-bearer-token.aspx
I extract a bearer token from the Azure Portal using the developer tools. It looks like this (a few hundred characters long): Bearer ey...A.
I then try to do this in PowerShell:
$BearerToken = "Bearer ey...A"
$uri = "https://management.azure.com/subscriptions/<subscriptionId>/resourcegroups/<resourceGroupName>/providers/Microsoft.OperationalInsights/workspaces/<workspaceName>/tables/<tableName>?api-version=2021-12-01-preview"
Invoke-WebRequest $uri -Headers @{Authorization = $BearerToken}
This gives me:
{"error":{"code":"InvalidAuthenticationToken","message":"The access token is invalid."}}
In my PowerShell session I am logged in as the same user as in the Portal (using az login).
Might it be a rights issue? I have "Owner" and "Contributor" access to the Log Analytics workspace.
What do I need to do to get through the authentication? Do I need any further headers or options on my Invoke-WebRequest call?
CodePudding user response:
The issue is probably because the audience of the token isn't set to management.azure.com, the resource you want to have access to.
If you try out this command:
az account get-access-token --resource=https://management.azure.com --query accessToken --output tsv
You'll end up with a token which looks like this:
{
"aud": "https://management.azure.com",
"iss": "https://sts.windows.net/[guid]/",
"iat": 1646746056,
"nbf": 1646746056,
"exp": 1646750582,
"acr": "1",
"aio":
You can copy the complete token to jwt.io/jwt.ms to see the values of all claims.
This token is meant for the management API, so will probably work.
CodePudding user response:
I figured out what I was doing wrong. I was copying the token from Firefox's developer tools, but the token displayed was truncated with a … character in the middle. That was just very difficult to spot.
The full token should be something like 5000 characters long.
In Firefox, in the place where Request Headers are displayed, select Raw and then right-click, select all and copy. That gives you the complete values.
Or use the command that Jan_V suggested in his answer:
az account get-access-token --resource=https://management.azure.com --query accessToken --output tsv
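
Both failure modes discussed in this thread (a display-truncated copy and a wrong `aud` claim) can be checked locally before the token is sent anywhere. The following is an added example, not code from the original posts: the function name `Test-ArmToken` is hypothetical, the sample tokens are constructed, and it only decodes the payload without verifying the signature.

```powershell
# Added example. Decodes the JWT payload locally; it does NOT verify the signature.
function Test-ArmToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        [string]$ExpectedAudience = 'https://management.azure.com'
    )
    $problems = @()
    $claims = $null
    $expires = $null
    $jwt = $Token -replace '^Bearer\s+', ''

    # A JWT is three base64url segments joined by dots; anything else means a damaged copy.
    if ($jwt -match '[^A-Za-z0-9_.-]') {
        $problems += 'characters outside base64url (display-truncated copy?)'
    }
    $parts = $jwt.Split('.')
    if ($parts.Count -ne 3) {
        $problems += "expected 3 segments, found $($parts.Count)"
    } else {
        # Convert base64url to standard base64 and restore the stripped padding.
        $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
        switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
        try {
            $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
            $claims = $json | ConvertFrom-Json -ErrorAction Stop
        } catch {
            $problems += 'payload is not base64url-encoded JSON'
        }
    }
    if ($claims) {
        if ("$($claims.aud)".TrimEnd('/') -ne $ExpectedAudience.TrimEnd('/')) {
            $problems += "aud is '$($claims.aud)', expected '$ExpectedAudience'"
        }
        $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
        if ($expires -lt [DateTimeOffset]::UtcNow) { $problems += "expired at $expires" }
    }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems; Audience = $claims.aud; Expires = $expires }
}

# Constructed sample tokens (not real credentials): one intact, one cut with an ellipsis.
$enc = { param($s) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
$payload = '{"aud":"https://management.azure.com","exp":' + [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds() + '}'
$good = 'Bearer ' + (& $enc '{"alg":"none"}') + '.' + (& $enc $payload) + '.c2ln'
$cut  = $good.Substring(0, 40) + [char]0x2026 + $good.Substring($good.Length - 10)

Test-ArmToken $good | Format-List
Test-ArmToken $cut  | Format-List
```

Pass the value you intend to put in the Authorization header as `-Token`; a non-empty `Problems` list explains why the token would be rejected.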