Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Missing permissions on Datacollection rules for Policy MI #815

Open
2 tasks done
sandorhofman opened this issue Jul 24, 2024 · 2 comments
Open
2 tasks done

Missing permissions on Datacollection rules for Policy MI #815

sandorhofman opened this issue Jul 24, 2024 · 2 comments
Assignees
@oZakari
Labels
Area: Policy 📝 Issues / PR's related to Policy

Comments

@sandorhofman
Copy link

What happened? Provide a clear and concise description of the bug, including deployment details.

I deployed ALZ-Bicep v0.18.0 with the default policy assignments. It created DCR's and a UMI in the management subscription. After deploying a VM in a Online subscription I get policy deployment errors.

The reason for this behaviour is that the DCR is in the platform management group while the policy assignment is on the landingzone management group. The managed identy from the landingzone group has no permissions for the datacollection rules in the management subscription. The same thing is happening for ChangeTracking and UMI assignments.

Please provide the correlation id associated with your error or bug.

c449650d-4e60-4919-a907-9db4811ac4a3

What was the expected outcome?

Creation of a DataCollectionRule Association between the Azure Monitor Agent and the DCR in the Management Subscription.

Relevant log output

The client 'app-id of policy MI' with object id '...' has permission to perform action 'Microsoft.Insights/dataCollectionRuleAssociations/write' on scope '/subscriptions/...onlinesubguid..../resourcegroups/vm-online/providers/Microsoft.Compute/virtualMachines/vm-online/providers/Microsoft.Insights/dataCollectionRuleAssociations/assoc-55mf2y3zlwzjc'; however, it does not have permission to perform action(s) 'Microsoft.Insights/dataCollectionRules/read' on the linked scope(s) '/subscriptions/...mgmt subscription.../resourceGroups/alz-mg-p-rg001/providers/Microsoft.Insights/dataCollectionRules/alz-ama-vmi-dcr' (respectively) or the linked scope(s) are invalid. (Code: LinkedAuthorizationFailed)

Check previous GitHub issues

  • I have searched the issues for this item and found no duplicate

Code of Conduct

  • I agree to follow this project's Code of Conduct
@jtracey93
Copy link
Collaborator

tagging @arjenhuitema for awareness and oversight on all things AMA.

Is there something missing from an RBAC role assignment perspective in ALZ Bicep @arjenhuitema that @oZakari can add?

@oZakari oZakari added the Area: Policy 📝 Issues / PR's related to Policy label Jul 25, 2024
@arjenhuitema
Copy link

It looks like the Managed Identity of the policy assignments within the Landing Zone scope lacks Reader and Managed Identity Operator permissions on the Platform, which are necessary to access the DCRs and assign the UAMI. I’ve put together a table that shows which permissions are needed for each policy assignment and shared that with @oZakari

@oZakari oZakari self-assigned this Aug 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@oZakari oZakari

Labels
Area: Policy 📝 Issues / PR's related to Policy
Projects
Azure Landing Zones - Bicep - Public Roadmap
Status: In Progress
Milestone
No milestone
Development

No branches or pull requests
4 participants
@arjenhuitema @oZakari @jtracey93 @sandorhofman