Is it possible to use a service principal to execute the az grafana backup command?

Question

I'm looking to automate the backup of AMG with the az grafana backup command. I get a permissions error when using a service principal but it is fine with a user with a grafana role. Is it possible to use a service principal to run this command?

Answer 1

Kev Leho, thank you for posting this question.

az grafana backup command can be used with Service principal as well - you just need to ensure that the permission required to perform this operation is assigned to this service principal. I performed a simple test and noticed the following error:

Message: The client 'CLIENT_ID' with object id 'OBJECT_ID' does not have authorization to perform action 'Microsoft.Dashboard/grafana/read' over scope '/subscriptions/RESOURCE_ID' or the scope is invalid. If access was recently granted, please refresh your credentials.

I reviewed the default Grafana roles available in AMG and they are listed here - Supported Grafana roles

However, none of these roles have the 'Microsoft.Dashboard/grafana/read' Action permission.

Therefore, I created a custom role by cloning "Grafana Viewer" role and also added 'Microsoft.Dashboard/grafana/read' action to this role. For other resource provider roles available, check Microsoft.Dashboard.

Assign your service principal to this new custom role. Once done, you would be able to run the backup command for AMG. If you are getting a different error (based on the resources you are exporting), you would have to add the action accordingly to this custom role.

Hope this helps.

If the answer did not help, please add more context/follow-up question for it, and we will help you out. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.