
Logic Apps managed identity deployed with DevOps bicep template gets error sending to Service Bus topic

Callum Fraser 1 Reputation point
2022-10-11T22:38:33.847+00:00

I've already created this on Stack Overflow but have been directed to raise it here.

I'm creating a logic app with managed identity to send a message to service bus using bicep.

My main.bicep runs four modules in sequence (using dependsOn) to do the following.

  • Set up Service Bus with system-assigned identity and create the target topic.
  • Create the API connection to the namespace endpoint.
  • Create the Logic App with system-assigned identity, referencing the Service Bus API connection and specifying the authentication as managed identity.
  • Assign the Service Bus Sender RBAC role on the topic.

Everything looks right when I view the deployment in the portal. However, I am encountering a 401 error in trying to send a message to the topic from the Logic App I have granted access to.

"status": 401, "message": "40100: Unauthorized : Unauthorized access for 'Send' operation on endpoint 'sb://[sb-name-redacted].servicebus.windows.net/[topic-name-redacted]'

Manually creating an API connection post-deployment via the logic app designer results in successful message delivery so I'm obviously doing something wrong.

It’s driving me absolutely crazy not being able to figure out where the issue is.

Below is the code from the modules being run. Can anyone help??

Service Bus module

//service bus
resource resource_servicebus 'Microsoft.ServiceBus/namespaces@2022-01-01-preview' = {
  name: servicebus
  location: location
  sku: {
    [removed for brevity]
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    [removed for brevity]
  }
}

//topics
resource resource_topic_recurlywebhook 'Microsoft.ServiceBus/namespaces/topics@2022-01-01-preview' = {
  parent: resource_servicebus
  name: topic_[redacted]
  location: location
  properties: {
    [removed for brevity]
  }
}

API Connections module

resource resource_connections_servicebus 'Microsoft.Web/connections@2018-07-01-preview' = {
  name: connections_servicebus
  location: location
  kind: 'V1'
  properties: {
    api: {
      id: connections_id_servicebus
    }
    displayName: connections_servicebus
    parameterValueSet: {
      name: 'managedIdentityAuth'
      values: {
        namespaceEndpoint: {
          value: 'sb://${servicebus}.servicebus.windows.net'
        }
      }
    }
  }
}

Logic Apps module

//api connections
resource resource_connections_servicebus 'Microsoft.Web/connections@2018-07-01-preview' existing = {
  name: connections_servicebus
}

//logic apps
resource resource_lapp_ae_[redacted] 'Microsoft.Logic/workflows@2019-05-01' = {
  name: lapp_ae_[redacted]
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    state: 'Enabled'
    definition: {
      '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#'
      contentVersion: '1.0.0.0'
      parameters: {
        '$connections': {
          defaultValue: {
          }
          type: 'Object'
        }
      }
      triggers: [removed for brevity]
      actions: {
        Response_200: [removed for brevity]
        Response_500: [removed for brevity]
        Send_message_to_[redacted]_topic: {
          runAfter: {
          }
          type: 'ApiConnection'
          inputs: {
            body: {
              ContentData: '@{base64(triggerBody())}'
              CorrelationId: '@{guid()}'
              Properties: '@triggerBody()'
            }
            host: {
              connection: {
                name: '@parameters(\'$connections\')[\'servicebus\'][\'connectionId\']'
              }
            }
            method: 'post'
            path: '/@{encodeURIComponent(encodeURIComponent(\'[redacted]\'))}/messages'
          }
        }
      }
      outputs: {
      }
    }
    parameters: {
      '$connections': {
        value: {
          servicebus: {
            connectionId: resource_connections_servicebus.id
            connectionName: resource_connections_servicebus.name
            connectionProperties: {
              authentication: {
                type: 'ManagedServiceIdentity'
              }
            }
            id: connections_id_servicebus
          }
        }
      }
    }
  }
}

///////////////////////////////// outputs ///////////////////////////////////////////////

output principalid_lapp_ae_[redacted] string = resource_lapp_ae_[redacted].identity.principalId

Service Bus Role Assignment module

//define roles to assign
var rbac_service_bus_data_sender = '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39'

//define apps to send to topics
param topic_[redacted]_access_list array = [
  principalid_lapp_ae_[redacted]
]

//////////////////////////// call resources to grant access to ////////////////////////////////

resource resource_servicebus 'Microsoft.ServiceBus/namespaces@2022-01-01-preview' existing = {
  name: servicebus
}

resource resource_topic_[redacted] 'Microsoft.ServiceBus/namespaces/topics@2022-01-01-preview' existing = {
  parent: resource_servicebus
  name: topic_[redacted]
}

//////////////////////////// make role assignments ////////////////////////////////

resource resource_topic_[redacted]_access_list 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalID in topic_[redacted]_access_list: {
  scope: resource_topic_[redacted]
  name: guid(resource_topic_[redacted].id, principalID, rbac_service_bus_data_sender)
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', rbac_service_bus_data_sender)
    principalId: principalID
    principalType: 'ServicePrincipal'
  }
}]
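As an added diagnostic example (not code from the question or the answer), the Python below models Azure RBAC scope inheritance to check whether the Logic App's identity actually holds the Azure Service Bus Data Sender role on the target topic, so a 40100 Unauthorized can be split into "assignment genuinely missing or at the wrong scope" versus "RBAC is fine, the cause is elsewhere". The subscription, resource group, namespace, topic and principal ids and the second role GUID are constructed placeholders; the assignment dicts reuse the key names of `az role assignment list` output.

```python
# Role definition GUID for Azure Service Bus Data Sender, as used in the bicep module above.
SERVICE_BUS_DATA_SENDER = "69a216fc-b8fb-44d8-bc22-1f3c2cd27a39"

# Constructed ARM resource ids (placeholders, not real resources).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-example"
NS = RG + "/providers/Microsoft.ServiceBus/namespaces/sb-example"
TOPIC = NS + "/topics/topic-example"
ROLE_DEFS = SUB + "/providers/Microsoft.Authorization/roleDefinitions/"
LAPP_PRINCIPAL = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"  # constructed Logic App identity objectId


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """RBAC inherits downward: an assignment covers a resource when its scope is the
    resource itself or an ancestor on the ARM id path. ARM ids are case-insensitive,
    and the comparison is done on '/' boundaries so that a namespace 'sb-example'
    never covers a topic under 'sb-example2'."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def sender_assignments(assignments, principal_id, topic_id):
    """Return the assignments that grant principal_id the Sender role on topic_id,
    either directly on the topic or inherited from namespace/resource group/subscription."""
    hits = []
    for asg in assignments:
        role_guid = asg["roleDefinitionId"].rsplit("/", 1)[-1].lower()
        if (asg["principalId"].lower() == principal_id.lower()
                and role_guid == SERVICE_BUS_DATA_SENDER
                and scope_covers(asg["scope"], topic_id)):
            hits.append(asg)
    return hits


def triage_401(assignments, principal_id, topic_id) -> str:
    """'rbac-missing' means fix the role assignment; 'rbac-ok' means the Sender role is
    effective on the topic and the 401 must come from something else (e.g. how the
    connection itself authenticates, as discussed in the answer to this question)."""
    return "rbac-ok" if sender_assignments(assignments, principal_id, topic_id) else "rbac-missing"


# Constructed sample: Sender granted at namespace scope (inherited by the topic), plus an
# unrelated role granted directly on the topic, which must not count as Sender access.
SAMPLE_ASSIGNMENTS = [
    {"principalId": LAPP_PRINCIPAL, "scope": NS, "roleDefinitionId": ROLE_DEFS + SERVICE_BUS_DATA_SENDER},
    {"principalId": LAPP_PRINCIPAL, "scope": TOPIC,
     "roleDefinitionId": ROLE_DEFS + "11111111-1111-1111-1111-111111111111"},  # placeholder for some other role
]
```

Feed it the real JSON from `az role assignment list --assignee <principalId> --all` and the topic's resource id to run the same check against a live subscription.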

1 answer

Callum Fraser 1 Reputation point
2022-10-13T21:15:08.71+00:00

I have been informed that managed identity authentication is not currently available for Logic App (Consumption) as I had configured it. It does however work with Logic App (Standard).
