Unable to send logs to Log Analytics workspace from Automation Runbooks

D Mallikarjuna Reddy 96 Reputation points

I am trying to write the logs back to a custom table in a Log Analytics workspace (Azure) using Automation Runbooks and I am getting the error below. The SPN has Contributor access, though.

HTTP Status Code: Forbidden
Error Message: The client 'xxxxx' with object id 'xxxx' does not have authorization to perform action 'Microsoft.OperationalInsights/workspaces/sharedKeys/action' over scope '/subscriptions/xxxxx/resourcegroups/crdopssbx-Mallik-Test/providers/Microsoft.OperationalInsights/workspaces/Test-ResourceChanges' or the scope is invalid. If access was recently granted, please refresh your credentials.
Request Id: xxxxxx
Timestamp (Utc):11/17/2022 07:15:40
The remote server returned an error: (403) Forbidden.


Accepted answer
  1. Alistair Ross 7,106 Reputation points Microsoft Employee

    Hello @D Mallikarjuna Reddy

    When calling Azure or any other application from a runbook, you need to ensure that it has an identity which has sufficient permissions to perform the required operations. In this case you are trying to perform the action "Microsoft.OperationalInsights/workspaces/sharedKeys/read", which is included in the built-in roles:

    The recommended identity to use for your runbook is a managed identity. This gives your automation account an identity which you can assign permissions to, without the need to manage secrets or credentials.

    Once you've set up the identity and assigned the permissions, then create your runbook, but ensure that it connects using the managed identity within the script and you will be good to go. https://learn.microsoft.com/en-us/azure/automation/learn/powershell-runbook-managed-identity

    I hope this helps provide you with the information you need. If it does, please make sure to mark the question as answered so it helps other people in future.

    Kind regards
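
As an added example (not code from the answer above or from the linked article), here is a runbook that follows the accepted answer's advice: it connects with the Automation account's managed identity, reads the workspace shared key (the sharedKeys call that produced the 403 in the question) and posts one record to a custom table through the HTTP Data Collector API. The resource group and workspace names are taken from the error message; the table name, record fields and function name are assumed, and the managed identity must hold a role on the workspace that includes that action (Log Analytics Contributor does), which is exactly the check the 403 failed.

```powershell
# Added example runbook (not the answer's code). Assumes the Az.Accounts and
# Az.OperationalInsights modules are imported into the Automation account and
# that the account has a system-assigned managed identity with a role that
# includes Microsoft.OperationalInsights/workspaces/sharedKeys/action.
Connect-AzAccount -Identity | Out-Null

$ResourceGroup = 'crdopssbx-Mallik-Test'   # names taken from the 403 message
$WorkspaceName = 'Test-ResourceChanges'
$LogType       = 'RunbookLogs'             # assumed table name; appears as RunbookLogs_CL

# This is the call that returns 403 when the identity lacks the sharedKeys action.
$ws   = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName
$keys = Get-AzOperationalInsightsWorkspaceSharedKey -ResourceGroupName $ResourceGroup -Name $WorkspaceName

function Send-LogAnalyticsRecord {
    param(
        [string]$WorkspaceId,   # workspace CustomerId (GUID)
        [string]$SharedKey,     # base64-encoded primary or secondary key
        [string]$LogType,
        [object]$Record
    )
    $body    = [Text.Encoding]::UTF8.GetBytes((ConvertTo-Json -InputObject @($Record) -Compress))
    $rfcDate = [DateTime]::UtcNow.ToString('r')
    # Canonical string the service expects: method, body length, content type, date header, resource
    $toSign  = "POST`n$($body.Length)`napplication/json`nx-ms-date:$rfcDate`n/api/logs"
    $hmac     = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Convert]::FromBase64String($SharedKey)
    $sig      = [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($toSign)))
    $headers = @{
        'Authorization'        = "SharedKey ${WorkspaceId}:${sig}"
        'Log-Type'             = $LogType
        'x-ms-date'            = $rfcDate
        'time-generated-field' = 'TimeGenerated'
    }
    $uri = "https://$WorkspaceId.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    Invoke-WebRequest -Uri $uri -Method Post -ContentType 'application/json' -Headers $headers -Body $body -UseBasicParsing
}

# Constructed sample record; field names become columns in the custom table.
$record = [pscustomobject]@{
    TimeGenerated = [DateTime]::UtcNow.ToString('o')
    RunbookName   = 'Write-ResourceChanges'
    Message       = 'Runbook completed'
}
$resp = Send-LogAnalyticsRecord -WorkspaceId $ws.CustomerId -SharedKey $keys.PrimarySharedKey -LogType $LogType -Record $record
Write-Output "Data Collector API returned HTTP $($resp.StatusCode)"   # 200 means the record was accepted
```

If the second cmdlet still returns 403 after the role assignment, the runbook is not running as the identity you granted, or the assignment has not propagated yet, as the error text itself notes.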

