unble to send logs to long analytics workspace from Automation Runbooks

Question

I am trying to write the logs back to custom table in Log Analytics Workspace-Azure using Automation Runbooks and getting the below error. SPN has contributor access though

Error:
HTTP Status Code: Forbidden
Error Message: The client 'xxxxx' with object id 'xxxx' does not have authorization to perform action 'Microsoft.OperationalInsights/workspaces/sharedKeys/action' over scope '/subscriptions/xxxxx/resourcegroups/crdopssbx-Mallik-Test/providers/Microsoft.OperationalInsights/workspaces/Test-ResourceChanges' or the scope is invalid. If access was recently granted, please refresh your credentials.
Request Id: xxxxxx
Timestamp (Utc):11/17/2022 07:15:40
The remote server returned an error: (403) Forbidden.

Answer 1

Hello @D Mallikarjuna Reddy

When calling Azure or any other application from a runbook, you need to ensure that it has an identity which has sufficient permissions to perform the required operations. In this case you are trying to perform the action "Microsoft.OperationalInsights/workspaces/sharedKeys/read" which is include in the built in roles:

• Log Analytics Contributor
• Monitoring Contributor

The recommended identity to use for your runbook is a managed identity. This gives your automation account an identity which you can assign permission to, without the need to managed secrets or credentials.

Once you've set up the identity and assigned the permissions, then create your runbook, but ensure that it connects using the managed identity within the script and you will be good to go. https://learn.microsoft.com/en-us/azure/automation/learn/powershell-runbook-managed-identity

I hope this helps provide you with the information you need. If it does, please make sure to mark the question as answered so it helps other people in future.

Kind regards

Alistair