Unauthorized error send message from function app to eventgrid with Role Based Access for Event Grid Send

Question

Unauthorized error send message from function app to eventgrid with Role Based Access for Event Grid Send

Sergio Solorzano 26

I have a function app with a function that sends message to event grid. A function in this same function app is subscribed to this event grid topic. I get unauthorized access to send message despite function app has set role based access for Event Grid Send.

I have set the function app Identity to System Assigned ON:

I also set the function app Assigned Role to Event Grid Sender at Subscription level (within which the event grid topic also sits):

The event grid sender role assigned is confirmed at IAM Role Assignments of the Event Grid Topic:

When I execute the function app to send data to event grid I get unauthorized error:

//Name of the endpoint of Event grid topic  
        string topicEndpoint = transformAlgoSendRMessage_TopicEP;  
        //Creating client to publish events to eventgrid topic  
        EventGridPublisherClient client = new EventGridPublisherClient(new Uri(topicEndpoint), new DefaultAzureCredential());  
        //Creating a sample event with Subject, Eventtype, dataVersion and data  
        EventGridEvent egEvent = new EventGridEvent("TransformTelemetry", "TransformAlgorithm.broadcastTransform", "1.0", machinePartTransformTelemetry);  
        // Send the event  
          
        try  
        {  
            await client.SendEventAsync(egEvent);  
            if (b_debug_contractor)  
                log.LogInformation("SendRTransformMessage sent transformdata - PosX:" + machinePartTransformTelemetry[1]);  
        }  
        catch (Exception e)  
        {  
            log.LogError("Failed to send SendRTransformMessage. " + e.Message);  
        }

Unauthorized Error:

[2022-11-25T08:00:45.646Z] Failed to send SendRTransformMessage. The principal associated with access token presented with the incoming request does not have permission to send data to /subscriptions/MySubscriptionID/resourceGroups/myresourcegroup/providers/Microsoft.EventGrid/topics/functionappname. Report 'e9595a36-8420-4466-b91a-801fbfcf605d:4:11/25/2022 8:00:48 AM (UTC)' to our forums for assistance or raise a support ticket.  
[2022-11-25T08:00:45.646Z] Status: 401 (The principal associated with access token presented with the incoming request does not have permission to send data to /subscriptions/mySubscriptionID/resourceGroups/myresourcegroup/providers/Microsoft.EventGrid/topics/myfunctionappname. Report 'e9595a36-8420-4466-b91a-801fbfcf605d:4:11/25/2022 8:00:48 AM (UTC)' to our forums for assistance or raise a support ticket.)  
[2022-11-25T08:00:45.647Z] ErrorCode: Unauthorized  
[2022-11-25T08:00:45.647Z]  
[2022-11-25T08:00:45.647Z] Content:  
[2022-11-25T08:00:45.648Z] {  
[2022-11-25T08:00:45.648Z]     "error": {  
[2022-11-25T08:00:45.649Z]         "code": "Unauthorized",  
[2022-11-25T08:00:45.649Z]         "message": "The principal associated with access token presented with the incoming request does not have permission to send data to /subscriptions/mySubscriptionID/resourceGroups/myresourcegroup/providers/Microsoft.EventGrid/topics/myfunctionappname. Report 'e9595a36-8420-4466-b91a-801fbfcf605d:4:11/25/2022 8:00:48 AM (UTC)' to our forums for assistance or raise a support ticket.",  
[2022-11-25T08:00:45.650Z]         "details": [{  
[2022-11-25T08:00:45.650Z]             "code": "Unauthorized",  
[2022-11-25T08:00:45.650Z]             "message": "The principal associated with access token presented with the incoming request does not have permission to send data to /subscriptions/mySubscriptionID/resourceGroups/myresourcegroup/providers/Microsoft.EventGrid/topics/myfunctionappname. Report 'e9595a36-8420-4466-b91a-801fbfcf605d:4:11/25/2022 8:00:48 AM (UTC)' to our forums for assistance or raise a support ticket."

I note I also tried with Grid Event topic key but received exception Key 1 doesn't exist.

MayankBargali-MSFT 70,906 Reputation points Moderator

2022-11-25T11:18:55.12+00:00

@Sergio Solorzano The code looks good but, on the configuration, can you please reconfirm EventGrid Data Sender permission is configured for the same function app where you are sending the events to event grid topic. Please also confirm the value of transformAlgoSendRMessage_TopicEP and whether the topic endpoint name and URL is correct: https://<<your_topic_name>>.<<topic_region>>.eventgrid.azure.net/api/events
Sergio Solorzano 26 Reputation points

2022-11-25T14:07:53.58+00:00

Hi @MayankBargali-MSFT thank you for your post. Both the function that sends the data to the event grid and the function subscribed to EventGrid Topic are in the same function app, so yes both have EventGrid Data Sender permission.
I have confirmed on local.settings.json and by debugging that transformAlgoSendRMessage_TopicEP URL is correct.

1 answer

Your answer

MayankBargali-MSFT 70,906 Reputation points Moderator

2022-11-25T11:18:55.12+00:00

@Sergio Solorzano The code looks good but, on the configuration, can you please reconfirm EventGrid Data Sender permission is configured for the same function app where you are sending the events to event grid topic. Please also confirm the value of transformAlgoSendRMessage_TopicEP and whether the topic endpoint name and URL is correct: https://<<your_topic_name>>.<<topic_region>>.eventgrid.azure.net/api/events
Sergio Solorzano 26 Reputation points

2022-11-25T14:07:53.58+00:00

Hi @MayankBargali-MSFT thank you for your post. Both the function that sends the data to the event grid and the function subscribed to EventGrid Topic are in the same function app, so yes both have EventGrid Data Sender permission.
I have confirmed on local.settings.json and by debugging that transformAlgoSendRMessage_TopicEP URL is correct.

Answer 1

Sergio Solorzano 26

In case it helps anyone, this was resolved see here.

Share via

Unauthorized error send message from function app to eventgrid with Role Based Access for Event Grid Send

1 answer

Your answer