How to subscribe a system topic to an Event Hub located in a different subscription in the same tenant

Charly R A I (CM) 0 Reputation points
2023-08-09T07:04:58.52+00:00

Hi Team,

I am working on system topic integration to Event Hub. I am using the following commands to achieve this, but I am getting an error.

The following actions were performed:

  1. Service principal created
  2. RBAC created and assigned to the source subscription (system topic) and the destination subscription (Event Hub)
  3.  az login --service-principal -u "xxxx" -p "xxxx" --tenant "xxx" --allow-no-subscriptions -o none (No Error)
  4.  az account set --subscription xxxx (Selecting my source subscription and no error)
  5.  az eventgrid system-topic create --name cloudioresourcehealthSystemTopic --resource-group sourcerg-rg --source /subscriptions/xxx --topic-type microsoft.resourcenotifications.healthresources --location Global (Creating Systemtopic on my source subscription and no error)
  6. az eventgrid system-topic event-subscription create --endpoint /subscriptions/xxxx/resourceGroups/destinationrg/providers/Microsoft.EventHub/namespaces/CloudIO-Ns/eventhubs/cloudio-001 --endpoint-type eventhub --name cloudioeventsubscription --resource-group cloudio-resource-health-notification-rg --system-topic-name cloudioresourcehealthSystemTopic (Trying to subscribe the system topic events to my centralised Event Hub, which is located in a different subscription but in the same tenant.) The service principal has proper RBAC to both subscriptions.

Error:

Code: LinkedAuthorizationFailed

Message: The client 'xxx' with object id 'xxx' has permission to perform action 'Microsoft.EventGrid/systemTopics/eventSubscriptions/write' on scope '/subscriptions/xxxx/resourceGroups/source-rg/providers/Microsoft.EventGrid/systemTopics/cloudioresourcehealthSystemTopic/eventSubscriptions/cloudioeventsubscription'; however, it does not have permission to perform action 'write' on the linked scope(s) '/subscriptions/xxxx/resourceGroups/destination-RG/providers/Microsoft.EventHub/namespaces/CloudIO-Ns/eventhubs/cloudio-001' or the linked scope(s) are invalid

But this service principal has permissions in both subscriptions.


1 answer

  1. Limitless Technology 44,691 Reputation points
    2023-08-10T13:22:42.27+00:00

    Hello Charly,

    Thank you for your question and for reaching out with your question today.

    The error you're seeing (LinkedAuthorizationFailed) indicates that while your service principal has the necessary permissions to create the event subscription on the system topic, it doesn't have the required permissions to perform write operations on the linked scope, which in this case is the event hub in your destination subscription.

    You can check the following to resolve this:

    Verify that the service principal has the appropriate RBAC permissions in both the source and destination subscriptions.

    Ensure that the service principal's permissions are granted at the correct scope.

    Retry Permissions

    Ensure that you are logged in using the correct service principal and subscription context when executing the CLI commands.

    Check for typos in the subscription IDs, resource group names, namespaces or other parameters.

    If the reply was helpful, please don’t forget to upvote or accept as answer.

    Best regards.

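The answer's advice to check the permissions "at the correct scope" can be made concrete: the LinkedAuthorizationFailed message names the exact linked scope the write check failed on, and that scope belongs to the destination subscription, so the role assignments have to be inspected there. The script below is an added example, not part of the thread or of the az CLI itself; it parses a constructed copy of the error text (subscription ids aaaa/bbbb and <sp-app-id> are placeholders) and prints the az commands that list what the service principal actually holds at that scope.

```shell
#!/bin/sh
# Added example (not from the thread): pull the linked scope out of a
# LinkedAuthorizationFailed message and print the az CLI checks for it.
# The error text is constructed from the thread; ids are placeholders.

SAMPLE_ERROR="The client 'xxx' with object id 'xxx' has permission to perform action 'Microsoft.EventGrid/systemTopics/eventSubscriptions/write' on scope '/subscriptions/aaaa/resourceGroups/source-rg/providers/Microsoft.EventGrid/systemTopics/cloudioresourcehealthSystemTopic/eventSubscriptions/cloudioeventsubscription'; however, it does not have permission to perform action 'write' on the linked scope(s) '/subscriptions/bbbb/resourceGroups/destination-RG/providers/Microsoft.EventHub/namespaces/CloudIO-Ns/eventhubs/cloudio-001' or the linked scope(s) are invalid"

# First quoted scope: where the caller IS authorized (the system topic side).
primary_scope_from_error() {
  printf '%s\n' "$1" | sed -n "s/.*on scope '\([^']*\)'; however.*/\1/p"
}

# Quoted linked scope: where the caller is NOT authorized (the event hub side).
linked_scope_from_error() {
  printf '%s\n' "$1" | sed -n "s/.*linked scope(s) '\([^']*\)'.*/\1/p"
}

# Subscription id component of an ARM resource id.
subscription_of() {
  printf '%s\n' "$1" | sed -n 's#^/subscriptions/\([^/]*\)/.*#\1#p'
}

# Print (do not run) the az commands that show the role assignments in effect
# at the linked scope, inherited ones included, in the subscription owning it.
check_commands() {
  scope="$1"; app_id="$2"
  sub=$(subscription_of "$scope")
  printf 'az account set --subscription %s\n' "$sub"
  printf 'az role assignment list --assignee %s --scope "%s" --include-inherited --query "[].{role:roleDefinitionName,scope:scope}" -o table\n' "$app_id" "$scope"
}

main() {
  linked=$(linked_scope_from_error "$SAMPLE_ERROR")
  primary=$(primary_scope_from_error "$SAMPLE_ERROR")
  if [ "$(subscription_of "$primary")" != "$(subscription_of "$linked")" ]; then
    echo "Cross-subscription link: the write check is evaluated in subscription $(subscription_of "$linked")"
  fi
  check_commands "$linked" "<sp-app-id>"
}
main
```

If the listed roles at the event hub scope are read-only (for example Reader) or the list is empty, the assignment the question describes was made at a scope or subscription that does not cover the linked resource, which is exactly what the error reports.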