question

bombbe asked bombbe answered

The remote server returned an error: (403) Forbidden when installing extension to Azure VM

Hi,
I'm using the following lines in my Azure Runbook to enable diagnostic settings for an Azure VM:

 if ($vm.StorageProfile.OsDisk.OsType -eq 'Windows' -and $vmStatus -match 'VM running')
 {
     $extensions = Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name -Name 'Microsoft.Insights.VMDiagnosticsSettings' -ErrorAction SilentlyContinue
     # Make sure the extension is not already installed before attempting to install it
     if (-not $extensions)
     {
         Write-Output "Adding Windows Azure Diagnostics extension to configure VM: $($vm.Name)"
         $result = set-AzVMDiagnosticsExtension -ResourceGroupName $vm.ResourceGroupName `
             -VMName $vm.Name `
             -DiagnosticsConfigurationPath "$sastoken" `
             -StorageAccountName "nameofstoageaccount" `
             -StorageAccountKey "$StorageAccountKey"
     }
     else
     {
         Write-Output "Skipping VM - Azure Diagnostics Extension already installed"
     }
 }

$StorageAccountKey, $sastoken and $vm are configured at the top of the script and those are working.

When running the following lines I will get the error "The remote server returned an error: (403) Forbidden."

More detailed error:

  set-AzVMDiagnosticsExtension : The remote server returned an error: (403) Forbidden.
  At line:377 char:20
  + ... $result = set-AzVMDiagnosticsExtension -ResourceGroupName $vm.Resou ...
  +               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo          : CloseError: (:) [Set-AzVMDiagnosticsExtension], WebException
      + FullyQualifiedErrorId : Microsoft.Azure.Commands.Compute.SetAzureRmVMDiagnosticsExtensionCommand

I have enabled access to storage in the NSG with Service tags, and in the storage account I have enabled "allow access for all networks". I tested from the VM side that I was able to Test-NetConnection to the storage account URLs.

It seems that somehow the Runbook is not able to enable that extension, but I really can't find out why or what I should try next. Afterwards I copy-pasted (CTRL C + V) the script to PowerShell and was able to get it working, so there should be neither syntax nor variable errors.

azure-automation

@bombbe Thanks for reaching out and providing the script that you are using. From the information provided, I could see that the parameters you are passing for Set-AzVMDiagnosticsExtension are incorrect. The "Set-AzVMDiagnosticsExtension" command uses a diagnostics configuration file to enable diagnostics. Instead of passing the configuration file path, you are providing the sasToken of the storage account. Kindly check and revert if you have further questions.

bombbe SwathiDhanwada-MSFT ·

Hi,
my configuration file to enable diagnostics is stored in a storage account which is in a different subscription than my VM. On top of that, the storage account where I send data is not located in the same subscription as the VM.

So what kind of format should I use in $DiagnosticsConfigurationPath if my configuration file is stored in a storage account which is in a different subscription than my VM?

Currently my $SASToken would print something like this = https://StorageAccountName.blob.core.windows.net/vm/DiagnosticsPubConfig.xml?sv=2019-07-07&sr=b&sig=YOCcIDNrYpvQ4%2BfJim5IGDPopfjTN%2BCwxxujVEcwObc%3D&st=2021-03-16T15%3B54%3A13Z&se=2021-03-17T17%3A54%3A13Z&sp=r

So at least there is a "path" to the configuration file (https://StorageAccountName.blob.core.windows.net/vm/DiagnosticsPubConfig.xm) at the start of $SASToken






And this is where I found this / took the idea of how it could be done (I have gotten it to work from PowerShell -> to a VM in Azure, but not from the Runbook):

azure-runbook-enable-guest-level-diagnostics



@bombbe Have you tried to check if the file is accessible from the automation account? And also check what value is being passed to the PowerShell command?

You can test it with the steps below. Also check the type of the value that is being passed, whether it is a string or not.

 $a = Invoke-WebRequest $SasToken
 $b = $a.content
 write-output $b




1 Answer

bombbe answered

Problem "solved" with comments in this thread.
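
One way to run the accessibility check suggested in the comments and then hand Set-AzVMDiagnosticsExtension a local file path instead of the SAS URL, as an added example that is not part of the original thread. Test-SasUrl and Save-DiagnosticsConfig are hypothetical helper names, the sample URL is constructed, and a writable $env:TEMP in the runbook sandbox is an assumption.

```powershell
# Added example. Test-SasUrl and Save-DiagnosticsConfig are hypothetical helper names.
function Test-SasUrl {
    param([Parameter(Mandatory)][string]$SasUrl, [datetime]$Now = [datetime]::UtcNow)
    $Now = $Now.ToUniversalTime()
    # Split the query string into name/value pairs; values are URL-decoded.
    $q = @{}
    foreach ($pair in (([uri]$SasUrl).Query.TrimStart('?') -split '&')) {
        $k, $v = $pair -split '=', 2
        $q[$k] = [uri]::UnescapeDataString($v)
    }
    $inv = [cultureinfo]::InvariantCulture
    $utc = [System.Globalization.DateTimeStyles]::AdjustToUniversal
    $problems = @()
    $times = @{}
    foreach ($name in 'st', 'se') {
        if (-not $q.ContainsKey($name)) { continue }
        $t = [datetime]::MinValue
        if ([datetime]::TryParse($q[$name], $inv, $utc, [ref]$t)) { $times[$name] = $t }
        else { $problems += "$name is not a valid timestamp: $($q[$name])" }
    }
    if ($times.ContainsKey('st') -and $Now -lt $times['st']) { $problems += 'SAS is not valid yet (st)' }
    if ($times.ContainsKey('se') -and $Now -ge $times['se']) { $problems += 'SAS has expired (se)' }
    if ("$($q['sp'])" -notmatch 'r') { $problems += 'SAS lacks read permission (sp)' }
    [pscustomobject]@{
        Redacted = $SasUrl -replace '(?<=sig=)[^&]+', 'REDACTED'   # safe to write to job logs
        Problems = $problems
    }
}

function Save-DiagnosticsConfig {
    param([Parameter(Mandatory)][string]$SasUrl)
    $check = Test-SasUrl -SasUrl $SasUrl
    Write-Verbose "Fetching $($check.Redacted)"   # never log the sig value itself
    if ($check.Problems) { throw "SAS URL rejected: $($check.Problems -join '; ')" }
    # Assumption: the runbook sandbox exposes a writable $env:TEMP.
    $path = Join-Path $env:TEMP 'DiagnosticsPubConfig.xml'
    Invoke-WebRequest -Uri $SasUrl -OutFile $path -UseBasicParsing
    $null = [xml](Get-Content -LiteralPath $path -Raw)   # throws if the download is not well-formed XML
    $path
}

# Constructed sample URL (account name and sig are placeholders), checked at a fixed time.
$sample = 'https://examplestorage.blob.core.windows.net/vm/DiagnosticsPubConfig.xml?sv=2019-07-07&sr=b&sig=PLACEHOLDER&st=2021-03-16T15%3A54%3A13Z&se=2021-03-17T17%3A54%3A13Z&sp=r'
(Test-SasUrl -SasUrl $sample -Now ([datetime]'2021-03-20T00:00:00Z')).Problems

# In the runbook, pass the downloaded file rather than the URL:
# $configPath = Save-DiagnosticsConfig -SasUrl $sastoken
# Set-AzVMDiagnosticsExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name `
#     -DiagnosticsConfigurationPath $configPath -StorageAccountName "nameofstoageaccount" `
#     -StorageAccountKey $StorageAccountKey
```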
