Azure Automation
An Azure service that is used to automate, configure, and install updates across hybrid environments.
1,111 questions
problem "solved" with comments in this thread.
The remote server returned an error: (403) Forbidden when installin extension to Azure VM
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 56.00000000000001%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
Bombbe
1,611
Reputation points
Hi,
I'm using following line in my Azure Runbook to enable diagnostic settings for Azure vm
if ($vm.StorageProfile.OsDisk.OsType -eq 'Windows' -and $vmStatus -match 'VM running')
{
$extensions = Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name -Name 'Microsoft.Insights.VMDiagnosticsSettings' -ErrorAction SilentlyContinue
#Make sure the extension is not already installed before attempting to install it
if (-not $extensions)
{
Write-Output "Adding Windows Azure Diagnostics extension to configure VM: $($vm.Name)"
$result = set-AzVMDiagnosticsExtension -ResourceGroupName $vm.ResourceGroupName `
-VMName $vm.Name `
-DiagnosticsConfigurationPath "$sastoken" `
-StorageAccountName "nameofstoageaccount" `
-StorageAccountKey "$StorageAccountKey"
}
else
{
Write-Output "Skipping VM - Azure Diagnostics Extension already installed"
}
$StorageAccountKey, $sastoken and $vm are configured top of script and those are working.
When running the following lines I will get Error "The remote server returned an error: (403) Forbidden."
More detailed error:
set-AzVMDiagnosticsExtension : The remote server returned an error: (403) Forbidden. At line:377 char:20 + ... $result = set-AzVMDiagnosticsExtension -ResourceGroupName $vm.Resou ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : CloseError: (:) [Set-AzVMDiagnosticsExtension], WebException + FullyQualifiedErrorId : Microsoft.Azure.Commands.Compute.SetAzureRmVMDiagnosticsExtensionCommand
I have enabled in nsg access to storage with Service tags and in storage account I have enabled "allow access for all networks". I tested from vm side that i was able to test-netconnection to storage account urls.
It seems somehow that Runbook would not able do to enable that extension but really can't find out why and what should I try next. After I CTRL C + V script to Powershell and was able to get it working so there should not neither be syntax or variable errors.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 39%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
SwathiDhanwada-MSFT 17,321 Reputation points2021-03-22T09:56:46.173+00:00 @Bombbe Thanks for reaching out and providing the script that you are using. From the information provided, I could see that the parameters you are passing for Set-AzVMDiagnosticsExtension is incorrect. "Set-AzVMDiagnosticsExtension" command uses a diagnostics configuration file to enable diagnostics. Instead of passing configuration file path, you are providing the sasToken of storage account. Kindly check and revert if you have further questions.
-
Bombbe 1,611 Reputation points
2021-03-23T14:22:10.753+00:00 Hi,
my configuration file to enable diagnostics is stored in storage account which is in different subscription that my vm. Top of that my the storage account where I send data is not located in same subscription than vm.So in what kinda format should I use in $DiagnosticsConfigurationPath if my configuration file is stored in storage account which is in different subscription that my vm?
Currently my my $SASToken would print something like this = https://StorageAccountName.blob.core.windows.net/vm/DiagnosticsPubConfig.xml?sv=2019-07-07&sr=b&sig=YOCcIDNrYpvQ4%2BfJim5IGDPopfjTN%2BCwxxujVEcwObc%3D&st=2021-03-16T15%3B54%3A13Z&se=2021-03-17T17%3A54%3A13Z&sp=r
So that least there are "path" to configuration file (https://StorageAccountName.blob.core.windows.net/vm/DiagnosticsPubConfig.xm) in the start of $SASToken
-
Bombbe 1,611 Reputation points
2021-03-23T14:43:02.09+00:00 And this is where I found this / took idea how it could be done ( I have gotten it work from Powershell -> to Vm in Azure but not from Runbook
-
SwathiDhanwada-MSFT 17,321 Reputation points
2021-03-25T12:52:48.62+00:00 @Bombbe Have you tried to check if the file is accessible from automation account? And also check what value is being passed to the PowerShell command ?
You can test it with below steps. Also check type of the value that is being passed whether it is string or not.
$a = Invoke-WebRequest $SasToken $b = $a.content write-output $b -
SwathiDhanwada-MSFT 17,321 Reputation points
2021-03-31T12:15:56.007+00:00 @Bombbe Did you get chance to check my previous comment ? Kindly revert if you are still facing the issue.
-
Bombbe 1,611 Reputation points
2021-03-31T12:25:14.147+00:00 Automation account has not access to the file in storage account because of firewall rules. We have solve them somehow. Automation account is not listed as "trusted microsoft service" and whitelisting automation account ip's are kinda impossible in storage account firewall.
-
SwathiDhanwada-MSFT 17,321 Reputation points
2021-03-31T12:47:08.293+00:00 @Bombbe Microsoft has released Azure Automation Private Link feature. Kindly note that Automation account cloud jobs cannot access Azure resources that are secured using private endpoint, such as a Storage Account. However, you can use a Hybrid Worker Group in Azure Automation and grant access to the IP address in storage account.
-
SwathiDhanwada-MSFT 17,321 Reputation points
2021-04-05T05:39:08.79+00:00 @Bombbe Did you get chance to review previous comments ? Kindly let me know if you have further questions.
-
SwathiDhanwada-MSFT 17,321 Reputation points
2021-04-06T06:55:08.39+00:00 @Bombbe Hope the information shared is helpful for you. Feel free to revert if you have any questions.
Sign in to comment