Forbidden to trigger Logic App workflow via HTTP request

Question

Hi,
I am having troubles allowing our client id to trigger LA run. Not sure how to add the missing permissions.
Listing runs history via API works just fine with our API credentials but triggering new run gets Forbidden error:

The client '...' with object id '...' does not have authorization to perform action 'Microsoft.Logic/workflows/triggers/run/action' over scope '/subscriptions/{my_subscription_id}/resourceGroups/{my_resource_group}/providers/Microsoft.Logic/workflows/{my_workflow}/triggers/manual'

Some details are in the following thread https://github.com/Azure/azure-sdk-for-python/pull/12535#issuecomment-658109542

Any suggestions how to resolve it?

Answer 1

Access to Azure Resources and Actions is controlled via Azure RBAC. The application whose Client ID you are using doesn't have the required permissions based on the error. Since its able to access run history, it probably is assigned the Logic App Operator role, which doesn't include the required Microsoft.Logic/workflows/triggers/run/action permission.

With this being the case, your option would be to either assign it the Logic App Contributor role which grants it a lot many more permissions or create a custom role that includes the required Microsoft.Logic permissions.