Cannot create event grid subscription - internal error

Jesper Stocholm 1 Reputation point
2021-12-07T10:38:59.817+00:00

I am following the guide at https://devblogs.microsoft.com/devops/introducing-azure-devops-audit-stream/ to set up an Event grid for auditing in Azure DevOps. However - when the Event Grid Subscription is deployed, an error is reported.

Deployment has failed with the following error: {"code":"Internal error","message":"The operation failed due to an internal server error. The initial state of the impacted resources (if any) are restored. Please try again in few minutes.

I have tried multiple times over a few days and even had our Azure admin (with GA permissions) do the same thing. The portal still reports an error.

The error encourages me to report these key points to this forum.

f9e31068-6830-4d9d-981a-0c463f98db30:12/7/2021 10:24:33 AM (UTC)

Please help :-)


1 answer

  1. MayankBargali-MSFT 70,936 Reputation points Moderator
    2021-12-16T06:09:18.403+00:00

    @Jesper Stocholm Apologies for the delay. I have looked into the backend logs: the assigned permission does not have the send-message access, so the Event Grid creation fails. You need to assign the Storage Queue Data Message Sender permission. As per the blog article, I see the role assigned is Storage Queue Data Contributor, which does not have the send-message permission on the queue.
    There was a recent change to validate the permission on the destination endpoint, and I will reach out to the author of the blog to update it to reflect the right permission.

    @Aleksandr Komarov You need to update the permission to Storage Queue Data Message Sender now. If you are using an ARM template, then you need to add the below section to your existing template to assign the managed identity of the topic/domain/system topic to the destination resource.

    {
        // Role assignment on the destination storage account for the Event Grid managed identity.
        // The roleDefinitionId variable must hold the resource id of the Storage Queue Data Message Sender role.
        "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
        "apiVersion": "2020-04-01-preview",
        "name": "[concat(variables('storageAccountName'), '/Microsoft.Authorization/', variables('uniqueRoleGuidStorageAccount'))]",
        "dependsOn": [
            "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentity'))]"
        ],
        "properties": {
            "roleDefinitionId": "[variables('storageQueueDataMessageSenderRoleId')]",
            "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentity')), '2018-11-30').principalId]",
            "scope": "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
            "principalType": "ServicePrincipal"
        }
    }


    Feel free to get back to me if you need any help.

    Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.

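The answer above turns on a detail that is easy to miss when reading role assignments: Storage Queue Data Contributor carries the `messages/read`, `messages/write` and `messages/delete` data actions but not `messages/add/action`, which is what enqueuing (and therefore Event Grid's destination validation) requires. The following Python is an added example, not code from this thread, from the blog post or from Microsoft. It evaluates a list of role assignments shaped like the `principalId` / `roleDefinitionName` / `scope` fields of `az role assignment list -o json` output against the built-in roles' data actions (transcribed from the Azure built-in roles reference) and reports whether the Event Grid identity can actually send to the destination queue, honouring scope inheritance and `*` wildcards. All subscription, resource and principal ids are constructed placeholders.

```python
"""Check whether a principal's Azure RBAC assignments let it enqueue messages on a storage queue.

Added example for the Q&A thread above; not Microsoft code. Resource and principal ids are
constructed placeholders, and the role tables are transcribed from the Azure built-in roles docs.
"""
from fnmatch import fnmatchcase

# Data-plane action exercised when a message is added to a queue (real Azure action name).
QUEUE_SEND_ACTION = "Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action"

# Data actions of the roles discussed in the answer. Control-plane actions are omitted because
# only dataActions matter for queue operations; "Contributor" shows that a "*" under actions
# grants nothing on the data plane.
BUILTIN_ROLES = {
    "Contributor": {"actions": ["*"], "dataActions": []},
    "Storage Queue Data Contributor": {
        "dataActions": [
            "Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete",
            "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
            "Microsoft.Storage/storageAccounts/queueServices/queues/messages/write",
        ],
    },
    "Storage Queue Data Message Sender": {"dataActions": [QUEUE_SEND_ACTION]},
}

# Constructed ids standing in for the audit-stream deployment.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
STORAGE_ACCOUNT_ID = SUB + "/resourceGroups/rg-devops-audit/providers/Microsoft.Storage/storageAccounts/stauditdemo"
QUEUE_ID = STORAGE_ACCOUNT_ID + "/queueServices/default/queues/auditevents"
EVENTGRID_PRINCIPAL = "11111111-1111-1111-1111-111111111111"  # object id of the Event Grid identity

# Assignments as the blog post creates them (constructed), plus two distractors:
# a Message Sender grant on an unrelated storage account, and a broad role on another principal.
BLOG_ASSIGNMENTS = [
    {"principalId": EVENTGRID_PRINCIPAL, "roleDefinitionName": "Storage Queue Data Contributor",
     "scope": STORAGE_ACCOUNT_ID},
    {"principalId": EVENTGRID_PRINCIPAL, "roleDefinitionName": "Storage Queue Data Message Sender",
     "scope": SUB + "/resourceGroups/rg-other/providers/Microsoft.Storage/storageAccounts/stother"},
    {"principalId": "22222222-2222-2222-2222-222222222222", "roleDefinitionName": "Contributor",
     "scope": SUB},
]
# The same list after applying the fix from the answer.
FIXED_ASSIGNMENTS = BLOG_ASSIGNMENTS + [
    {"principalId": EVENTGRID_PRINCIPAL, "roleDefinitionName": "Storage Queue Data Message Sender",
     "scope": STORAGE_ACCOUNT_ID},
]


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """Role assignments inherit downward: a grant on the subscription, resource group or
    storage account applies to every queue beneath it, but never to a sibling resource."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def role_grants(role: dict, action: str) -> bool:
    """Azure action strings are case-insensitive and may use '*' wildcards;
    notDataActions carve exclusions out of dataActions."""
    act = action.lower()
    allowed = any(fnmatchcase(act, p.lower()) for p in role.get("dataActions", []))
    denied = any(fnmatchcase(act, p.lower()) for p in role.get("notDataActions", []))
    return allowed and not denied


def roles_in_effect(assignments: list, principal_id: str, resource_id: str) -> list:
    """Names of the roles the principal holds at a scope that covers the resource."""
    return [a["roleDefinitionName"] for a in assignments
            if a["principalId"].lower() == principal_id.lower()
            and scope_covers(a["scope"], resource_id)]


def can_send_to_queue(assignments: list, principal_id: str, queue_id: str,
                      roles: dict = BUILTIN_ROLES) -> bool:
    return any(role_grants(roles[name], QUEUE_SEND_ACTION)
               for name in roles_in_effect(assignments, principal_id, queue_id) if name in roles)


def explain(assignments: list, principal_id: str, queue_id: str) -> str:
    held = roles_in_effect(assignments, principal_id, queue_id)
    if can_send_to_queue(assignments, principal_id, queue_id):
        return f"OK: {held} grant {QUEUE_SEND_ACTION}"
    return (f"FAIL: roles in effect {held} lack {QUEUE_SEND_ACTION}; "
            "assign 'Storage Queue Data Message Sender' on the queue or storage account")


if __name__ == "__main__":
    print("blog template :", explain(BLOG_ASSIGNMENTS, EVENTGRID_PRINCIPAL, QUEUE_ID))
    print("after the fix :", explain(FIXED_ASSIGNMENTS, EVENTGRID_PRINCIPAL, QUEUE_ID))
```

To run it against a real deployment, replace the constructed lists with the JSON from `az role assignment list --scope <storage-account-id> --include-inherited -o json` and the principal id of the Event Grid topic or system topic identity; the role table only needs extending if custom roles are in play.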
