Unable to view Logic App trigger 'Inputs' and 'Outputs' link
Question
Wednesday, August 23, 2017 9:35 AM
I'm trying to troubleshoot occasional trigger failures with a Logic App we have deployed.
The Logic App is triggered by the arrival of a file into an SFTP. These files trickle through every few minutes and every file received so far has processed through - so all the 'Runs' of the Logic App have been successful.
However, I have noticed a small number of errors in the 'Trigger History'; if I view the history item, the errors report a 'CODE' of either "NotFound", "ServiceUnavailable" or "429". I'm not concerned with the 429 errors as these happened when a large batch of files was dumped into the SFTP - but for the other 2 errors, I would like know more - my suspicion based on the 'CODE' messages are some kind of issue accessing the SFTP server.
When I was first experimenting with Logic Apps, I was able to click on the 'Inputs Link' and 'Outputs Link' on viewing a trigger history record, so see relevant information - but if I try to do so now, I receive an error message: (bits in bold changed by me)
{
"type": "MsPortalFx.Errors.AjaxError",
"baseTypes": [
"MsPortalFx.Errors.AjaxError",
"MsPortalFx.Errors.Error"
],
"extension": "Microsoft_Azure_EMA",
"errorLevel": 2,
"timestamp": 688199.0000000001,
"message": "ajaxExtended call failed",
"name": "Error",
"stack": null,
"innerErrors": [],
"jqXHR": {
"readyState": 4,
"responseText": "{\error\:{\code\:\AuthorizationFailed\,\message\:\You do not have permissions to perform action 'read' on scope '/triggers/my_trigger/histories/[tracking ID]/contents/TriggerInputs/'. Verify you are making the request with the appropriate HTTP method. See http://aka.ms/logic-trigger for details.\}}",
"responseJSON": {
"error": {
"code": "AuthorizationFailed",
"message": "You do not have permissions to perform action 'read' on scope '/triggers/my_trigger/histories/[trackingID]/contents/TriggerInputs/'. Verify you are making the request with the appropriate HTTP method. See http://aka.ms/logic-trigger for details."
}
},
"status": 401,
"statusText": "error"
},
"textStatus": "error",
"errorThrown": ""
}
I've tried adding my IP address to the 'IP Ranges for contents' section within the Logic App 'Access control configuration' but I get the same result.
I receive the same message for successfully completed triggers too - any ideas?
Thanks, Tim.
All replies (11)
Monday, October 9, 2017 8:07 AM âś…Answered
I raised a support ticket in the end, didn't realise we had a premier contract :)
Microsoft had an answer very quickly, and a very simple answer at that: there's a known bug with LogicApps whereby if you have a comma in the title of a step, you're unable to view the content of that step and receive the 'unauthorised' message I've been getting.
E.g. "My LogicApp step" is fine, but "My LogicApp step, with a comma" is not.
The fix for me is to remove the commas. Doesn't fix my FTP LogicApp trigger issues but makes life a lot easier!
Thursday, August 24, 2017 9:26 PM
Hi Timmy,
Is this logic app deployed on a resource group where you are resource group contributor, or at least Logic App Operator?
From the top of my head you need the following ACL permissions (at the Resource Group level) in order to manage Logic Apps:
- Reader - Give you read access to all resources under the Resource Group. Without that you can't access the resource group.
- Logic App Operator - Can view the logic app and run history, and enable/disable. Cannot edit or update the definition.
- Logic App Contributor - Provides access to view, edit, and update a logic app. Cannot remove the resource or perform admin operations.
If it is a new resource group/subscription, I suggest you look to see if you have the required permissions.
I hope this helps, Wagner.
Friday, August 25, 2017 7:22 AM
Hi Wagner,
Thanks for the reply - I don't think this is the issue unfortunately. We have 2 subscriptions, 1 for dev/test and 1 for production. I'm listed as a co-owner of both, so have access to do basically anything.
Friday, August 25, 2017 12:08 PM
Hi,
Look at the exception message that it is related to rights on the specific resource group or subscription .
* "message": "You do not have permissions to perform action 'read' on scope '/triggers/my_trigger/histories/[trackingID]/contents/TriggerInputs/'*.
Another option is to look at the sftp log files and see whether sftp is logging any information of the request coming in.
If this answers your question please mark it accordingly. If this post is helpful, please vote as helpful by clicking the upward arrow mark next to my reply
Monday, September 18, 2017 7:25 AM
Thanks for the suggestions Abhishek. I can't see this is a permissions issue (at least an obvious one anyway) as I am an 'owner' of the subscriptions - so I have full access to everything.
I've examined the FTP logs on the server - note the server is an Azure VM - but there is nothing obviously wrong logged in there and no record of the connection attempts.
The last 4 errors are:
Friday, September 15, 2017, 10:43:04 PM, Status: Failed, Code: BadRequest
Friday, September 15, 2017, 8:43:48 PM, Status: Failed, Code: 520
Friday, September 15, 2017, 8:41:47 PM, Status: Failed, Code: ServiceUnavailable
Friday, September 15, 2017, 3:31:35 AM, Status: Failed, Code: NotFound
These all seem a bit random to me!
Monday, September 18, 2017 9:28 AM
Hi Timmy,
All those seems to be more or less in the same time range - is there any chance the server was down during that period? It might explain the errors (as they range from not found to unknown error).
Still doesn't explain your original error - not having access to your own history... Did you manage to get over that btw?
Cheers, Wagner.
Tuesday, September 19, 2017 8:24 AM
Hi Wagner,
No the server was definitely up and running - there is nothing in the logs to suggest it had an issue, and the same server is also used for dev/test; I can see the dev/test accounts accessing the FTP at the same time without issue. Needs a bit more thought :)
Haven't solved the original issue - indeed it almost feels like it has got worse. In some cases when viewing a historical Logic App run, I am unable to actually see the details of an individual step let alone click into it to view inputs/outputs - the step displays the message: (e.g. for a SQL server, execute stored procedure step)
"Unauthorised. Your IP is not in the access IP range, or you don't have permission to access the action's content".
The IP in question has has access to anything I can think of that is relevant - as I say in the first post I've tried adding it to the 'IP Ranges for contents' for the logic app, but makes no difference.
Friday, September 22, 2017 11:25 PM
Hi,
I think you have IP restriction on your SFTP server .
Logic apps has specific IP address for inbound and outbound traffic . Validate Logic apps IP address is white listed within your SFTP server for specific zone under which your logic app is running .
/en-us/azure/logic-apps/logic-apps-limits-and-config
Hope this will resolve your issue
If this answers your question please mark it accordingly. If this post is helpful, please vote as helpful by clicking the upward arrow mark next to my reply
Friday, September 22, 2017 11:59 PM
Timmy,
I suggest you get in touch with the Product team using logicappsbug [at] microsoft [dot] com.
Cheers, Wagner.
Tuesday, October 3, 2017 7:29 AM
I don't think that's the issue Abhishek, but thanks for the suggestion. If it was an issue with LogicApp access, then every attempt would fail - as it is, we've only seen these trigger failures a handful of times and not once since I've posted this issue. The more important issue for me at the moment is being able to access the details of each LogicApp run through the portal, it makes debugging/fault investigation so much more simple.
Wagner: yes good idea, I'll send them an email and post back here if I get any meaningful update.
Saturday, December 8, 2018 2:33 AM
Thank you! I ran into the same problem just now, and this fixed it!!!