I'm trying to get read access to Azure Log Analytics from my app and did the following steps:
- Registered App under the “App registrations” in AD portal
- Added platform: Web; redirect URI: http://localhost/auth under the Authentication tab
- Requested and granted this App the API permission to read Log Analytics data (Log Analytics API / Data.Read / Type: Application / Status: Granted)

and then, using this code, I try to read:
```bash
SECRET="XXXXXXXXXXX"
CLIENT="e7207353-ee8d-4bcc-9580-bfaaf2c0da7e"
URI="http://localhost/auth"
RESOURCE="management.azure.com"
TARGET="https://$RESOURCE/subscriptions/XXXXXXX/resourceGroups/myRG01/providers/Microsoft.OperationalInsights/workspaces/law-01/api/query?api-version=1"

# (1) Obtain a token with the client-credentials grant (v1 endpoint, resource-based)
RESP=$(curl --silent -H "Content-Type: application/x-www-form-urlencoded" -X POST \
  -d "grant_type=client_credentials&client_id=${CLIENT}&resource=https://${RESOURCE}&client_secret=${SECRET}&redirect_uri=${URI}" \
  https://login.microsoftonline.com/...orgTenantID.../oauth2/token )
TOKEN=$(echo "$RESP" | jq -r .access_token)

# (2) Call the Log Analytics API with the bearer token and a KQL query
curl --silent -X POST \
  -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
  -d '{"query": "AzureActivity | limit 10"}' "$TARGET" | jq
```
but while I successfully obtain a token, I get 'AuthorizationFailed' when calling Log Analytics:

```json
{
  "error": {
    "code": "AuthorizationFailed",
    "message": "The client '02531282-409c-4752-8b10-4f995ceaac5d' with object id '02531282-409c-4752-8b10-4f995ceaac5d' does not have authorization to perform action 'microsoft.operationalinsights/workspaces/query/read' over scope '/subscriptions/XXXXXXX/resourceGroups/myRG01/providers/Microsoft.OperationalInsights/workspaces/law-01/api/query' or the scope is invalid. If access was recently granted, please refresh your credentials."
  }
}
```
Where can I be wrong? Access was granted a few days ago, so any delays in propagation have hopefully passed. Anyway, what can 'refresh your credentials' mean in this case? Anything else?

I appreciate your help. Thank you.
=== Post answer update === Use the API to access Log Analytics data as described here - https://learn.microsoft.com/en-us/azure/azure-monitor/logs/api/request-format - so the vars for the code above should be:

```bash
RESOURCE="api.loganalytics.io"
TARGET="https://$RESOURCE/v1/workspaces/...LAW_ID.../query"
```
You will need to grant your Service Principal (app registration) Azure RBAC rights on the Log Analytics workspace for it to be able to read the data; this is separate from any rights you may have granted through Azure AD.
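The two halves of the answer put together (the RBAC role on the workspace and a token minted for the Log Analytics API rather than ARM), as an added example that is not code from the question or the answer. It assumes the az CLI, curl and jq are installed and that the caller supplies the tenant id, client id, secret, resource group and workspace name; the sample token is constructed and unsigned, used only to exercise the audience check offline.

```shell
# Added example, not code from the question or the answer. Placeholders
# (tenant, client id, secret, resource group, workspace) come from the caller.
LA_RESOURCE="https://api.loganalytics.io"   # token audience and API host

# Client-credentials body: the resource is the Log Analytics API itself, so
# the token's "aud" claim matches the host it is sent to. No redirect_uri is
# needed for this grant.
la_token_body() {   # $1 = client id, $2 = client secret
    printf 'grant_type=client_credentials&client_id=%s&client_secret=%s&resource=%s' \
        "$1" "$2" "$LA_RESOURCE"
}

# Query URL takes the workspace customer ID (a GUID), not its ARM resource path.
la_query_url() {   # $1 = workspace customer id
    printf '%s/v1/workspaces/%s/query' "$LA_RESOURCE" "$1"
}

# Print one string claim from a JWT payload (no signature check; diagnostics only).
jwt_claim() {   # $1 = token, $2 = claim name
    payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    case $(( ${#payload} % 4 )) in 2) payload="$payload==";; 3) payload="$payload=";; esac
    printf '%s' "$payload" | base64 -d 2>/dev/null \
        | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Constructed, unsigned token so jwt_claim can be exercised offline.
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }
sample_token() {
    printf '%s.%s.' "$(printf '%s' '{"alg":"none"}' | b64url)" \
        "$(printf '%s' '{"aud":"https://api.loganalytics.io","appid":"e7207353-ee8d-4bcc-9580-bfaaf2c0da7e"}' | b64url)"
}

# The RBAC half: the service principal needs a role on the workspace (ARM scope),
# separate from the Data.Read API permission granted in the app registration.
grant_workspace_reader() {   # $1 = app (client) id, $2 = resource group, $3 = workspace name
    scope=$(az monitor log-analytics workspace show -g "$2" -n "$3" --query id -o tsv)
    az role assignment create --assignee "$1" --role "Log Analytics Reader" --scope "$scope"
}

# Mint a token, refuse to send it if the audience is wrong, then run the KQL query.
run_query() {   # $1 = tenant id, $2 = client id, $3 = secret, $4 = workspace customer id, $5 = KQL
    token=$(curl -s -X POST -d "$(la_token_body "$2" "$3")" \
        "https://login.microsoftonline.com/$1/oauth2/token" | jq -r .access_token)
    [ "$(jwt_claim "$token" aud)" = "$LA_RESOURCE" ] \
        || { echo "token audience is '$(jwt_claim "$token" aud)', expected $LA_RESOURCE" >&2; return 1; }
    curl -s -X POST -H "Authorization: Bearer $token" -H "Content-Type: application/json" \
        -d "{\"query\": \"$5\"}" "$(la_query_url "$4")"
}
```

Run grant_workspace_reader once with an identity that can assign roles on the workspace, then run_query with the workspace's customer ID (shown on its Overview blade) and the KQL text.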