ALZ-Bicep
ALZ-Bicep copied to clipboard
Azure
Missing permissions on Datacollection rules for Policy MI
What happened? Provide a clear and concise description of the bug, including deployment details.
I deployed ALZ-Bicep v0.18.0 with the default policy assignments. It created DCR's and a UMI in the management subscription. After deploying a VM in a Online subscription I get policy deployment errors.
The reason for this behaviour is that the DCR is in the platform management group while the policy assignment is on the landingzone management group. The managed identy from the landingzone group has no permissions for the datacollection rules in the management subscription. The same thing is happening for ChangeTracking and UMI assignments.
Please provide the correlation id associated with your error or bug.
c449650d-4e60-4919-a907-9db4811ac4a3
What was the expected outcome?
Creation of a DataCollectionRule Association between the Azure Monitor Agent and the DCR in the Management Subscription.
Relevant log output
The client 'app-id of policy MI' with object id '...' has permission to perform action 'Microsoft.Insights/dataCollectionRuleAssociations/write' on scope '/subscriptions/...onlinesubguid..../resourcegroups/vm-online/providers/Microsoft.Compute/virtualMachines/vm-online/providers/Microsoft.Insights/dataCollectionRuleAssociations/assoc-55mf2y3zlwzjc'; however, it does not have permission to perform action(s) 'Microsoft.Insights/dataCollectionRules/read' on the linked scope(s) '/subscriptions/...mgmt subscription.../resourceGroups/alz-mg-p-rg001/providers/Microsoft.Insights/dataCollectionRules/alz-ama-vmi-dcr' (respectively) or the linked scope(s) are invalid. (Code: LinkedAuthorizationFailed)
Check previous GitHub issues
- [X] I have searched the issues for this item and found no duplicate
Code of Conduct
- [X] I agree to follow this project's Code of Conduct
tagging @arjenhuitema for awareness and oversight on all things AMA.
Is there something missing from an RBAC role assignment perspective in ALZ Bicep @arjenhuitema that @oZakari can add?
It looks like the Managed Identity of the policy assignments within the Landing Zone scope lacks Reader and Managed Identity Operator permissions on the Platform, which are necessary to access the DCRs and assign the UAMI. I’ve put together a table that shows which permissions are needed for each policy assignment and shared that with @oZakari
we ran into the similar issue today and founds this thread. @arjenhuitema @oZakari could you share that table of permissions here if it hasn't been published elsewhere?
Hey @bgawale and @sandorhofman,
Sorry for the delay. This has been on my radar and something I will be working on hopefully fixing in the next couple of days.
Essentially, the managed identity of the assignment on the Landing Zone scope needs the following permissions:
| Policy | Permissions | Scope for permissions |
|---|---|---|
| Change Tracking Arc/ Hybrid | Reader | Platform/Landing Zones |
| Change Tracking VM | Reader, ManagedIdentityOperator | Platform/Landing Zones |
| Change Tracking VMSS | Reader, ManagedIdentityOperator | Platform/Landing Zones |
| MDfC Defender SQL AMA | Reader, ManagedIdentityOperator | Platform/Landing Zones |
| VM Monitoring Arc/ Hybrid | Reader | Platform/Landing Zones |
| VM Monitoring VM | Reader, ManagedIdentityOperator | Platform/Landing Zones |
| VM Monitoring VMSS | Reader, ManagedIdentityOperator | Platform/Landing Zones |
I have deployed again using v0.20.1 but the permissions are still not assigned.