Azure-Functions
Azure Portal: Cannot access "Monitor" as "Monitoring Reader"
My apologies if I'm filing this issue in the wrong repository; however, I couldn't find a repository where I could post issues for Azure Functions in the Azure Portal.
I've been granted the following pre-made RBAC roles on a Function App:
| Role | Description | Scope |
|---|---|---|
| Monitoring Reader | Can read all monitoring data | Resource group (Inherited) |
| Reader | View all resources but does not allow you to make any changes | Resource group (Inherited) |
When I navigate to "Functions" in the Function App and select a specific Azure Function, I cannot access the "Monitor" section of the Function. When I hover over "Monitor" it says "This feature requires write permission to your app".
This seems like a bug, as I'd expect to be able to read monitoring data as a "Monitoring Reader", since it says "Can read all monitoring data".
Note: as this is a production environment, I do not want to have write permissions as the message suggests.
Hi @ThomasVandenbon, more than a bug, it's a role assignment issue and requires a support ticket for resolution. Please follow the path below to raise a support ticket: Portal > menu > help and support > New support request
@v-bbalaiagar I was hopeful when you wrote that this is more than a bug.
We opened a support request and have since received some answers.
- The first answer suggested that we had failed to correctly apply the Monitoring Reader / Reader roles and guided us on how to do this. This was, however, not the case, and the roles were correctly set.
- The second answer then confirmed the issue (after reproducing it on the side of Microsoft) and escalated it to a Technical Advisor.
- The final answer then informed us that this is by design 😒 telling us to go vote for a fix here: https://feedback.azure.com/forums/355860-azure-functions/suggestions/35024440-enable-reader-access-to-view-azure-functions-monit

What baffles me is that every person I've spoken to has instantly identified it as a bug, yet there seems to be no inclination to fix this in the near future. 🤷‍♂️
Also, if it was that easy to do via Application Insights, then why would there even be a need for this screen?
It seems I won't be monitoring my Azure Functions in the near future...
Bumping this because I'm confused about what the necessary role is to access "Monitor" for azure functions. I'm an owner at the subscription level, and yet the "monitor" blade is greyed out for me in the Azure functions project, with the prompt "this feature requires write permission to your app".
I had access to the Monitor blade as recently as a month ago, and to my knowledge no role changes have happened. Are there new role requirements/workarounds that I need to access the monitor blade?
N.B. it looks like there are ongoing Azure AD issues, at time of writing this, so maybe that's the real issue
Hi @denalisk, thank you for your feedback! I am checking internally on this issue and will update you with the findings.
@v-bbalaiagar it does look like my issue was likely connected to the AD issues at the time, I have since been able to access the monitor blade in my function resource
Hi @ThomasVandenbon, Closing this issue as this issue hasn't re-occurred. Please feel free to reach back to us in case of any further queries related to this issue.
@v-bbalaiagar, I don't understand what you mean by not re-occurring?
As far as I know, nothing has changed. Which means that a user with the "Monitoring reader" and/or "Reader" role cannot use the "Monitor" feature of Azure Functions.
Hi @ThomasVandenbon, Apologies for the confusion, I shall discuss this internally and get back to you with the findings.
Hi @ehamai, can you kindly look into this issue?
@v-bbalaiagar @ehamai any update on this issue? A user looking to read logs, or data under the monitor tab, should not be required to have contributor access and be able to delete the items.
any update? I am facing the same issue, the Azure Function Monitoring tab is grayed-out however correct RBAC roles are applied.
This seems inferior - and it's 6 months since this first was reported!?
It worked after adding contributor access to related app-insights instance
Yes, I know App Insights is an option, but for what we want to share - simple, succinct run logs - the monitoring tab is perfect. App Insights and KUSTO can be a bit overwhelming for new folks.
Wouldn't it be both more intuitive and more secure (least-privilege principles) if we didn't have to grant contributor level access in order to read logs? Do we have any other options? Custom roles, etc?
Sorry I wasn't tracking this thread. The reason why you need contributor access is because the ikey/connection string for your AI resource is stored as an app setting which can contain secrets. If we wanted to remove the contributor requirement, we'd need the runtime itself to support it as something other than an app setting. @fabiocav I'll let you respond, but unless someone from the runtime decides to change this dependency, then this isn't something that can be fixed from the portal itself.
It doesn't look like there are any secrets exposed via the monitor panel, so I don't see why the monitor reader role should be restricted from it. What is the monitor reader role for if not the monitor panel?
Agreed. Not allowing the "monitoring reader" role to "read the monitor" seems pretty unintuitive. If it's true that reading secrets is required to use that tab, then it seems like reading secrets needs to be identified as an individual permission? Factor it out. Then, we can give that permission to both the "contributor" and "monitoring reader" roles.
Or - because I know introducing a new, granular permission and editing the permission sets of established roles is a big deal and would take some evaluation - is there some other way we can improve the experience for the monitoring reader role? Such as having the portal detect that the current page visitor has monitoring reader but not contributor, and then pop up a link that directs them over to AppInsights? Preferably with the KQL prefilled with the same query that is feeding the monitor tab? Anything would help.
Devs link over to those run logs because they are succinct and useful. They want to share logs with others via a link. Those others are frustrated when they can't view those pages without getting edit rights on the object. How can we lessen the friction here?
I suppose we can create a custom role to be able to see Monitor... which of the actions listed in the documentation is appropriate? Or is it a different one that is not listed?
It is not the best solution, but it is a possibility with the inconsistency of this topic. There is no point in having that role and not being able to see the Function Apps monitor.
@ehamai Just to clarify your earlier comment,
> If we wanted to remove the contributor requirement, we'd need the runtime itself to support it as something other than an app setting

Is this referring to the functions runtime? Are these app settings read via ARM? Or is there some API that is exposed by the functions runtime?
We tried to create a custom role, following the documentation... and we have no progress on this issue
Any updates?
any news, @v-bbalaiagar @ehamai?
sigh I guess I'll pile on. Any updates?
Same problem here... any news on the subject? @ehamai
Is it possible to list which permissions are needed to be able to use Monitor in Function Apps when we don't want to assign Contributor, so we can create a custom role?
I actually have contributor permission at the subscription level, and still can't get this to work.
Looking at it again, it's definitely buggy. I refreshed the Azure portal, and it was fine, I could access it.
I added the Website Contributor role, which Azure provides as a built-in role, and there is no gray-out on the "monitor" screen of the Azure portal. Just for your information.
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#website-contributor
so... is this a workaround?
When using a custom role with the permission "Microsoft.Web/sites/Write", Monitor is not greyed out.
The description for the permission says "Create a new Web App or update an existing one", which might not be an acceptable level of permission for users whose job is to "monitor" the function.
Has anyone else found a permission that enables "Monitor" without giving the user some sort of contributor role?
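As an added example (not code from the thread or from the Azure Functions project), this builds the custom role the previous comment describes and checks it against the least-privilege concerns raised earlier in the thread (delete rights, secret-bearing app settings, over-wide scope). Microsoft.Web/sites/Write is the action the comment reports as un-greying Monitor; the Read, Delete and config/list action names, and the placeholder scope, are assumptions.

```python
"""Constructed example (not from the thread): build the custom role the last
comment describes, and check it stays least-privilege.  Microsoft.Web/sites/Write
is the action the thread reports as unlocking "Monitor"; the other action names
are assumed from Azure's built-in-role documentation."""
import json

# Placeholders, not real identifiers: scope the role to one Function App.
SCOPE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
         "rg-placeholder/providers/Microsoft.Web/sites/func-placeholder")
DELETE = "Microsoft.Web/sites/Delete"                    # assumed: deletes the app
LIST_SECRETS = "Microsoft.Web/sites/config/list/Action"  # assumed: lists app settings

def build_monitor_role(scope: str) -> dict:
    """Role definition in the JSON shape 'az role definition create' accepts,
    scoped to a single Function App instead of the whole resource group."""
    return {
        "Name": "Function App Monitor Viewer (custom)",
        "IsCustom": True,
        "Description": "Read a Function App and open its Monitor blade; no delete.",
        "Actions": ["Microsoft.Web/sites/Read", "Microsoft.Web/sites/Write"],
        "NotActions": [DELETE, LIST_SECRETS],
        "AssignableScopes": [scope],
    }

def matches(pattern: str, action: str) -> bool:
    """Simplified RBAC wildcard matching: '*' or a trailing '/*' prefix."""
    p, a = pattern.lower(), action.lower()
    return p == "*" or (p.endswith("/*") and a.startswith(p[:-1])) or p == a

def effectively_allows(role: dict, action: str) -> bool:
    """Azure evaluates Actions minus NotActions."""
    allowed = any(matches(p, action) for p in role.get("Actions", []))
    denied = any(matches(p, action) for p in role.get("NotActions", []))
    return allowed and not denied

def least_privilege_findings(role: dict) -> list:
    """Explain how a role exceeds what the Monitor workaround needs."""
    findings = []
    if effectively_allows(role, DELETE):
        findings.append("can delete the Function App")
    if effectively_allows(role, LIST_SECRETS):
        findings.append("can list app settings (connection string secrets)")
    for scope in role.get("AssignableScopes", []):
        if "/providers/Microsoft.Web/sites/" not in scope:
            findings.append(f"scope wider than one Function App: {scope}")
    return findings

if __name__ == "__main__":
    role = build_monitor_role(SCOPE)
    print(json.dumps(role, indent=2))  # save as role.json for az role definition create
    print(least_privilege_findings(role))
```

Run the same checker over a Website Contributor-style definition (`Microsoft.Web/sites/*` at resource-group scope) to see why that role is wider than the thread's ask.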