
I created a service principal in Azure and assigned it to a custom role that I created with a set of permissions in that particular subscription.

With the service principal, I am able to create a key vault, a storage account, a function app, and so on.

But when I execute this particular command:

Set-AzDiagnosticSetting -Name $diagnosticLogsSettingsName -ResourceId $resource.ResourceId -StorageAccountId $diagnosticLogStorageAccount.Id -Enabled $true -Category $Categories -MetricCategory AllMetrics -RetentionEnabled $true -RetentionInDays 90

I get the following error:

Set-AzDiagnosticSetting : Exception type: ErrorResponseException, Message: Null/Empty, Code: Null, Status code: Forbidden, Reason phrase: Forbidden

I'm not sure why I am getting a Forbidden error.

Could anyone please help me resolve the issue? Thanks in advance.

2 Answers


  1. Chosen as BEST ANSWER

    I was able to resolve the issue by adding the following permission to my custom role:

    Microsoft.Insights/diagnosticSettings/write
    

    I found out that I needed to add this permission by executing the following command in -Debug mode, which gives a clear error naming the missing permission:

    Set-AzDiagnosticSetting -Name $diagnosticLogsSettingsName -ResourceId $resource.ResourceId -StorageAccountId $diagnosticLogStorageAccount.Id -Enabled $true -Category $Categories -MetricCategory AllMetrics -RetentionEnabled $true -RetentionInDays 90 -Debug
    

    So you just need to add the -Debug flag at the end of the command.
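    As an added example (not code from the question or from either answer), the fix above as a complete least-privilege workflow in Azure PowerShell: define a custom role that carries the missing action, assign it to the service principal, check that the action is actually granted, and only then retry the call with -Debug. The subscription ID, service principal object ID and role name are placeholders; the storage read action is an assumption that the principal must also be able to read the storage account used as the log sink; the `$diagnosticLogsSettingsName`, `$resource`, `$diagnosticLogStorageAccount` and `$Categories` variables are assumed to be defined as in the question.

```powershell
# Added example, not from the original post. Placeholders (assumptions) to replace:
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # your subscription
$spObjectId     = "11111111-1111-1111-1111-111111111111"   # service principal object ID
$roleName       = "Diagnostic Settings Operator (custom)"  # custom role name
$scope          = "/subscriptions/$subscriptionId"

# 1. Custom role. The two Microsoft.Insights actions cover the Forbidden error from the
#    question (write) and reading the setting back (read). The storage read action is an
#    assumption: the principal should be able to resolve the sink storage account it names.
$roleDef = @{
    Name             = $roleName
    IsCustom         = $true
    Description      = "Read/write diagnostic settings; read the log sink storage account"
    Actions          = @(
        "Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.Insights/diagnosticSettings/write",
        "Microsoft.Storage/storageAccounts/read"
    )
    NotActions       = @()
    AssignableScopes = @($scope)
}
$roleFile = Join-Path $env:TEMP "diag-role.json"
$roleDef | ConvertTo-Json -Depth 5 | Set-Content -Path $roleFile -Encoding utf8

# Create the role the first time, update its action list afterwards.
$existing = Get-AzRoleDefinition -Name $roleName -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    New-AzRoleDefinition -InputFile $roleFile | Out-Null
} else {
    $existing.Actions = $roleDef.Actions
    Set-AzRoleDefinition -Role $existing | Out-Null
}

# 2. Assign the role to the service principal at subscription scope (idempotent).
$assigned = Get-AzRoleAssignment -ObjectId $spObjectId -RoleDefinitionName $roleName `
    -Scope $scope -ErrorAction SilentlyContinue
if (-not $assigned) {
    New-AzRoleAssignment -ObjectId $spObjectId -RoleDefinitionName $roleName -Scope $scope | Out-Null
}

# 3. Verify the required action is granted by at least one assigned role before retrying.
#    ARM actions may be wildcards ("*", "Microsoft.Insights/*"), so match with -like.
#    NotActions are not evaluated here; role changes can take a few minutes to propagate.
$required = "Microsoft.Insights/diagnosticSettings/write"
$granted = Get-AzRoleAssignment -ObjectId $spObjectId -Scope $scope |
    ForEach-Object { (Get-AzRoleDefinition -Id $_.RoleDefinitionId).Actions } |
    Where-Object { $required -like $_ }
if (-not $granted) {
    throw "Service principal $spObjectId still lacks $required at $scope"
}

# 4. Retry the call from the question. Keep -Debug so that, if it still fails, the raw
#    HTTP response body (including the AuthorizationFailed message that names the missing
#    action and scope) is printed instead of the bare "Forbidden" summary.
Set-AzDiagnosticSetting -Name $diagnosticLogsSettingsName `
    -ResourceId $resource.ResourceId `
    -StorageAccountId $diagnosticLogStorageAccount.Id `
    -Enabled $true -Category $Categories -MetricCategory AllMetrics `
    -RetentionEnabled $true -RetentionInDays 90 -Debug
```

    Note that Set-AzDiagnosticSetting belongs to older Az.Monitor releases; Az.Monitor 3.x replaced it with New-AzDiagnosticSetting, which takes -Log and -Metric objects instead of -Category and -MetricCategory. The permission check and the -Debug diagnosis apply unchanged to the newer cmdlet.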


  2. One workaround you can follow to resolve the above issue:

    Based on this GitHub blog:

    For example, to enable all available metrics and logs for a particular
    resource (e.g., Resource01):

    Set-AzDiagnosticSetting -ResourceId "Resource01" -Enabled $True
    

    Alternatively, see this SO thread, Enabling diagnostic settings for Azure Storage Account using PowerShell, as suggested by @Joy Wang.

    We tried the suggested PowerShell script and it works fine.

    NOTE: Please make sure that you are providing the correct workspace ID (Log Analytics workspace ID) and resource ID (storage account resource ID).

    OUTPUT DETAILS FOR REFERENCE: (screenshots of the script output, not reproduced here)
