我正在尝试从我的应用程序中获取对 Azure Log Analytics 的读取权限,并执行了以下步骤:
- 在 AD 门户中的“应用注册”下注册的应用
- 新增平台:Web;重定向 URI:http://localhost/auth 在身份验证选项卡下
- 请求并授予此应用 API 读取 Log Analytics 数据的权限:Log Analytics API:读取数据:类型应用程序:授予状态
然后,使用此代码,尝试阅读:
SECRET="XXXXXXXXXXX"
CLIENT="e7207353-ee8d-4bcc-9580-bfaaf2c0da7e"
URI="http://localhost/auth"
RESOURCE="management.azure.com"
TARGET="https://$RESOURCE/subscriptions/XXXXXXX/resourceGroups/myRG01/providers/Microsoft.OperationalInsights/workspaces/law-01/api/query?api-version=1"
# (1) Obtain token
RESP=$(curl --silent -H "Content-Type: application/x-www-form-urlencoded" -X POST \
-d "grant_type=client_credentials&client_id=${CLIENT}&resource=https://${RESOURCE}&client_secret=${SECRET}&redirect_uri=${URI}" \
https://login.microsoftonline.com/...orgTenantID.../oauth2/token )
TOKEN=$(echo "$RESP" | jq -r .access_token)
# (2) Call Log Analytics API
curl --silent -X POST \
-H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
-d '{"query": "AzureActivity | limit 10"}' $TARGET | jq
但在成功获取令牌时,调用 Log Analytics 时出现“AuthorizationFailed”:
{
"error": {
"code": "AuthorizationFailed",
"message": "The client '02531282-409c-4752-8b10-4f995ceaac5d' with object id '02531282-409c-4752-8b10-4f995ceaac5d' does not have authorization to perform action 'microsoft.operationalinsights/workspaces/query/read' over scope '/subscriptions/XXXXXXX/resourceGroups/myRG01/providers/Microsoft.OperationalInsights/workspaces/law-01/api/query' or the scope is invalid. If access was recently granted, please refresh your credentials."
}
}
我哪里错了?访问权限是几天前授予的,因此传播中的任何延迟都有望过去。无论如何,对于这种情况,“刷新您的凭据”意味着什么?还要别的吗?
感谢你的帮助。谢谢你。
=== 发布答案更新 === 使用 API 访问 loganalytics 数据,如此处所述- https://learn.microsoft.com/en-us/azure/azure-monitor/logs/api/request-format上面的代码应该是:
RESOURCE="api.loganalytics.io"
TARGET="https://$RESOURCE/v1/workspaces/...LAW_ID.../query"
您需要在日志分析工作区上授予您的服务主体(应用注册)Azure RBAC 权限,以便它能够读取数据,这与您可能通过 Azure AD 授予的任何权限是分开的。