Run KQL query action through user managed identity gets 403 when logic app's system managed identity is enabled #1222

Open
nanma321 opened this issue Oct 25, 2024 · 0 comments

nanma321 commented Oct 25, 2024

Describe the Bug

In the standard logic app deployed from Azure Portal, the system managed identity is enabled by default. However, the workflow action "Run KQL query" from connector Azure Data Explorer gets a 403 forbidden error through user managed identity authentication (see below for the error message), unless the logic app's system managed identity is disabled.

Error message:

Error from token exchange: Permission denied due to missing connection ACL: User = <User managed identity's principal Id>@<User managed identity's tenant Id> appid=<User managed identity's principal Id>, connection=logic-apis-eastus/kusto/<GUID>

Plan Type

Standard

Steps to Reproduce the Bug or Issue

  1. Deploy a standard logic app through portal, which should have system managed identity enabled
  2. Add a user managed identity that has access to a Kusto cluster to the logic app
  3. Create a workflow and add a "Run KQL query" action. Specify that the authentication is through the User managed identity
  4. Run the workflow, which returns a 403 forbidden on the KQL query action

Additionally, I repeated the steps below a couple of times, which showed consistent behavior: having both the system MI and the UMI together yields 403:

  1. Disable the system managed identity. Using the existing connector with the UMI yields 403 forbidden, but creating a new connector with the same UMI works.
  2. Re-enable the system managed identity. Using the existing connector with the UMI works, but creating a new connector with the same UMI yields 403 again.

Workflow JSON

{
    "definition": {
        "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
        "actions": {
            "Run_KQL_query": {
                "type": "ApiConnection",
                "inputs": {
                    "host": {
                        "connection": {
                            "referenceName": "<Kusto connection name>"
                        }
                    },
                    "method": "post",
                    "body": {
                        "cluster": "<Kusto cluster endpoint>",
                        "db": "<Kusto DB name>",
                        "csl": "<Some simple query like take 5 from a table>"
                    },
                    "path": "/ListKustoResults/false"
                },
                "runAfter": {}
            }
        },
        "contentVersion": "1.0.0.0",
        "outputs": {},
        "triggers": {
            "Recurrence": {
                "type": "Recurrence",
                "recurrence": {
                    "interval": 1,
                    "frequency": "Week"
                }
            }
        }
    },
    "kind": "Stateful"
}

Screenshots or Videos

No response

Additional context

No response
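The error quoted in this issue names the exact principal that was denied (object id, tenant id, app id) and the API connection whose ACL is missing it. A quick way to confirm whether the failing identity is the one actually listed on the connection's access policies is to parse that message and compare it against the policy list. The script below is an added example and is not part of this issue or of the Logic Apps project; the GUIDs and the access-policy JSON are constructed, and the policy shape (entries with `properties.principal.identity.objectId` / `tenantId`, as returned for `Microsoft.Web/connections/<name>/accessPolicies`) is an assumption about the ARM response, not something this issue states.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed error text in the shape quoted in the issue; all GUIDs are placeholders.
SAMPLE_ERROR = (
    "Error from token exchange: Permission denied due to missing connection ACL: "
    "User = 11111111-1111-1111-1111-111111111111@22222222-2222-2222-2222-222222222222 "
    "appid=11111111-1111-1111-1111-111111111111, "
    "connection=logic-apis-eastus/kusto/33333333-3333-3333-3333-333333333333"
)

# Constructed stand-in for the connection's access-policy list. The entry shape
# (properties.principal.identity.objectId / tenantId) is ASSUMED for this example.
# Only one principal (say, the system-assigned identity) is listed here.
SAMPLE_ACCESS_POLICIES = json.loads("""
{
  "value": [
    {
      "name": "system-mi-policy",
      "properties": {
        "principal": {
          "type": "ActiveDirectory",
          "identity": {
            "objectId": "99999999-9999-9999-9999-999999999999",
            "tenantId": "22222222-2222-2222-2222-222222222222"
          }
        }
      }
    }
  ]
}
""")

GUID = r"[0-9a-fA-F-]{36}"
# Matches "User = <objectId>@<tenantId> appid=<appId>, connection=<path>".
ERROR_RE = re.compile(
    rf"User = (?P<object_id>{GUID})@(?P<tenant_id>{GUID}) appid=(?P<app_id>{GUID}), "
    rf"connection=(?P<connection>\S+)"
)


@dataclass(frozen=True)
class DeniedPrincipal:
    object_id: str
    tenant_id: str
    app_id: str
    connection: str


def parse_acl_error(message: str) -> Optional[DeniedPrincipal]:
    """Extract the denied principal and connection from the token-exchange error."""
    m = ERROR_RE.search(message)
    if not m:
        return None
    return DeniedPrincipal(**m.groupdict())


def principals_in_policies(policies: dict) -> Set[Tuple[str, str]]:
    """Collect (objectId, tenantId) pairs granted by the access-policy list."""
    out: Set[Tuple[str, str]] = set()
    for entry in policies.get("value", []):
        ident = entry.get("properties", {}).get("principal", {}).get("identity", {})
        if "objectId" in ident and "tenantId" in ident:
            out.add((ident["objectId"].lower(), ident["tenantId"].lower()))
    return out


def diagnose(message: str, policies: dict) -> str:
    """Classify the failure: not an ACL error, principal already listed, or principal missing."""
    denied = parse_acl_error(message)
    if denied is None:
        return "not-an-acl-error"
    key = (denied.object_id.lower(), denied.tenant_id.lower())
    if key in principals_in_policies(policies):
        return "principal-listed"   # ACL already grants it; the cause lies elsewhere
    return "principal-missing"      # the UMI from the error is absent from the ACL


def build_access_policy(denied: DeniedPrincipal) -> dict:
    """Build an access-policy body for the denied principal (assumed ARM shape)."""
    return {
        "properties": {
            "principal": {
                "type": "ActiveDirectory",
                "identity": {"objectId": denied.object_id, "tenantId": denied.tenant_id},
            }
        }
    }


if __name__ == "__main__":
    denied = parse_acl_error(SAMPLE_ERROR)
    print(denied)
    print(diagnose(SAMPLE_ERROR, SAMPLE_ACCESS_POLICIES))
    print(json.dumps(build_access_policy(denied), indent=2))
```

Run against the real error text and the real policy list (for example the JSON you get back from `az rest` on the connection's `accessPolicies`), a result of `principal-missing` means the denied UMI simply is not on the connection's ACL, while `principal-listed` points at something other than the ACL, such as a connection created under a different identity state, which matches the behaviour this issue describes.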
