showmino

Reputation: 23

Azure Policy 'DeployIfNotExists' Error: LinkedAuthorizationFailed for Diagnostic Settings

I'm getting a LinkedAuthorizationFailed error when trying to configure diagnostic settings on a Virtual Network Gateway in Azure, and this configuration is being applied through an Azure Policy using the DeployIfNotExists effect.

Error message:

"code": "LinkedAuthorizationFailed",
"message": "The client has permission to perform action 'Microsoft.OperationalInsights/workspaces/sharedKeys/action' on scope '/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/microsoft.network/virtualnetworkgateways/{virtual-network-gateway-name}/providers/Microsoft.Insights/diagnosticSettings/setByPolicy-LogAnalytics', however the linked subscription 'resourcegroups' was not found."

Context: I'm attempting to link diagnostic settings for a Virtual Network Gateway to send logs to a Log Analytics workspace. It seems like there's an issue with permissions or a missing linked resource, but I can't pinpoint the cause. The error mentions the linked subscription 'resourcegroups' was not found.

Things I've tried:

Question: What does the linked subscription 'resourcegroups' was not found part of the error mean, and how can I resolve this issue to successfully set up diagnostic logging to my Log Analytics workspace? Could it be related to the resource group or some subscription linking issue?

Any insights or troubleshooting steps would be greatly appreciated!

Upvotes: 2

Views: 72

Answers (1)

schmark

Reputation: 71

The linked subscription 'resourcegroups' was not found error in Microsoft Azure typically indicates that the Azure service or resource you are trying to access or reference lives in a different subscription or resource group, or that Azure cannot locate the resource group within the current scope.

Some resources require specific permissions for setting diagnostics, so check if the policy assignment has these permissions by reviewing the required actions, such as Microsoft.Insights/diagnosticSettings/*.

Not having Azure in front of me right now, but regurgitating what I elaborated earlier in my Azure hassles:

Azure’s Policy Management is built on the Principle of Least Privilege (POLP). Therefore, Role-Based Access Control is in place. What does that mean? That means that somewhere in your Policy management you want to assign a user, or a group, only with adequate permissions at the assigned level. This helps to ensure that policies remain tamper-resistant.

Further reading in this post

Upvotes: 0
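
The permission review suggested in the answer above, as an added example (not code from the question, the answer, or Microsoft): it checks whether a set of role definitions covers the action named in the error and a concrete write action under the Microsoft.Insights/diagnosticSettings/* pattern. The role definitions are constructed samples in the shape that `az role definition list` returns, and their names are hypothetical.

```python
import re

# Actions taken from this page: the one quoted in the error, and a concrete
# instance of the 'Microsoft.Insights/diagnosticSettings/*' pattern from the answer.
REQUIRED_ACTIONS = [
    "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
    "Microsoft.Insights/diagnosticSettings/write",
]

def _matches(pattern, action):
    # Azure RBAC action strings are case-insensitive; '*' matches any run of characters.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None

def role_grants(role, action):
    # One role grants an action when a permission block lists it under
    # actions and does not take it away again under notActions.
    for perm in role["permissions"]:
        allowed = any(_matches(p, action) for p in perm.get("actions", []))
        excluded = any(_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not excluded:
            return True
    return False

def missing_actions(roles, required=REQUIRED_ACTIONS):
    # Role assignments are additive: an action is covered if any assigned role grants it.
    return [a for a in required if not any(role_grants(r, a) for r in roles)]

# Constructed sample role definitions (hypothetical names, not Azure built-in roles).
SAMPLE_DIAG_ONLY = {"roleName": "sample-diag-writer", "permissions": [
    {"actions": ["Microsoft.Insights/diagnosticSettings/*"], "notActions": []}]}
SAMPLE_WORKSPACE = {"roleName": "sample-workspace-role", "permissions": [
    {"actions": ["microsoft.operationalinsights/*"],
     "notActions": ["Microsoft.OperationalInsights/workspaces/delete"]}]}
SAMPLE_NO_KEYS = {"roleName": "sample-no-shared-keys", "permissions": [
    {"actions": ["Microsoft.OperationalInsights/*"],
     "notActions": ["Microsoft.OperationalInsights/workspaces/sharedKeys/*"]}]}

if __name__ == "__main__":
    for label, roles in [("diag only", [SAMPLE_DIAG_ONLY]),
                         ("diag + workspace", [SAMPLE_DIAG_ONLY, SAMPLE_WORKSPACE]),
                         ("no shared keys", [SAMPLE_NO_KEYS])]:
        gaps = missing_actions(roles)
        print(f"{label}: {'covered' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Feed it the role definitions assigned to the policy assignment's managed identity, on both the gateway scope and the workspace scope, to see which required action no role covers.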
