Description
SAS token for event hub requires “manage” to be accepted. Manage should not be required. Please remove this bug!
```
PS H:__AzureDevOps\AZUR.ManagedHSM\AZUR.ManagedHSM> az monitor diagnostic-settings create --name "_to_event_hub" --resource $keyVaultID --logs '[{""category"": ""AuditEvent"", ""enabled"":true}]' --event-hub /subscriptions//resourceGroups/rt-002/providers/Microsoft.EventHub/namespaces//eventhubs/*********** --event-hub-rule /subscriptions//resourceGroups/-002/providers/Microsoft.EventHub/namespaces/*/authorizationRules/****************
(BadRequest) If a valid EventHub name is not specified in the diagnostic setting, the EventHub authorization rule requires manage|send|listen access, this EventHub authorization rule does not have 'manage' access.
Code: BadRequest
Message: If a valid EventHub name is not specified in the diagnostic setting, the EventHub authorization rule requires manage|send|listen access, this EventHub authorization rule does not have 'manage' access.
```
If SAS token has “manage” permissions it works:
```
PS H:__AzureDevOps\AZUR.ManagedHSM\AZUR.ManagedHSM> az monitor diagnostic-settings create --name "mhsmlogs_to_event_hub" --resource $keyVaultID --logs '[{""category"": ""AuditEvent"", ""enabled"":true}]' --event-hub /subscriptions//resourceGroups/rg-log-mgmt-002/providers/Microsoft.EventHub/namespaces//eventhubs/************* --event-hub-rule /subscriptions//resourcegroups//providers/Microsoft.EventHub/namespaces/evhn-logg-pr-swc-001/eventhubs//authorizationrules/*
(BadRequest) "Resource type 'microsoft.eventhub/namespaces/eventhubs/authorizationrules' is invalid for property 'properties.eventHubAuthorizationRuleId'. Expected types are 'microsoft.servicebus/namespaces/authorizationrules', 'microsoft.eventhub/namespaces/authorizationrules'"
Code: BadRequest
Message: "Resource type 'microsoft.eventhub/namespaces/eventhubs/authorizationrules' is invalid for property 'properties.eventHubAuthorizationRuleId'. Expected types are 'microsoft.servicebus/namespaces/authorizationrules', 'microsoft.eventhub/namespaces/authorizationrules'"
```
This is the output from `az monitor diagnostic-settings list --resource $keyVaultID`:

```json
{
  "eventHubAuthorizationRuleId": "/subscriptions//resourceGroups/-002/providers/Microsoft.EventHub/namespaces//authorizationRules/",
  "eventHubName": "",
  "id": "/subscriptions/******/resourcegroups/-001/providers/microsoft.keyvault/managedhsms/*********/providers/microsoft.insights/diagnosticSettings/mhsmlogs_to_event_hub",
  "identity": null,
  "kind": null,
  "location": null,
  "logAnalyticsDestinationType": null,
  "logs": [
    {
      "category": "AuditEvent",
      "categoryGroup": null,
      "enabled": true,
      "retentionPolicy": null
    }
  ],
  "marketplacePartnerId": null,
  "metrics": [],
  "name": "mhsmlogs_to_event_hub",
  "resourceGroup": "****r-001",
  "serviceBusRuleId": null,
  "storageAccountId": null,
  "systemData": null,
  "tags": null,
  "type": "Microsoft.Insights/diagnosticSettings",
  "workspaceId": null
},
```
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
- ID: b9ae3afa-74ff-12e8-a32c-c01240bd37da
- Version Independent ID: 522b7e55-2510-8e51-021a-2fc134fabfbe
- Content: az monitor diagnostic-settings
- Content Source: latest/docs-ref-autogen/monitor/diagnostic-settings.yml
- Service: monitoring-and-diagnostics
- GitHub Login: @rloutlaw
- Microsoft Alias: routlaw