How to create an Azure activity log alert with the MSAL Python library

brccelvz posted on 2023-02-09 in Python

I am trying to create an alert in the Azure activity log using the MSAL Python library. Here is my code:

from azure.identity import ClientSecretCredential
from azure.mgmt.monitor import MonitorManagementClient

# App registration (service principal) used for client-credentials auth
MSAL_CLIENT_ID = "<My Client Id>"
MSAL_CLIENT_SECRET = "<My Client Secret>"
TENANT_ID = "<My Tenant Id>"

credentials = ClientSecretCredential(
    client_id=MSAL_CLIENT_ID,
    client_secret=MSAL_CLIENT_SECRET,
    tenant_id=TENANT_ID
)

SUBSCRIPTION_ID = "<My Subscription Id>"
monitor_client = MonitorManagementClient(
    credential=credentials,
    subscription_id=SUBSCRIPTION_ID
)

GROUP_NAME = "<My Resource Group Name>"
ACTIVITY_LOG_ALERT_NAME = "test"

# Create (or update) the alert rule in the given resource group.
# Requires Microsoft.Insights/activityLogAlerts/write on that resource group.
log_alert = monitor_client.activity_log_alerts.create_or_update(
    GROUP_NAME,
    ACTIVITY_LOG_ALERT_NAME,
    {
      "location": "Global",
      # Activity log events from the whole subscription are evaluated
      "scopes": [
        "subscriptions/" + SUBSCRIPTION_ID
      ],
      "enabled": True,
      # Fire on Administrative events with level Error
      "condition": {
        "all_of": [
          {
            "field": "category",
            "equals": "Administrative"
          },
          {
            "field": "level",
            "equals": "Error"
          }
        ]
      },
      # No action groups attached yet
      "actions": {
        "action_groups": [
        ]
      },
      "description": "Sample activity log alert description"
    }
)
print("Create activity log alert:\n{}".format(log_alert))

But I get the following error:
HttpResponseError                         Traceback (most recent call last)
~\AppData\Local\Temp\ipykernel_24988\3130136741.py in <module>
----> 1 log_alert = monitor_client.activity_log_alerts.create_or_update(
      2     GROUP_NAME,
      3     ACTIVITY_LOG_ALERT_NAME,
      4     {
      5       "location": "Global",

C:\ProgramData\Anaconda3\envs\hlgdev\lib\site-packages\azure\core\tracing\decorator.py in wrapper_use_tracer(*args, **kwargs)
     76         span_impl_type = settings.tracing_implementation()
     77         if span_impl_type is None:
---> 78             return func(*args, **kwargs)
     79
     80         # Merge span is parameter is set, but only if no explicit parent are passed

C:\ProgramData\Anaconda3\envs\hlgdev\lib\site-packages\azure\mgmt\monitor\v2020_10_01\operations\_activity_log_alerts_operations.py in create_or_update(self, resource_group_name, activity_log_alert_name, activity_log_alert_rule, **kwargs)
    381             map_error(status_code=response.status_code, response=response, error_map=error_map)
    382             error = self._deserialize.failsafe_deserialize(_models.ErrorResponse, pipeline_response)
--> 383             raise HttpResponseError(response=response, model=error, error_format=ARMErrorFormat)
    384
    385         if response.status_code == 200:

HttpResponseError: (AuthorizationFailed) The client '17abcd' with object id '17abcd' does not have authorization to perform action 'Microsoft.Insights/activityLogAlerts/write' over scope '/subscriptions/59abcd/resourceGroups/MyResource/providers/Microsoft.Insights/activityLogAlerts/test' or the scope is invalid. If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed
Message: The client '17abcd' with object id '17abcd' does not have authorization to perform action 'Microsoft.Insights/activityLogAlerts/write' over scope '/subscriptions/59abcd/resourceGroups/MyResource/providers/Microsoft.Insights/activityLogAlerts/test' or the scope is invalid. If access was recently granted, please refresh your credentials.

Please help, many thanks!

mw3dktmi 1#

I tried running the code below with a service principal that has the Owner or Contributor role at the subscription level, and the code ran successfully, as shown:-

Service principal role at the subscription level:-

Now I tried creating the same activity log alert with another service principal that has no Owner or Contributor role, only the Reader role. It failed with the same error code as yours:-
Failed output:-

I added the same service principal with the Contributor role scoped at the resource group level, and the error was resolved:-

Output ran successfully:-

Make sure your app/service principal is assigned at least the Contributor or Owner role at the subscription or resource group level in your Azure subscription.
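As an added example (not code from the question or the answer above), the checker below parses the AuthorizationFailed message from the question into the required action and scope, then evaluates a set of role assignments the way Azure RBAC does: wildcard actions, NotActions, and inheritance from subscription down to resource group and resource. The role definitions are simplified, constructed approximations of the built-in roles and should be verified against the real definitions; it runs offline with no Azure calls.

```python
import re
from fnmatch import fnmatchcase

# Matches the ARM AuthorizationFailed message seen in the question's traceback.
AUTHZ_RE = re.compile(
    r"does not have authorization to perform action '(?P<action>[^']+)' "
    r"over scope '(?P<scope>[^']+)'"
)

# Simplified, constructed approximations of built-in roles (not the real
# definitions): Reader only reads, Contributor is '*' minus RBAC management,
# Monitoring Contributor covers the Microsoft.Insights provider.
ROLES = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
    "Monitoring Contributor": {"actions": ["*/read", "Microsoft.Insights/*"],
                               "not_actions": []},
}

def parse_authorization_failed(message):
    """Return (action, scope) from an AuthorizationFailed message, or None."""
    m = AUTHZ_RE.search(message)
    return (m.group("action"), m.group("scope")) if m else None

def _matches(pattern, action):
    # RBAC action matching is case-insensitive and '*' spans '/' segments.
    return fnmatchcase(action.lower(), pattern.lower())

def role_permits(role_name, action):
    """A role grants an action if some Actions entry matches and no NotActions does."""
    role = ROLES[role_name]
    allowed = any(_matches(p, action) for p in role["actions"])
    denied = any(_matches(p, action) for p in role["not_actions"])
    return allowed and not denied

def assignments_permit(assignments, action, target_scope):
    """assignments: list of (role_name, assigned_scope).
    An assignment applies when the target is the assigned scope or lies beneath it."""
    target = target_scope.lower().rstrip("/")
    for role_name, scope in assignments:
        s = scope.lower().rstrip("/")
        if (target == s or target.startswith(s + "/")) and role_permits(role_name, action):
            return True
    return False

def roles_granting(action):
    """Candidate roles for a least-privilege assignment covering just this action."""
    return sorted(r for r in ROLES if role_permits(r, action))
```

Feed the `Message:` line from the error into `parse_authorization_failed`, then test the principal's actual assignments against the result before widening them to Owner.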
