Azure Source Plugin authentication issues with required write access instead of read access

Hi Team,

I’m trying to write an Azure Source Plugin, and the authentication with the cloud requires Microsoft.Authorization/roleAssignments/write access. Why isn’t read access working, as we’re only trying to fetch/query the data?

Hi! Can you please share the redacted config you are using?

kind: source
spec:
  # Source spec section
  name: "azure"
  path: "cloudquery/azure"
  version: "v9.3.4"
  destinations: ["postgresql"]
  tables: ["*"]
  spec:
    # Optional parameters

Creating a Service Principal

Following this way of authentication demands the write access.

Looking at it now, I see it says:

az ad sp create-for-rbac --name cloudquery-sp --scopes /subscriptions/$SUBSCRIPTION_ID --role Reader

So it only required Reader. Where do you see the reference to write access?

When I run the command, I get the following output:

MacBook-Pro ~ % az ad sp create-for-rbac --name cloudquery-sp --scopes /subscriptions/$SUBSCRIPTION_ID --role Reader

(AuthorizationFailed) The client '******' with object id '*******' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/******/providers/Microsoft.Authorization/roleAssignments/****' or the scope is invalid. If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed
Message: The client '******' with object id '******' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/******/providers/Microsoft.Authorization/roleAssignments/******' or the scope is invalid. If access was recently granted, please refresh your credentials.

So you need writer access to create a reader role, but then you can use the reader role. Basically, you need to define which you want to use for fetching if it doesn’t already exist.
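To make the distinction in the last reply concrete, here is an added example (not CloudQuery's or Azure's code) that evaluates Azure RBAC actions/notActions with Azure's wildcard rules against an abbreviated, constructed subset of the documented built-in roles: the identity running `az ad sp create-for-rbac --role Reader` needs `Microsoft.Authorization/roleAssignments/write`, which Reader and Contributor lack, while the service principal it creates only needs `*/read`. `sp_create_preflight` is a hypothetical helper name; the role definitions are assumed to match the documented built-ins.

```shell
#!/bin/sh
# Added example (not CloudQuery's or Azure's code): evaluate Azure RBAC
# permissions the way the service does, i.e. an action is allowed when it
# matches one of a role's "actions" and none of its "notActions". Matching is
# case-insensitive and '*' spans '/' segments, exactly like a shell glob.

matches_any() {   # matches_any "PATTERN PATTERN ..." ACTION
  action=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  set -f   # no pathname expansion: an unquoted '*' must stay a pattern
  for pat in $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); do
    case "$action" in $pat) set +f; return 0 ;; esac
  done
  set +f
  return 1
}

# Built-in roles, abbreviated from the documented definitions (assumption:
# unchanged; a custom role would be added as another case branch).
role_allows() {   # role_allows ROLE ACTION -> 0 if ROLE grants ACTION
  case "$1" in
    Reader)      actions='*/read'; notactions='' ;;
    Contributor) actions='*'
                 notactions='Microsoft.Authorization/*/Delete Microsoft.Authorization/*/Write Microsoft.Authorization/elevateAccess/Action' ;;
    Owner)       actions='*'; notactions='' ;;
    "User Access Administrator")
                 actions='*/read Microsoft.Authorization/* Microsoft.Support/*'; notactions='' ;;
    *) echo "unknown role: $1" >&2; return 2 ;;
  esac
  matches_any "$actions" "$2" && ! matches_any "$notactions" "$2"
}

# The identity that runs `az ad sp create-for-rbac --role Reader` is the one
# that needs roleAssignments/write; the SP it creates only needs */read.
# Feed it the roles from: az role assignment list --assignee <your-upn> \
#   --scope /subscriptions/$SUBSCRIPTION_ID --include-inherited \
#   --query "[].roleDefinitionName" -o tsv
sp_create_preflight() {   # hypothetical helper name
  if role_allows "$1" 'Microsoft.Authorization/roleAssignments/write'; then
    echo "$1: can assign Reader, so create-for-rbac will succeed"
  else
    echo "$1: lacks roleAssignments/write; an Owner or User Access Administrator must run it" >&2
    return 1
  fi
}

sp_create_preflight Reader || true          # same situation as the AuthorizationFailed above
sp_create_preflight "User Access Administrator"
role_allows Reader 'Microsoft.Compute/virtualMachines/read' && echo "Reader suffices for the plugin's fetch"
```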