functionapp: cannot create application insights #29244

Open

Description

Describe the bug

When an Azure function is created, the CLI attempts to create the application insights in the default resource group rather than within the resource group specified. If the user has the right to create the application insights in the specified resource group, but not in the default resource group, the command fails with:

cli.azure.cli.command_modules.appservice.custom: Error while trying to create and configure an Application Insights for the FunctionApp. Please use the Azure Portal to create and configure the Application Insights, if needed.

Running the functionapp create command with --debug:

cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/xxxxxxxxx/resourcegroups/DefaultResourceGroup-SUK?api-version=2022-09-01'
...
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/xxxxxxxxx/resourcegroups/DefaultResourceGroup-SUK?api-version=2022-09-01 HTTP/1.1" 403 462
cli.azure.cli.core.sdk.policies: Response status: 403
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Length': '462'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies:     'Expires': '-1'
...
cli.azure.cli.core.sdk.policies:     'Date': 'Mon, 24 Jun 2024 21:31:55 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"error":{"code":"AuthorizationFailed","message":"The client 'xxxxxxxxx@xxxxxxxxxx' with object id xxxxxxxxxxxxxxxxxxxxxx' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/xxxxxxxxx/resourcegroups/DefaultResourceGroup-SUK' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
cli.azure.cli.command_modules.appservice.custom: Error while trying to create and configure an Application Insights for the FunctionApp. Please use the Azure Portal to create and configure the Application Insights, if needed.

The application insights can be manually created with

az monitor app-insights component create `
--location $location `
--app $function_name `
--kind web `
--resource-group $resource_group `
--application-type web `
--retention-time 120

The issue mentioned above is caused by the application insights not using the specified resource group.

Related command

az functionapp create --name "$function_name" `
--storage-account "$storage_account_id" `
--plan "$plan_id" `
--resource-group "$resource_group" `
--functions-version "$functions_version" `
--image "$registry_name.azurecr.io/$image_name" `
--registry-password "$password" `
--registry-username "$username"

where the App Services Plan is a B3 Linux plan and the function version is 4.

Errors

cli.azure.cli.command_modules.appservice.custom: Error while trying to create and configure an Application Insights for the FunctionApp. Please use the Azure Portal to create and configure the Application Insights, if needed.

Running the functionapp create command with --debug:

cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/xxxxxxxxx/resourcegroups/DefaultResourceGroup-SUK?api-version=2022-09-01'
...
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/xxxxxxxxx/resourcegroups/DefaultResourceGroup-SUK?api-version=2022-09-01 HTTP/1.1" 403 462
cli.azure.cli.core.sdk.policies: Response status: 403
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Length': '462'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies:     'Expires': '-1'
...
cli.azure.cli.core.sdk.policies:     'Date': 'Mon, 24 Jun 2024 21:31:55 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"error":{"code":"AuthorizationFailed","message":"The client 'xxxxxxx@xxxxxxxx' with object id xxxxxxxxxxxxxxxxxxxxxx' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/xxxxxxxxx/resourcegroups/DefaultResourceGroup-SUK' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
cli.azure.cli.command_modules.appservice.custom: Error while trying to create and configure an Application Insights for the FunctionApp. Please use the Azure Portal to create and configure the Application Insights, if needed.

Issue script & Debug output

Command:

az functionapp create --name "$function_name" `
--storage-account "$storage_account_id" `
--plan "$plan_id" `
--resource-group "$resource_group" `
--functions-version "$functions_version" `
--image "$registry_name.azurecr.io/$image_name" `
--registry-password "$password" `
--registry-username "$username" `
--debug

Error message:

cli.azure.cli.command_modules.appservice.custom: Error while trying to create and configure an Application Insights for the FunctionApp. Please use the Azure Portal to create and configure the Application Insights, if needed.

Source of error:

cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/xxxxxxxxx/resourcegroups/DefaultResourceGroup-SUK?api-version=2022-09-01'
...
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/xxxxxxxxx/resourcegroups/DefaultResourceGroup-SUK?api-version=2022-09-01 HTTP/1.1" 403 462
cli.azure.cli.core.sdk.policies: Response status: 403
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Length': '462'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies:     'Expires': '-1'
...
cli.azure.cli.core.sdk.policies:     'Date': 'Mon, 24 Jun 2024 21:31:55 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"error":{"code":"AuthorizationFailed","message":"The client 'xxxxxx@xxxxxx' with object id xxxxxxxxxxxxxxxxxxxxxx' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/xxxxxxxxx/resourcegroups/DefaultResourceGroup-SUK' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
cli.azure.cli.command_modules.appservice.custom: Error while trying to create and configure an Application Insights for the FunctionApp. Please use the Azure Portal to create and configure the Application Insights, if needed.

Expected behavior

The application insights should be created in the resource group that is specified when the function is created.

Environment Summary

azure-cli                         2.61.0

core                              2.61.0
telemetry                          1.1.0

Extensions:
application-insights               1.2.1

Dependencies:
msal                              1.28.0
azure-mgmt-resource               23.1.1

Python location 'C:\Users\xxxxx\AppData\Local\Programs\Python\Python311\python.exe'
Extensions directory 'C:\Users\xxxxx\.azure\cliextensions'

Python (Windows) 3.11.7 (tags/v3.11.7:fa7a6f2, Dec  4 2023, 19:24:49) [MSC v.1937 64 bit (AMD64)]

Legal docs and information: aka.ms/AzureCliLegal


Your CLI is up-to-date.

Additional context

No response
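A triage helper for the failure reported above, as an added example that is not part of the original issue or of the Azure CLI: it reads `--debug` output, extracts each `AuthorizationFailed` action and scope, and reports the ones that fall outside the resource group passed to the command. The sample log, the function names and the `my-function-rg` group name are constructed for illustration.

```python
import json
import re

# Constructed sample, modelled on the redacted debug lines in the report above.
SAMPLE_DEBUG = """\
cli.azure.cli.core.sdk.policies: Response status: 403
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"error":{"code":"AuthorizationFailed","message":"The client 'user@example.invalid' with object id '00000000' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/0000/resourcegroups/DefaultResourceGroup-SUK' or the scope is invalid."}}
"""

DENIAL = re.compile(r"perform action '([^']+)' over scope '([^']+)'")
SCOPE_RG = re.compile(r"/resourcegroups/([^/]+)", re.IGNORECASE)


def find_denials(debug_text):
    """Yield (action, scope) for each AuthorizationFailed body in --debug output."""
    for line in debug_text.splitlines():
        start = line.find('{"error"')
        if start == -1:
            continue
        try:
            error = json.loads(line[start:])["error"]
        except (ValueError, KeyError, TypeError):
            continue  # truncated or non-JSON payload
        if not isinstance(error, dict) or error.get("code") != "AuthorizationFailed":
            continue
        match = DENIAL.search(error.get("message", ""))
        if match:
            yield match.group(1), match.group(2)


def out_of_scope_denials(debug_text, intended_rg):
    """Return denials whose scope is not inside the resource group given to the CLI."""
    findings = []
    for action, scope in find_denials(debug_text):
        rg = SCOPE_RG.search(scope)
        scope_rg = rg.group(1) if rg else None  # None: subscription-level scope
        # Resource group names are case-insensitive, so compare lowercased.
        if scope_rg is None or scope_rg.lower() != intended_rg.lower():
            findings.append({"action": action, "scope": scope, "scope_rg": scope_rg})
    return findings


if __name__ == "__main__":
    # "my-function-rg" is a hypothetical value for --resource-group.
    for f in out_of_scope_denials(SAMPLE_DEBUG, "my-function-rg"):
        print(f"denied {f['action']} on {f['scope']} (outside intended group)")
```

A finding here means the command needed a permission outside the scope the role assignment covers, which is a signal to fix the tool's target rather than to widen the role to the subscription.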

Metadata

Labels

Auto-Assign: Auto assign by bot
Auto-Resolve: Auto resolve by bot
Functions: az functionapp
Possible-Solution
Service Attention: This issue is responsible by Azure service team.
Similar-Issue
customer-reported: Issues that are reported by GitHub users external to the Azure organization.
question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that
