Description
Describe the bug
Unable to enable and configure flow log for network security group, using a storage account in either the NetworkWatcherRG or another existing resource group
Exception or Stack Trace
The client has permission to perform action 'Microsoft.OperationalInsights/workspaces/sharedKeys/action' on scope '/subscriptions/{subscription_id}/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_usgovvirginia', however the linked subscription 'resourcegroups' was not found
To Reproduce
- retrieve network watchers
- for network watcher in correct region
- retrieve flow settings for existing network security group in the region
- update flow settings to enable logging and set storage to existing storage account
Code Snippet
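```java
import com.microsoft.azure.PagedList;
import com.microsoft.azure.management.network.FlowLogSettings;
import com.microsoft.azure.management.network.NetworkSecurityGroup;
import com.microsoft.azure.management.network.NetworkWatcher;
import com.microsoft.azure.management.resources.ResourceGroup;
import com.microsoft.azure.management.resources.fluentcore.arm.Region;
import com.microsoft.azure.management.storage.StorageAccount;

// Find the network watcher for the target region.
final PagedList<NetworkWatcher> nws = adapter.getItsAzure().networkWatchers().list();
NetworkWatcher retval = null;
for (final NetworkWatcher nw : nws) {
    if (nw.region().equals(Region.GOV_US_VIRGINIA)) {
        retval = nw;
    }
}

// Create a storage account in the network watcher's own resource group.
final ResourceGroup rg = adapter.getItsAzure().resourceGroups().getByName(retval.resourceGroupName());
final StorageAccount sa = adapter.getItsAzure().storageAccounts()
        .define(ResourceNameType.STORAGE_ACCOUNT.randomName("networkwatchersa"))
        .withRegion(Region.GOV_US_VIRGINIA)
        .withExistingResourceGroup(rg)
        .withAccessFromAllNetworks()
        .create();

// Look up the existing network security group and its current flow log settings.
final String rgName = "resource-group-38f6628eccb84ec9aa1cd9b3c8f5f815";
final NetworkSecurityGroup nsg = adapter.getItsAzure().networkSecurityGroups()
        .getByResourceGroup(rgName, "add-network1-nat-securitygroup");
final FlowLogSettings fls = retval.getFlowLogSettings(nsg.id());
LOGGER.info("Found fls with enabled {} and storage id {}", fls.enabled(), fls.storageId());

// Enable flow logging to the storage account; this is the call that fails.
fls.update()
        .withLogging()
        .withStorageAccount(sa.id())
        .apply();
```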
Expected behavior
Expect to be able to enable flow logs for the NSG in a storage account, or to get a more elaborate error message. I cannot currently determine what the issue is.
Setup (please complete the following information):
- OS: macOS
- IDE: Eclipse Version: 2019-06 (4.12.0)
- Version of the Library used: 1.22
Additional context
The call has been attempted with the Service Principal as both a contributor and an owner in the subscription. I am trying to understand the error message, as the SDK call seems straightforward. I suspect it is a permissions or ownership issue.
Update: confirmed this is still an issue in version 1.23