Azure

Azure Log Analytics API read access

  • October 28, 2022

I am trying to get read access to Azure Log Analytics from my application and have taken the following steps:

  1. Registered the app under "App registrations" in the AD portal
  2. Added platform: Web; redirect URI: http://localhost/auth under the Authentication tab
  3. Requested and was granted API permission for this app to read Log Analytics data: Log Analytics API: Read data: Type Application: Status Granted

Then, with this code, I tried to read:

SECRET="XXXXXXXXXXX"
CLIENT="e7207353-ee8d-4bcc-9580-bfaaf2c0da7e"
URI="http://localhost/auth"
RESOURCE="management.azure.com"
TARGET="https://$RESOURCE/subscriptions/XXXXXXX/resourceGroups/myRG01/providers/Microsoft.OperationalInsights/workspaces/law-01/api/query?api-version=1"

# (1) Obtain token
RESP=$(curl --silent -H "Content-Type: application/x-www-form-urlencoded" -X POST \
           -d "grant_type=client_credentials&client_id=${CLIENT}&resource=https://${RESOURCE}&client_secret=${SECRET}&redirect_uri=${URI}" \
        https://login.microsoftonline.com/...orgTenantID.../oauth2/token )

TOKEN=$(echo "$RESP" | jq -r .access_token)

# (2) Call Log Analytics API
curl --silent -X POST \
  -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
  -d '{"query": "AzureActivity | limit 10"}' $TARGET | jq

But although obtaining the token succeeds, calling Log Analytics fails with "AuthorizationFailed":

{
 "error": {
   "code": "AuthorizationFailed",
   "message": "The client '02531282-409c-4752-8b10-4f995ceaac5d' with object id '02531282-409c-4752-8b10-4f995ceaac5d' does not have authorization to perform action 'microsoft.operationalinsights/workspaces/query/read' over scope '/subscriptions/XXXXXXX/resourceGroups/myRG01/providers/Microsoft.OperationalInsights/workspaces/law-01/api/query' or the scope is invalid. If access was recently granted, please refresh your credentials."
 }
}

Where am I going wrong? Access was granted several days ago, so any propagation delay should have passed by now. In any case, what does "refresh your credentials" mean in this situation? Anything else?

Thanks for your help.

=== Update after the posted answer === Accessing Log Analytics data with the API, as described here - https://learn.microsoft.com/en-us/azure/azure-monitor/logs/api/request-format - the code above should be:

RESOURCE="api.loganalytics.io"
TARGET="https://$RESOURCE/v1/workspaces/...LAW_ID.../query"

You need to grant your service principal (app registration) Azure RBAC permissions on the Log Analytics workspace so that it can read data; this is separate from any permissions you may have granted through Azure AD.
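The two answers above add up to one working procedure: request the token for the data-plane resource `https://api.loganalytics.io` (not `management.azure.com`), call `/v1/workspaces/{workspaceId}/query`, and give the service principal an RBAC role on the workspace. The script below is an added example, not code from the question or the answers. It assumes hypothetical values for the tenant ID, the workspace (customer) ID, the workspace ARM resource ID and the service principal object ID (the object ID is the one Azure prints in the AuthorizationFailed message), and it uses `sed` instead of `jq` for the small JSON fields so the offline helpers run anywhere. The useful addition over the answers is the local check: before the token is sent anywhere, its `aud` claim is decoded and compared with the API host, which is exactly the mismatch the original script had (a token issued for ARM, sent to the Log Analytics data plane). The live calls only run with `RUN_LIVE=1`; the two sample JWTs are constructed, unsigned and used only to exercise the check.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): read a Log Analytics workspace
# with a service principal, checking the token audience before the call.
# All default values below are hypothetical placeholders; override via env.
set -eu

TENANT_ID="${TENANT_ID:-00000000-0000-0000-0000-000000000000}"      # assumed
CLIENT_ID="${CLIENT_ID:-e7207353-ee8d-4bcc-9580-bfaaf2c0da7e}"      # app (client) ID from the post
CLIENT_SECRET="${CLIENT_SECRET:-XXXXXXXXXXX}"
WORKSPACE_ID="${WORKSPACE_ID:-00000000-0000-0000-0000-000000000000}" # workspace (customer) ID, assumed
# Service principal object ID: the "object id" in the AuthorizationFailed message. Assumed here.
SP_OBJECT_ID="${SP_OBJECT_ID:-02531282-409c-4752-8b10-4f995ceaac5d}"
# ARM resource ID of the workspace, used only as the RBAC scope (path assumed from the post).
WORKSPACE_ARM_ID="${WORKSPACE_ARM_ID:-/subscriptions/XXXXXXX/resourceGroups/myRG01/providers/Microsoft.OperationalInsights/workspaces/law-01}"

# Data-plane API and the audience the token must carry. A token issued for
# https://management.azure.com is rejected by api.loganalytics.io.
LA_RESOURCE="https://api.loganalytics.io"

# ---- offline helpers ---------------------------------------------------------

# json_str FIELD: print a top-level string field from flat JSON on stdin.
# Enough for token responses and JWT payloads (no escaped quotes in those values).
json_str() { sed -n "s/.*\"$1\":\"\\([^\"]*\\)\".*/\\1/p" | head -n1; }

# base64url encode/decode (JWT segments drop padding and use -_ instead of +/).
b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="${s}="; done
  printf '%s' "$s" | base64 -d
}

# jwt_claim TOKEN CLAIM: decode the payload (second segment) and print one claim.
# The signature is not verified here; we only inspect our own freshly issued token.
jwt_claim() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)" | json_str "$2"; }

# token_audience_ok TOKEN RESOURCE: true when the aud claim matches the API we
# are about to call. Trailing slashes are ignored because ARM tokens carry
# "https://management.azure.com/" while the data-plane one has no slash.
token_audience_ok() {
  local aud
  aud=$(jwt_claim "$1" aud || true)
  [ -n "$aud" ] && [ "${aud%/}" = "${2%/}" ]
}

# Constructed sample tokens (unsigned, placeholder signature) for the check above.
fake_jwt() { printf '%s.%s.%s' "$(b64url_encode '{"alg":"none","typ":"JWT"}')" "$(b64url_encode "$1")" "sig"; }
SAMPLE_LA_TOKEN=$(fake_jwt '{"aud":"https://api.loganalytics.io","appid":"'"$CLIENT_ID"'"}')
SAMPLE_ARM_TOKEN=$(fake_jwt '{"aud":"https://management.azure.com/","appid":"'"$CLIENT_ID"'"}')

# ---- live calls (RUN_LIVE=1) -------------------------------------------------

# Client-credentials grant against the v1 endpoint. redirect_uri is not part of
# this flow; the resource parameter is what decides the token audience.
get_token() {
  curl --silent --fail -X POST \
    -d "grant_type=client_credentials&client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}&resource=${LA_RESOURCE}" \
    "https://login.microsoftonline.com/${TENANT_ID}/oauth2/token" | json_str access_token
}

# run_query TOKEN KQL: POST to the data-plane query endpoint, print raw JSON.
run_query() {
  curl --silent -X POST \
    -H "Authorization: Bearer $1" -H "Content-Type: application/json" \
    -d "{\"query\": \"$2\"}" \
    "${LA_RESOURCE}/v1/workspaces/${WORKSPACE_ID}/query"
}

# Data-plane RBAC on the workspace (separate from the AAD API permission).
# Log Analytics Reader is the least-privilege built-in role for read-only queries.
grant_reader_role() {
  az role assignment create --role "Log Analytics Reader" \
    --assignee-object-id "$SP_OBJECT_ID" --assignee-principal-type ServicePrincipal \
    --scope "$WORKSPACE_ARM_ID"
}

main() {
  local token
  token=$(get_token)
  if ! token_audience_ok "$token" "$LA_RESOURCE"; then
    echo "token aud is '$(jwt_claim "$token" aud)', expected ${LA_RESOURCE}: fix the resource= parameter" >&2
    return 1
  fi
  run_query "$token" "AzureActivity | limit 10"
}

if [ "${RUN_LIVE:-0}" = 1 ]; then main; fi
```

Run `grant_reader_role` once (with a principal that can assign roles on the workspace), wait a minute or two, then `RUN_LIVE=1 ./query.sh`. If the audience check fails, the token endpoint was asked for the wrong resource; if the check passes but the API still refuses, the missing piece is the RBAC assignment, not the Azure AD API permission.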

Quoted from: https://serverfault.com/questions/1114181