Azure
Azure 日誌分析 API 讀取
我正在嘗試從我的應用程序中獲取對 Azure Log Analytics 的讀取權限,並執行了以下步驟:
- 在 AD 門戶中的“應用註冊”下註冊的應用
- 新增平台:Web;重定向 URI:http://localhost/auth 在身份驗證選項卡下
- 請求並授予此應用 API 讀取 Log Analytics 數據的權限:Log Analytics API:讀取數據:類型應用程序:授予狀態
然後,使用此程式碼,嘗試閱讀:
SECRET="XXXXXXXXXXX" CLIENT="e7207353-ee8d-4bcc-9580-bfaaf2c0da7e" URI="http://localhost/auth" RESOURCE="management.azure.com" TARGET="https://$RESOURCE/subscriptions/XXXXXXX/resourceGroups/myRG01/providers/Microsoft.OperationalInsights/workspaces/law-01/api/query?api-version=1" # (1) Obtain token RESP=$(curl --silent -H "Content-Type: application/x-www-form-urlencoded" -X POST \ -d "grant_type=client_credentials&client_id=${CLIENT}&resource=https://${RESOURCE}&client_secret=${SECRET}&redirect_uri=${URI}" \ https://login.microsoftonline.com/...orgTenantID.../oauth2/token ) TOKEN=$(echo "$RESP" | jq -r .access_token) # (2) Call Log Analytics API curl --silent -X POST \ -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \ -d '{"query": "AzureActivity | limit 10"}' $TARGET | jq
但在成功獲取令牌時,呼叫 Log Analytics 時出現“AuthorizationFailed”:
{ "error": { "code": "AuthorizationFailed", "message": "The client '02531282-409c-4752-8b10-4f995ceaac5d' with object id '02531282-409c-4752-8b10-4f995ceaac5d' does not have authorization to perform action 'microsoft.operationalinsights/workspaces/query/read' over scope '/subscriptions/XXXXXXX/resourceGroups/myRG01/providers/Microsoft.OperationalInsights/workspaces/law-01/api/query' or the scope is invalid. If access was recently granted, please refresh your credentials." } }
我哪裡錯了?訪問權限是幾天前授予的,因此傳播中的任何延遲都有望過去。無論如何,對於這種情況,“刷新您的憑據”意味著什麼?還要別的嗎?
感謝你的幫助。謝謝你。
=== 發布答案更新 === 使用 API 訪問 loganalytics 數據,如此處所述- https://learn.microsoft.com/en-us/azure/azure-monitor/logs/api/request-format上面的程式碼應該是:
RESOURCE="api.loganalytics.io" TARGET="https://$RESOURCE/v1/workspaces/...LAW_ID.../query"
您需要在日誌分析工作區上授予您的服務主體(應用註冊)Azure RBAC 權限,以便它能夠讀取數據,這與您可能通過 Azure AD 授予的任何權限是分開的。