Unable to add service principle, groups to the $logs container in adls2

Praneeth H 26

Recently enabled storage analytics on ADLS Gen2 storage account.I can see the $logs container and the logs are writing to this on an hourly basis. But when I'm trying to add service principal to this container getting permission denied. I'm able to successfully add SP's to other containers from storage explorer but not to $logs, any special permission is required to achieve this?

HarithaMaddi-MSFT 10,136 Reputation points

2020-10-12T07:33:15.663+00:00

Hi @Praneeth H ,

Welcome to Microsoft Q&A Platform. Thanks for posting the query.

I was also facing this issue when I tried to add SP from Storage Explorer but the same was working from Azure Portal. I reached out to Product team to get more insights on this, I will get back to you as soon as I hear from them.

Thanks for your patience!
Praneeth H 26 Reputation points

2020-10-12T15:16:58.223+00:00

Thanks, were you able to add from IAM at the $logs container level?
HarithaMaddi-MSFT 10,136 Reputation points

2020-10-12T15:44:57.833+00:00

@Praneeth H - Yes, was able to add from IAM at the $logs container.
Praneeth H 26 Reputation points

2020-10-13T13:58:13.347+00:00

Thanks, this worked for me.
HarithaMaddi-MSFT 10,136 Reputation points

2020-10-14T07:52:03.537+00:00

Hi @Praneeth H - Thanks for confirming that alternative approach to add RBAC role from portal worked. When we add access from storage explorer, it corresponds to ACL(Access Control List) which is more granular compared to RBAC. Product team is looking into it and would like to know if there is any specific requirement to add ACL level permission for Service Principal to $logs container.

Please let us know the additional details as it would help us in assisting you better. Thanks for your patience!
HarithaMaddi-MSFT 10,136 Reputation points

2020-10-16T08:18:37.34+00:00

Hi @Praneeth H ,

We have not received a response from you. Can you please share additional details on the requirement as our product team requested for the info. Please let us know if workaround of RBAC role is sufficient for your scenario as that will help us to mark above workaround as answer which would be beneficial for all community members.

Looking forward for your response!

Accepted answer

HarithaMaddi-MSFT 10,136 Reputation points

2020-10-19T08:27:14.957+00:00
Thanks @Praneeth H for your patience. I got confirmation from Product team that the inability to set ACLs on $logs is by design. As confirmed earlier on the workaround of assigning RBAC permissions from portal, please suggest for any further queries and we will be glad to assist.

-----------------------------------------------------------------------------------------------------------------------------------

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Want a reminder to come back and check responses? Here is how to subscribe to a notification.
Please sign in to rate this answer.

1 person found this answer helpful.
HarithaMaddi-MSFT 10,136 Reputation points

2020-10-20T06:29:11.97+00:00

Hi @Praneeth H ,

We have not received a response from you. Please let us know if above details helped clarify the question and if workaround provided is helpful.

Please do consider to click on "Accept Answer" and "Up-vote" on the post that helps you, as it can be beneficial to other community members

HarithaMaddi-MSFT 10,136 Reputation points

2020-10-21T08:25:04.25+00:00

Hi @Praneeth H ,

We still have not heard back from you. Following up to check if above details helped clarify the question and if workaround provided is helpful.

Please do consider to click on "Accept Answer" and "Up-vote" on the post that helps you, as it can be beneficial to other community members
Sign in to comment

Share via

Unable to add service principle, groups to the $logs container in adls2

0 additional answers