Creating an EventHub with capture configuration using Bicep script fails saying the user does not have the required data plane write permissions

Stoian, Claudiu 20 Reputation points
2024-05-29T06:04:22.3266667+00:00

I'm running a bicep script to create a couple of resources in my resource group. When it comes to event hub, I would like to use the capture functionality to store events inside a storage account gen 2. The bicep script is running from DevOps pipeline using a user assigned managed identity which has Storage Blob Data Contributor assigned in the scope of the storage account. The event hub creation fails with the following error:

SubCode=40000. Generic: Linked access check failed for capture storage destination /subscriptions/********-****-****-****-************/resourceGroups/****01/providers/Microsoft.Storage/storageAccounts/*****01. User or the application with object id 4f54f0d7-29a9-4e4c-8b04-************ making the request doesn't have the required data plane write permissions. Please enable Microsoft.Storage/storageAccounts/blobServices/containers/write, Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write permission(s) on above resource for the user or the application and retry. TrackingId:ce8baea8-4020-4f0c-a8d7-23a35c65c96f_G30, SystemTracker:xabac-joule-eh-dev-01.servicebus.windows.net:trades, Timestamp:2024-05-27T08:13:22 (Code: MessagingGatewayBadRequest)

dapnpstortrading01 is the storage account where I would like to store the events.

4f54f0d7-29a9-4e4c-8b04--------- is the object id for the user assigned managed identity used by the pipeline to create resources.

What is the problem here?

Thank you!


Accepted answer
    PRADEEPCHEEKATLA-MSFT 83,966 Reputation points Microsoft Employee
    2024-05-29T07:38:31.4566667+00:00

    @Stoian, Claudiu - Thanks for the question and using MS Q&A platform.

    The error message indicates that the user assigned managed identity used by the pipeline to create resources does not have the required data plane write permissions on the storage account. Specifically, the error message suggests that the Microsoft.Storage/storageAccounts/blobServices/containers/write and Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write permissions need to be enabled on the storage account for the user or the application.

    You mentioned that the user assigned managed identity has Storage Blob Data Contributor assigned in the scope of the storage account. However, this role does not include the required permissions mentioned in the error message.

    To resolve the issue, you need to grant the user assigned managed identity Storage Blob Data Owner permissions on the storage account. You can do this by adding a role assignment for the managed identity on the storage account with the required permissions. Specifically, you need to add the Microsoft.Storage/storageAccounts/blobServices/containers/write and Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write permissions to the role assignment.

    Once you have added the required permissions to the role assignment, you should be able to create the event hub with capture configuration using the Bicep script without any issues.

    For more details, refer to Capture events through Azure Event Hubs in Azure Blob Storage or Azure Data Lake Storage - Azure Storage account as a destination

    Hope this helps. Do let us know if you have any further queries.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

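The following Bicep module shows the shape of what the accepted answer describes: a role assignment for the pipeline's user assigned managed identity on the storage account, created before the Event Hub with capture enabled so the deployment-time access check sees it. This is an added example, not code from the question or the answer. All parameter names, the container name, and the Event Hubs namespace and hub settings are assumptions for illustration; the role definition GUID is the documented built-in id for Storage Blob Data Owner and should be confirmed in your tenant with `az role definition list --name "Storage Blob Data Owner"` before relying on it.

```bicep
// Added example (not from the original Q&A). Assumes the storage account already
// exists in the same resource group as this deployment.
param location string = resourceGroup().location
param storageAccountName string
param captureContainerName string = 'eventhub-capture' // assumed container name
param namespaceName string
param eventHubName string
// Object id (principal id) of the user assigned managed identity the pipeline runs as.
param pipelineIdentityPrincipalId string

// Built-in role definition id for Storage Blob Data Owner (verify in your tenant).
var storageBlobDataOwnerRoleId = 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b'

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}

resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' existing = {
  parent: storage
  name: 'default'
}

// Container that capture writes into.
resource captureContainer 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-01-01' = {
  parent: blobService
  name: captureContainerName
}

// Role assignment scoped to the storage account only, not the resource group or
// subscription, so the identity gains data-plane write rights on this account alone.
resource captureWriterRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storage.id, pipelineIdentityPrincipalId, storageBlobDataOwnerRoleId)
  scope: storage
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', storageBlobDataOwnerRoleId)
    principalId: pipelineIdentityPrincipalId
    // Stating the principal type avoids failures caused by directory replication lag
    // when the assignment is created right after the identity.
    principalType: 'ServicePrincipal'
  }
}

// Capture requires Standard tier or above.
resource ns 'Microsoft.EventHub/namespaces@2024-01-01' = {
  name: namespaceName
  location: location
  sku: {
    name: 'Standard'
    tier: 'Standard'
  }
}

resource hub 'Microsoft.EventHub/namespaces/eventhubs@2024-01-01' = {
  parent: ns
  name: eventHubName
  properties: {
    partitionCount: 2
    messageRetentionInDays: 1
    captureDescription: {
      enabled: true
      encoding: 'Avro'
      intervalInSeconds: 300
      sizeLimitInBytes: 314572800
      destination: {
        name: 'EventHubArchive.AzureBlockBlob'
        properties: {
          storageAccountResourceId: storage.id
          blobContainer: captureContainer.name
          archiveNameFormat: '{Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}'
        }
      }
    }
  }
  // Make the role assignment a hard dependency so the hub is not created before it.
  dependsOn: [
    captureWriterRole
  ]
}
```

Two practical points when using this pattern: RBAC propagation is eventual, so a freshly created assignment can still fail the linked access check on the first run even with `dependsOn` in place, and a retry of the pipeline a minute or two later typically succeeds; and because Storage Blob Data Owner is broader than Storage Blob Data Contributor, keep the assignment scoped to the capture storage account (as above) rather than granting it at resource group or subscription scope.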
