2

I'm writing a python script that is intended to create Event Grid Topics.

I'm following a couple of Microsoft tutorials and Github repos and have written some python code to create topics.


Python samples: https://learn.microsoft.com/en-us/samples/azure-samples/event-grid-python-public-consume-events/event-grid-python-public-consume-events/

Github Repos: https://github.com/Azure-Samples/event-grid-python-public-consume-events

Azure Service Principal: https://azure.microsoft.com/documentation/articles/resource-group-create-service-principal-portal


I've come up with this python code (imports added for completeness; the SDK versions in the tutorial use `azure-common` credentials and `azure-mgmt-eventgrid`):

    from azure.common.credentials import ServicePrincipalCredentials
    from azure.mgmt.eventgrid import EventGridManagementClient
    from azure.mgmt.eventgrid.models import Topic


    def CreateOrUpdateTopics(subscriptionId, clientId, clientSecret, tenantId, resourceGroup, location, topics):
        # Authenticate as the service principal (app registration) using its client secret
        credentials = ServicePrincipalCredentials(
            client_id=clientId,
            secret=clientSecret,
            tenant=tenantId
        )

        print("\nCreate event grid management client")
        event_grid_client = EventGridManagementClient(credentials, subscriptionId)

        for topic in topics:
            print(f'\nCreating EventGrid topic {topic}')
            # create_or_update is a long-running operation and returns a poller, not the topic
            topic_result_poller = event_grid_client.topics.create_or_update(
                resourceGroup,
                topic,
                Topic(
                    location=location,
                    tags={'createdBy': 'MCCC'}
                ))
            # Blocking call: waits for the ARM operation to finish
            topic_result = topic_result_poller.result()

            ## ERROR SHOWS UP HERE
            print(topic_result)

When I execute the code I receive a message

The client 'zzzz' with object id 'zzzz' does not have authorization to perform action 'Microsoft.EventGrid/topics/write' over scope '/subscriptions/zzz/resourceGroups/MCCC-RG/providers/Microsoft.EventGrid/topics/Temperature' or the scope is invalid. If access was recently granted, please refresh your credentials.

I registered a new app in Azure Active Directory:

[screenshot of the app registration]

I've also assigned a role to the resource group for the SP.

[screenshot of the role assignment on the resource group]

It seems like I'm missing some role access on my service principal, though I can't seem to find a reference to what it should be.

Could you please point me in the right direction?

Darren Wainwright
  • 30,247
  • 21
  • 76
  • 127

3 Answers

2

Looking at the role definition of EventGrid EventSubscription Contributor, it does not have the permission to perform the Microsoft.EventGrid/topics/write action. Only the following actions are allowed:

      "Microsoft.Authorization/*/read",
      "Microsoft.EventGrid/eventSubscriptions/*",
      "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
      "Microsoft.EventGrid/locations/eventSubscriptions/read",
      "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
      "Microsoft.Insights/alertRules/*",
      "Microsoft.Resources/deployments/*",
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Support/*"

What you would need to do is to create a Custom Role that has Microsoft.EventGrid/topics/write as one of the allowed actions.

From the same link, here's one definition of custom role that you could create and use:

{
  "Name": "Event grid contributor role",
  "Id": "4BA6FB33-2955-491B-A74F-53C9126C9514",
  "IsCustom": true,
  "Description": "Event grid contributor role",
  "Actions": [
    "Microsoft.EventGrid/*/write",
    "Microsoft.EventGrid/*/delete",
    "Microsoft.EventGrid/topics/listkeys/action",
    "Microsoft.EventGrid/topics/regenerateKey/action",
    "Microsoft.EventGrid/eventSubscriptions/getFullUrl/action"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/<Subscription id>"
  ]
}
Gaurav Mantri
  • 128,066
  • 12
  • 206
  • 241
  • Argh, I suspected that might be the case. I read about the contributor roles limits and hoped there was another way; I believe custom roles require an AD that isn't on the free sku. Thanks for the response. – Darren Wainwright Mar 24 '20 at 13:06
  • `I believe custom roles require an AD that isn't on the free sku` - That's not true. This is Azure Subscription RBAC Role and not Azure AD Role and you should be able to create in your Azure Subscription. – Gaurav Mantri Mar 24 '20 at 13:10
  • Worked perfectly. Thanks so much! – Darren Wainwright Mar 25 '20 at 22:35
1

For anyone coming back to this, I'd recommend leveraging the built-in "EventGrid Contributor" role rather than creating your own unless there is a very specific reason you need to do so: if you need both Microsoft.EventGrid/*/write and Microsoft.EventGrid/*/delete then you are probably safe to simply use Microsoft.EventGrid/*.

EDIT:

Side note in case anyone else gets stuck on the same thing I did: it turns out that the EventGrid Contributor roles don't actually allow any data actions. Only "EventGrid Data Sender" can send, which is quite a bizarre gap since "EventGrid Contributor" has wildcard access to all non-data EventGrid actions.

"dataActions": [
  "Microsoft.EventGrid/events/send/action"
],

TL;DR: if you have an identity that both manages topics and publishes events, that identity will need a role assignment for the "Data Sender" role as well as one of the "Contributor" roles... or you roll your own custom one for a single assignment.

Brad Lucas
  • 175
  • 10
0

If you've experienced this issue:

Issue: The client 'XXXXXXXXX' with object id 'XXXXXXXXXXXX' does not have authorization to perform action 'Microsoft.EventGrid/eventSubscriptions/write' over scope '/subscriptions/XXX/resourceGroups/XXX/providers/Microsoft.KeyVault/vaults/XXXX/providers/Microsoft.EventGrid/eventSubscriptions/XXXX' or the scope is invalid.

Resolution: Assign the RBAC role "EventGrid EventSubscription Contributor" to the app registration you used to connect.

Note: You may experience this with either an event subscription or a topic; in both scenarios it is Event Grid that handles it.

Rohit Tatiya
  • 361
  • 2
  • 7
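The three answers above turn on the same question: does the role assigned to the service principal grant the exact action named in the AuthorizationFailed message, at a scope that covers the failing resource? The following is an added example (not code from the question or from any of the answerers) that models Azure RBAC evaluation closely enough to check that offline: it parses the error text quoted in the question, applies Azure's wildcard matching (`*` stands for any run of characters, slashes included, and operation names are case-insensitive), subtracts NotActions, keeps control-plane Actions and data-plane DataActions as separate sets, and checks that the assignment scope is a parent of the resource scope. The role definitions are constructed from the action lists quoted in the answers only; "EventGrid Contributor" and "EventGrid Data Sender" are modelled by the single patterns the second answer cites, not by their full built-in definitions.

```python
import re

# Constructed role definitions for this example, restricted to the action lists quoted in the
# answers above; they are not full copies of Azure's built-in roles.
ROLES = {
    "EventGrid EventSubscription Contributor": {
        "Actions": [
            "Microsoft.Authorization/*/read",
            "Microsoft.EventGrid/eventSubscriptions/*",
            "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
            "Microsoft.EventGrid/locations/eventSubscriptions/read",
            "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
            "Microsoft.Insights/alertRules/*",
            "Microsoft.Resources/deployments/*",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
            "Microsoft.Support/*",
        ],
    },
    # Custom role from the accepted answer.
    "Event grid contributor role": {
        "Actions": [
            "Microsoft.EventGrid/*/write",
            "Microsoft.EventGrid/*/delete",
            "Microsoft.EventGrid/topics/listkeys/action",
            "Microsoft.EventGrid/topics/regenerateKey/action",
            "Microsoft.EventGrid/eventSubscriptions/getFullUrl/action",
        ],
    },
    # Built-in roles, modelled only by the patterns the second answer cites (assumption).
    "EventGrid Contributor": {"Actions": ["Microsoft.EventGrid/*"]},
    "EventGrid Data Sender": {"DataActions": ["Microsoft.EventGrid/events/send/action"]},
}

# The AuthorizationFailed text from the question, placeholders left as posted (constructed input).
SAMPLE_ERROR = (
    "The client 'zzzz' with object id 'zzzz' does not have authorization to perform action "
    "'Microsoft.EventGrid/topics/write' over scope '/subscriptions/zzz/resourceGroups/MCCC-RG"
    "/providers/Microsoft.EventGrid/topics/Temperature' or the scope is invalid."
)

_AUTHZ_RE = re.compile(r"perform action '(?P<action>[^']+)' over scope '(?P<scope>[^']+)'")


def parse_authorization_failed(message):
    """Return (action, scope) from an AuthorizationFailed message, or None if it is not one."""
    m = _AUTHZ_RE.search(message)
    return (m.group("action"), m.group("scope")) if m else None


def action_matches(pattern, action):
    """Azure RBAC wildcard match: '*' stands for any run of characters, slashes included,
    so 'Microsoft.EventGrid/*/write' covers topics/write and eventSubscriptions/write.
    Operation names are compared case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def role_allows(role, action, data_action=False):
    """Effective permission = allow list minus deny list, evaluated separately for the control
    plane (Actions/NotActions) and the data plane (DataActions/NotDataActions). The two sets
    never cross: 'Microsoft.EventGrid/*' under Actions does not grant events/send/action."""
    allow_key, deny_key = ("DataActions", "NotDataActions") if data_action else ("Actions", "NotActions")
    allow = role.get(allow_key, [])
    deny = role.get(deny_key, [])
    return any(action_matches(p, action) for p in allow) and not any(action_matches(p, action) for p in deny)


def scope_covers(assignment_scope, resource_scope):
    """An assignment applies at its scope and everything beneath it; compare path segments
    case-insensitively so a resource-group assignment covers a topic inside that group."""
    a = assignment_scope.strip("/").lower().split("/")
    r = resource_scope.strip("/").lower().split("/")
    return r[: len(a)] == a


def diagnose(message, assignments, data_action=False):
    """assignments: list of (role_name, assignment_scope) held by the failing principal.
    Returns the role names that satisfy the denied request; an empty list means the
    AuthorizationFailed error is expected and a role granting that action must be added."""
    parsed = parse_authorization_failed(message)
    if parsed is None:
        raise ValueError("not an AuthorizationFailed message")
    action, scope = parsed
    return [
        name for name, assigned_at in assignments
        if scope_covers(assigned_at, scope) and role_allows(ROLES[name], action, data_action)
    ]


if __name__ == "__main__":
    rg = "/subscriptions/zzz/resourceGroups/MCCC-RG"
    print(diagnose(SAMPLE_ERROR, [("EventGrid EventSubscription Contributor", rg)]))  # []
    print(diagnose(SAMPLE_ERROR, [("Event grid contributor role", rg)]))  # ['Event grid contributor role']
```

Run against the question's message, the EventSubscription Contributor assignment on MCCC-RG yields no granting role, which is exactly the denial the question hit, while either the custom role or the `Microsoft.EventGrid/*` contributor grants it. Passing `data_action=True` for `Microsoft.EventGrid/events/send/action` shows the second answer's point: the control-plane wildcard contributes nothing, and only the Data Sender role satisfies the request.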