0

I am trying to create event triggers for synapse pipelines, specifically for when a blob is created. When I create one and publish, I get the following error message:

The client '...guid...' with object id '...guid...' does not have authorization to perform action 'Microsoft.EventGrid/eventSubscriptions/write' over scope '/subscriptions/...guid.../resourceGroups/...subscription name.../providers/Microsoft.Storage/storageAccounts/...storage acc name.../providers/Microsoft.EventGrid/eventSubscriptions/...guid...' or the scope is invalid. If access was recently granted, please refresh your credentials.

Following other similar questions asked on this, I have the following permissions:

For synapse workspace:

  • Contributor
  • EventGrid Contributor

For storage account:

  • Contributor
  • EventGrid Contributor
  • Storage Account Contributor

The synapse workspace was also given the following permissions in the storage account:

  • Contributor
  • Storage Blob Data Contributor
  • Storage Account Contributor

The synapse workspace and I are also granted access in the synapse studios access control.

From what I have read online, I have all the necessary permissions, but I am still getting the error after many days of trying. This is the only permission error I am facing, I am able to connect to storage / databases / key vault / logic apps / etc without any issues. It's only triggers I can't create.

Please let me know if anyone has a solution. Thanks!

Daniel Mann
  • 57,011
  • 13
  • 100
  • 120
Chad Goldsworthy
  • 69
  • 1
  • 7
  • 1
    Search client GUID from error in **Enterprise Applications** of your Azure AD tenant by selecting *All applications* and find service principal name. After getting name, assign `Contributor` role to that service principal under your storage account. – Sridevi May 20 '23 at 07:09

1 Answers1

2

The error usually occurs if the service principal does not have required roles or permissions like Microsoft.EventGrid/EventSubscriptions/Write to perform the operation.

To resolve the error, you can follow below steps by assigning proper role to service principal:

Initially, find service principal name by searching client guid from error in Enterprise Applications like this:

Go to Azure Portal -> Azure Active Directory -> Enterprise applications -> Set filter to All Applications -> Enter client GUID from error in Search -> Copy Name

enter image description here

Now assign Contributor role to above service principal under your storage account like below:

enter image description here

If you prefer to restrict permissions to least privileges, you can assign EventGrid EventSubscription Contributor or EventGrid Contributor role to the service principal.

Make sure to register below resource providers under your subscription like this:

Microsoft.EventGrid:

enter image description here

Microsoft.DataFactory:

enter image description here

I created one event trigger in Synapse pipeline based on blob creation like below:

enter image description here

To confirm that, I uploaded blobs to storage container like below:

enter image description here

Whenever I uploaded blobs to storage container, it triggered events successfully in Synapse pipeline like below:

enter image description here

References:

Failed to Subscribe / Failed to Activate Storage Event Trigger in Azure Synapse Analytics by Cathrine Wilhelmsen

Azure DevOps Exception: LinkedAuthorizationFailed - Stack Overflow by Joy Wang

Sridevi
  • 10,599
  • 1
  • 4
  • 17