I am trying to create event triggers for synapse pipelines, specifically for when a blob is created. When I create one and publish, I get the following error message:
The client '...guid...' with object id '...guid...' does not have authorization to perform action 'Microsoft.EventGrid/eventSubscriptions/write' over scope '/subscriptions/...guid.../resourceGroups/...subscription name.../providers/Microsoft.Storage/storageAccounts/...storage acc name.../providers/Microsoft.EventGrid/eventSubscriptions/...guid...' or the scope is invalid. If access was recently granted, please refresh your credentials.
Following other similar questions asked on this, I have the following permissions:
For synapse workspace:
For storage account:
The synapse workspace was also given the following permissions in the storage account:
The Synapse workspace and I are also granted access in Synapse Studio's access control.
From what I have read online, I have all the necessary permissions, but I am still getting the error after many days of trying. This is the only permission error I am facing, I am able to connect to storage / databases / key vault / logic apps / etc without any issues. It's only triggers I can't create.
Please let me know if anyone has a solution. Thanks!
The error usually occurs if the service principal does not have the required roles or permissions, like Microsoft.EventGrid/EventSubscriptions/Write, to perform the operation.
To resolve the error, follow the steps below to assign the proper role to the service principal:
First, find the service principal's name by searching for the client GUID from the error in Enterprise applications, like this:
Go to Azure Portal -> Azure Active Directory -> Enterprise applications -> Set filter to All Applications -> Enter the client GUID from the error in Search -> Copy Name
Now assign the Contributor role to the above service principal under your storage account, like below:
If you prefer to restrict permissions to least privilege, you can assign the EventGrid EventSubscription Contributor or EventGrid Contributor role to the service principal instead.
Make sure to register the resource providers below under your subscription, like this:
- Microsoft.EventGrid
- Microsoft.DataFactory
I created an event trigger in a Synapse pipeline based on blob creation, like below:
To confirm that, I uploaded blobs to the storage container, like below:
Whenever I uploaded blobs to the storage container, it triggered events successfully in the Synapse pipeline, like below:
References:
- Azure DevOps Exception: LinkedAuthorizationFailed - Stack Overflow (answer by Joy Wang)
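As an added example that is not part of the question or the answer above: the following Bash script takes an error message of the form shown in the question, extracts the principal's object id and the failing scope, derives the storage account scope at which the role has to be granted, and prints the Azure CLI commands that apply the least-privilege role and the two provider registrations the answer recommends. The GUIDs, the resource group name (rg-synapse) and the storage account name (stsynapsedemo) in the sample error are constructed; the commands are printed rather than executed so they can be reviewed before being run against a real subscription.

```bash
#!/usr/bin/env bash
# Added example, not code from the original question or answer.
# Parses a Synapse/Event Grid authorization error, derives the scope at which
# a role must be granted, and prints the Azure CLI remediation commands.
# All GUIDs, names and the error text below are constructed for illustration.

# Constructed sample of the error quoted in the question (GUIDs are fake).
SAMPLE_ERROR="The client '11111111-1111-1111-1111-111111111111' with object id '22222222-2222-2222-2222-222222222222' does not have authorization to perform action 'Microsoft.EventGrid/eventSubscriptions/write' over scope '/subscriptions/33333333-3333-3333-3333-333333333333/resourceGroups/rg-synapse/providers/Microsoft.Storage/storageAccounts/stsynapsedemo/providers/Microsoft.EventGrid/eventSubscriptions/44444444-4444-4444-4444-444444444444' or the scope is invalid. If access was recently granted, please refresh your credentials."

# The "client" GUID is the application (client) id you search for under
# Enterprise applications; the object id is what a role assignment needs.
error_client_id() {
    printf '%s\n' "$1" | sed -n "s/.*The client '\([^']*\)'.*/\1/p"
}

error_object_id() {
    printf '%s\n' "$1" | sed -n "s/.*with object id '\([^']*\)'.*/\1/p"
}

# Full scope reported in the error: the Event Grid event subscription that
# Synapse tried to create, nested under the storage account.
error_scope() {
    printf '%s\n' "$1" | sed -n "s/.*over scope '\([^']*\)'.*/\1/p"
}

# Roles are inherited downwards, so a role granted at the storage account
# scope covers the nested Event Grid resource. Strip the nested provider
# segment to get the scope to assign the role at.
storage_account_scope() {
    printf '%s\n' "$1" | sed 's#/providers/Microsoft\.EventGrid/.*$##'
}

# Print (do not run) the Azure CLI commands that remediate the error:
# 1. confirm which service principal the object id belongs to,
# 2. grant the least-privilege role at the storage account scope,
# 3. register the two resource providers and show their registration state.
remediation_commands() {
    err="$1"
    oid=$(error_object_id "$err")
    scope=$(storage_account_scope "$(error_scope "$err")")
    cat <<EOF
az ad sp show --id "$oid" --query displayName -o tsv
az role assignment create --assignee-object-id "$oid" --assignee-principal-type ServicePrincipal --role "EventGrid EventSubscription Contributor" --scope "$scope"
az provider register --namespace Microsoft.EventGrid
az provider register --namespace Microsoft.DataFactory
az provider show --namespace Microsoft.EventGrid --query registrationState -o tsv
az provider show --namespace Microsoft.DataFactory --query registrationState -o tsv
EOF
}

remediation_commands "$SAMPLE_ERROR"
```

Run the printed commands from an account that can create role assignments on the storage account (Owner or User Access Administrator, which carry Microsoft.Authorization/roleAssignments/write). The assignment is made at the storage account scope, one level above the failing eventSubscriptions scope, so it covers any Event Grid system topic Synapse creates under that account without granting Contributor over the whole account. After assigning the role, re-publish the trigger; as the error text itself says, a recently granted permission needs a credential refresh before it takes effect.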