Azure / logicapps

Azure Logic Apps labs, samples, and tools
MIT License

Run KQL query action through user managed identity gets 403 when logic app's system managed identity is enabled #1222

Open nanma321 opened 3 weeks ago

nanma321 commented 3 weeks ago

Describe the Bug

In the standard logic app deployed from Azure Portal, the system managed identity is enabled by default. However, the workflow action "Run KQL query" from connector Azure Data Explorer gets a 403 forbidden error through user managed identity authentication (see below for the error message), unless the logic app's system managed identity is disabled.

Error message:

Error from token exchange: Permission denied due to missing connection ACL: User = <User managed identity's principal Id>@<User managed identity's tenant Id> appid=<User managed identity's principal Id>, connection=logic-apis-eastus/kusto/<GUID>

Plan Type

Standard

Steps to Reproduce the Bug or Issue

  1. Deploy a standard logic app through the portal, which should have the system managed identity enabled
  2. Add a user managed identity that has access to a Kusto cluster to the logic app
  3. Create a workflow and add a "Run KQL query" action. Specify that the authentication is through the user managed identity
  4. Run the workflow, which returns a 403 Forbidden on the KQL query action

Additionally, I repeated the steps below a couple of times, which shows consistent behavior: having both the system MI and the UMI together yields 403:

  1. Disable the system managed identity. Using the existing connector with the UMI yields 403 Forbidden, but creating a new connector with the same UMI works.
  2. Re-enable the system managed identity. Using the existing UMI works, but creating a new connector with the same UMI yields 403 again.

Workflow JSON

{
    "definition": {
        "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
        "actions": {
            "Run_KQL_query": {
                "type": "ApiConnection",
                "inputs": {
                    "host": {
                        "connection": {
                            "referenceName": <Kusto connection name>
                        }
                    },
                    "method": "post",
                    "body": {
                        "cluster": <Kusto cluster endpoint>,
                        "db": <Kusto DB name>,
                        "csl": <Some simple query like take 5 from a table>
                    },
                    "path": "/ListKustoResults/false"
                },
                "runAfter": {}
            }
        },
        "contentVersion": "1.0.0.0",
        "outputs": {},
        "triggers": {
            "Recurrence": {
                "type": "Recurrence",
                "recurrence": {
                    "interval": 1,
                    "frequency": "Week"
                }
            }
        }
    },
    "kind": "Stateful"
}

Screenshots or Videos

No response

Additional context

No response
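The "missing connection ACL" error quoted in this issue names the principal that failed token exchange and the API connection it was exchanged for. The following added diagnostic (example code, not part of the Azure/logicapps repository) parses that error line and compares the named identity with the identities granted on the connection, so you can tell whether the connection's ACL was created for the system identity rather than the user managed identity. The (objectId, tenantId) shape of the connection ACL and the sample GUIDs are assumptions constructed for the example.

```python
import re

# Constructed sample identities (placeholders, not real GUIDs).
UMI_ID = "11111111-1111-1111-1111-111111111111"
SYSTEM_ID = "22222222-2222-2222-2222-222222222222"
TENANT = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
SAMPLE_IDENTITIES = {"system": SYSTEM_ID, "umi-kusto": UMI_ID}
# Constructed: a connection ACL that only names the system identity.
SAMPLE_ACL = [(SYSTEM_ID, TENANT)]
# Constructed error line in the format quoted in the issue.
SAMPLE_ERROR = (
    "Error from token exchange: Permission denied due to missing connection ACL: "
    f"User = {UMI_ID}@{TENANT} appid={UMI_ID}, connection=logic-apis-eastus/kusto/<GUID>"
)

TOKEN_EXCHANGE_ERROR = re.compile(
    r"missing connection ACL: User = (?P<principal>[0-9a-f-]{36})@(?P<tenant>[0-9a-f-]{36}) "
    r"appid=(?P<appid>[0-9a-f-]{36}), connection=(?P<connection>\S+)"
)

def parse_acl_error(message):
    """Return the principal, tenant, appid and connection named in the 403, or None."""
    m = TOKEN_EXCHANGE_ERROR.search(message)
    return m.groupdict() if m else None

def diagnose(message, connection_acl, logicapp_identities):
    """Compare the identity that failed token exchange with the connection's ACL.
    connection_acl: (objectId, tenantId) pairs granted on the API connection
    (assumed shape of its access policies). logicapp_identities: name -> objectId
    for every identity assigned to the logic app."""
    err = parse_acl_error(message)
    if err is None:
        return {"status": "not-an-acl-error"}
    granted = {(o.lower(), t.lower()) for o, t in connection_acl}
    caller = (err["principal"].lower(), err["tenant"].lower())
    if caller in granted:
        return {"status": "acl-present", "connection": err["connection"]}
    by_oid = lambda oid: [n for n, v in logicapp_identities.items() if v.lower() == oid]
    return {
        "status": "acl-missing",
        "connection": err["connection"],
        "caller": by_oid(caller[0]),          # which assigned identity actually called
        "granted_to": [n for o, _ in granted for n in by_oid(o)],  # who the ACL names
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE_ERROR, SAMPLE_ACL, SAMPLE_IDENTITIES))
```

With the constructed sample the result is `acl-missing`, caller `umi-kusto`, ACL granted to `system`, which matches the behavior described above where the connection created while the system identity was enabled rejects the UMI.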