GCP Pub/Sub Audit Logs (Preview) Connector errors

[nov3mb3r]

Following all the steps in the documentation provided in https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=manual i am trying to set up a connector. However once I provide my subscription's details in the collector (just like in the picture an error appears)

I have tried uninstalling and reinstalling the connector as stated in this previous issue but no luck https://github.com/MicrosoftDocs/azure-docs/issues/119415

The new following error appears that either has to do with inefficient permissions.

{
  "code": "DeploymentFailed",
  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
  "details": [
    {
      "code": "BadRequest",
      "message": "Connectivity check failed: Status code:GCPB40001, Message: An unknown exception resulted in the failure to authenticate: Google.Apis.Requests.RequestError\r\nPermission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist). [403]\r\nErrors [\r\n\tMessage[Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).] Location[ - ] Reason[forbidden] Domain[global]\r\n]\r\n"
    }
  ]
}

---

Document Details

⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

• ID: 43f19491-9910-342b-b0c9-022a8418f043
• Version Independent ID: 299b7da8-ab37-1ca3-adbd-ef4e63683d7b
• Content: Ingest Google Cloud Platform log data into Microsoft Sentinel
• Content Source: articles/sentinel/connect-google-cloud-platform.md
• Service: microsoft-sentinel
• GitHub Login: @yelevin
• Microsoft Alias: yelevin

[RamanathanChinnappan-MSFT]

@nov3mb3r Thanks for your feedback! We will investigate and update as appropriate.

[yelevin]

@yaelrbergman Here's a continuation of what you were investigating.

[ejohn20]

@nov3mb3r - I just ran into this error message and it happened when my service account was in a different GCP project than the pub/sub subscription. After moving the service account into the same project as the pub/sub subscription, the connector works.

@yaelrbergman - can you confirm that using a central project in the org for all service accounts and granting x-project permissions to the subscription is not supported? This would require you to impersonate the service account in one project, and then use the token to access the subscription in a different project? I'm not sure if there is an assumption they are both using the same project id / number?

[batamig]

label:"backlog-item-created"

[SaibabaBalapur-MSFT]

@nov3mb3r I'm going to assign this to the document author so they can take a look at it accordingly.

[yaelrbergman]

@ejohn20 The service account and subscription must be in the same project.

To collect logs for resources throughout the entire organization:

Select your organization in the project selector.

Follow the instructions in the Google Cloud documentation to set up a sink for collecting logs.

Choose a Name that reflects the purpose of log collection for export to Microsoft Sentinel. Select "Cloud Pub/Sub topic" as the destination type, and choose the default "Use a Cloud Pub/Sub topic in a project". Enter the destination in the following format: pubsub.googleapis.com/projects/{PROJECT_ID}/topics/{TOPIC_ID}

And if you are using terraform: terraform apply -var="organization-id= {organizationId} "

[ejohn20]

@yaelrbergman - I think same project limitation should be documented if it's not already (it's very possible I missed it somewhere). Can we add that detail to the Set up GCP environment section?

Also, I realize that this is the docs repo. It is a pretty common architecture in GCP to centralize all service accounts in the org into a single project, and then grant permissions for those service accounts to resources housed in other projects. In this example, I would want the service account to live in our "identity" project. Then, I can grant the sentinel service account the consume and get permissions on the sentinel subscription that lives in the "logging" project. Is there a place to request this feature to be added to the data connector?

[nov3mb3r]

@ejohn20 Yes it is :) A more general question to everybody. Should the names(Service account/provider) on the GCP have a specific name? I tried replicating using exactly the documentation's names and one attempt with different ones. However the issues still persists

[yaelrbergman]

@nov3mb3r The naming we suggest for GCP is not mandatory. I don't think that's the issue's source

[yelevin]

@yaelrbergman - I think same project limitation should be documented if it's not already (it's very possible I missed it somewhere). Can we add that detail to the Set up GCP environment section?

@ejohn20 @nov3mb3r @yaelrbergman This requirement has been added to the documentation. Publishing of these changes is pending.

[yelevin]

A more general question to everybody. Should the names(Service account/provider) on the GCP have a specific name? I tried replicating using exactly the documentation's names and one attempt with different ones. However the issues still persists

@nov3mb3r Do you have a support ticket open for your persisting issue?

[batamig]

assign:yelevin

[yelevin]

I'm closing this issue for now. Feel free to comment further on this issue (don't open another one for the same problem). When support resolves this issue I will update the documentation further as necessary.

please-close