MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

GCP Pub/Sub Audit Logs (Preview) Connector errors #119542

Closed nov3mb3r closed 8 months ago

nov3mb3r commented 9 months ago

Following all the steps in the documentation provided in https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=manual, I am trying to set up a connector. However, once I provide my subscription's details in the collector, an error appears (just like in the picture).

I have tried uninstalling and reinstalling the connector as stated in this previous issue, but no luck: https://github.com/MicrosoftDocs/azure-docs/issues/119415

The following new error appears, which seems to have to do with insufficient permissions.

{
  "code": "DeploymentFailed",
  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
  "details": [
    {
      "code": "BadRequest",
      "message": "Connectivity check failed: Status code:GCPB40001, Message: An unknown exception resulted in the failure to authenticate: Google.Apis.Requests.RequestError\r\nPermission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist). [403]\r\nErrors [\r\n\tMessage[Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).] Location[ - ] Reason[forbidden] Domain[global]\r\n]\r\n"
    }
  ]
}


RamanathanChinnappan-MSFT commented 9 months ago

@nov3mb3r Thanks for your feedback! We will investigate and update as appropriate.

yelevin commented 9 months ago

@yaelrbergman Here's a continuation of what you were investigating.

ejohn20 commented 9 months ago

@nov3mb3r - I just ran into this error message and it happened when my service account was in a different GCP project than the pub/sub subscription. After moving the service account into the same project as the pub/sub subscription, the connector works.

@yaelrbergman - can you confirm that using a central project in the org for all service accounts and granting x-project permissions to the subscription is not supported? This would require you to impersonate the service account in one project, and then use the token to access the subscription in a different project? I'm not sure if there is an assumption they are both using the same project id / number?

batamig commented 9 months ago

label:"backlog-item-created"

SaibabaBalapur-MSFT commented 9 months ago

@nov3mb3r I'm going to assign this to the document author so they can take a look at it accordingly.

yaelrbergman commented 9 months ago

@ejohn20 The service account and subscription must be in the same project.

To collect logs for resources throughout the entire organization:

Select your organization in the project selector.

Follow the instructions in the Google Cloud documentation to set up a sink for collecting logs.

Choose a Name that reflects the purpose of log collection for export to Microsoft Sentinel. Select "Cloud Pub/Sub topic" as the destination type, and choose the default "Use a Cloud Pub/Sub topic in a project". Enter the destination in the following format: pubsub.googleapis.com/projects/{PROJECT_ID}/topics/{TOPIC_ID}

And if you are using Terraform: terraform apply -var="organization-id={organizationId}"
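As an added example (not part of this thread or the Microsoft docs), a small pre-flight check that encodes the same-project requirement confirmed above and parses the connector's connectivity error for triage. The project-id and resource-name patterns are simplified assumptions, and all sample values are constructed.

```python
"""Pre-flight checks for the Microsoft Sentinel GCP Pub/Sub connector layout.

Added example, not project code. Encodes the requirement stated in the thread
(service account and Pub/Sub subscription in the same GCP project) and extracts
the status code / denied permission from the connector's DeploymentFailed detail.
"""
import re
from typing import Optional

# Service account emails embed the owning project: NAME@PROJECT_ID.iam.gserviceaccount.com
_SA_EMAIL = re.compile(r"^[^@\s]+@([a-z][a-z0-9-]+)\.iam\.gserviceaccount\.com$")
# Subscription resource name: projects/PROJECT_ID/subscriptions/SUBSCRIPTION_ID (simplified pattern)
_SUBSCRIPTION = re.compile(r"^projects/([a-z][a-z0-9-]+)/subscriptions/[A-Za-z][\w.~+%-]+$")
# Sink destination format quoted in the thread: pubsub.googleapis.com/projects/{PROJECT_ID}/topics/{TOPIC_ID}
_SINK_DEST = re.compile(r"^pubsub\.googleapis\.com/projects/([a-z][a-z0-9-]+)/topics/[A-Za-z][\w.~+%-]+$")
# Connector error text: "Status code:GCPB40001, Message: ... Permission 'x.y.z' denied ..."
_STATUS = re.compile(r"Status code:([A-Z0-9]+)")
_PERMISSION = re.compile(r"Permission '([\w.]+)' denied")


def _project_of(pattern: "re.Pattern", value: str, what: str) -> str:
    """Return the project id captured by pattern, or fail loudly on a malformed value."""
    m = pattern.match(value)
    if not m:
        raise ValueError(f"malformed {what}: {value!r}")
    return m.group(1)


def preflight(service_account: str, subscription: str, sink_destination: Optional[str] = None) -> list:
    """Return findings; an empty list means the layout satisfies the documented requirement."""
    findings = []
    sa_project = _project_of(_SA_EMAIL, service_account, "service account email")
    sub_project = _project_of(_SUBSCRIPTION, subscription, "subscription name")
    if sa_project != sub_project:
        findings.append(
            f"service account is in project {sa_project!r} but the subscription is in {sub_project!r}; "
            "the connector requires both in the same project (the mismatch reported in this thread)"
        )
    if sink_destination is not None:
        # Only the destination format is validated; the sink's topic project is not constrained here.
        _project_of(_SINK_DEST, sink_destination, "sink destination")
    return findings


def classify_connectivity_error(message: str) -> dict:
    """Extract the connector status code and the denied IAM permission from a BadRequest detail message."""
    status = _STATUS.search(message)
    perm = _PERMISSION.search(message)
    return {
        "status_code": status.group(1) if status else None,
        "permission": perm.group(1) if perm else None,
    }
```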

ejohn20 commented 9 months ago

@yaelrbergman - I think the same-project limitation should be documented if it's not already (it's very possible I missed it somewhere). Can we add that detail to the Set up GCP environment section?

Also, I realize that this is the docs repo. It is a pretty common architecture in GCP to centralize all service accounts in the org into a single project, and then grant permissions for those service accounts to resources housed in other projects. In this example, I would want the service account to live in our "identity" project. Then, I can grant the sentinel service account the consume and get permissions on the sentinel subscription that lives in the "logging" project. Is there a place to request this feature to be added to the data connector?

nov3mb3r commented 9 months ago

@ejohn20 Yes it is :) A more general question to everybody: should the names (service account/provider) on GCP have a specific name? I tried replicating using exactly the documentation's names and one attempt with different ones. However, the issue still persists.

yaelrbergman commented 9 months ago

@nov3mb3r The naming we suggest for GCP is not mandatory. I don't think that's the issue's source.

yelevin commented 8 months ago

> @yaelrbergman - I think same project limitation should be documented if it's not already (it's very possible I missed it somewhere). Can we add that detail to the Set up GCP environment section?

@ejohn20 @nov3mb3r @yaelrbergman This requirement has been added to the documentation. Publishing of these changes is pending.

yelevin commented 8 months ago

> A more general question to everybody. Should the names(Service account/provider) on the GCP have a specific name? I tried replicating using exactly the documentation's names and one attempt with different ones. However the issues still persists

@nov3mb3r Do you have a support ticket open for your persisting issue?

batamig commented 8 months ago

assign:yelevin

yelevin commented 8 months ago

I'm closing this issue for now. Feel free to comment further on this issue (don't open another one for the same problem). When support resolves this issue I will update the documentation further as necessary.

please-close