
Why am I getting an authorization failed exception for creating a webhook for a runbook?


I am trying to create a webhook for a runbook that I created. In the UI, the "New Webhook" button is greyed out and unable to be selected. When I attempt the New-AzureRmAutomationWebhook PowerShell command, it fails with the following exception:

New-AzureRmAutomationWebhook : AuthorizationFailed: The client '*****' with object id '******-****-****-****-**********' does not have authorization to perform action 'Microsoft.Automation/automationAccounts/webhooks/action' over scope '/subscriptions/*****/resourceGroups/*******/providers/Microsoft.Automation/automationAccounts/********/webhooks/generateUri' where asterisks are my account specific information.

I am part of a group that is an owner of the resource group that the runbook and automation account are in. What are some reasons that I could be seeing this error and how can I remedy it?

Thanks!


Solution

If I understand correctly, you are able to successfully create the runbook but receive the above authZ exception when you attempt to create the webhook for the runbook? This certainly looks like an RBAC issue, so the first thing I would suggest you check is your RBAC assignments on the Automation account. You can view the roles assigned to you via the Azure Portal or PowerShell using Get-AzureRmRoleAssignment.

Ensure that you have the "Owner" role on the resource group hosting the Automation account. I can confirm that the "Owner" role on the resource group is all you need to create the webhook alias. The fact that the button is greyed out suggests you may be missing a required role assignment, which is causing the failure. Also check to see if you have any Azure management policies on your subscription (or resource group) blocking creation of webhook resources.

The only other way the button may be greyed out is if the runbook is in draft mode and hasn't been published, as you can only create a webhook for a published runbook. That said, the error you would receive will specifically state there is no published version associated with the runbook, which doesn't seem to be the case in your scenario.

Here are a few resources that may be helpful:

1. Managing RBAC assignments for Azure Automation
2. Starting an Azure Automation Runbook with a Webhook
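
The checks suggested in the answer above can be run in one pass. This is an added example, not part of the original answer; it assumes the AzureRM modules are installed and a session is already signed in, and every subscription, resource group, account, runbook and user name in it is a constructed placeholder.

```powershell
# Constructed placeholder values; replace with your own.
$SubscriptionId    = '00000000-0000-0000-0000-000000000000'
$ResourceGroup     = 'example-rg'
$AutomationAccount = 'example-automation'
$RunbookName       = 'example-runbook'
$SignInName        = 'user@example.com'

# Action named in the AuthorizationFailed message.
$RequiredAction = 'Microsoft.Automation/automationAccounts/webhooks/action'
$RgScope      = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup"
$AccountScope = "$RgScope/providers/Microsoft.Automation/automationAccounts/$AutomationAccount"

# 1. Role assignments for the user, including ones inherited through group
#    membership, limited to scopes at or above the Automation account.
$assignments = Get-AzureRmRoleAssignment -SignInName $SignInName -ExpandPrincipalGroups |
    Where-Object {
        $s = $_.Scope.TrimEnd('/')
        $s -eq '' -or $AccountScope -eq $s -or
            $AccountScope.StartsWith("$s/", [StringComparison]::OrdinalIgnoreCase)
    }

# 2. For each assigned role, test whether Actions minus NotActions covers the
#    required action. Role action patterns use '*' wildcards, which -like matches.
$report = foreach ($a in $assignments) {
    $def     = Get-AzureRmRoleDefinition -Name $a.RoleDefinitionName
    $allowed = [bool]($def.Actions    | Where-Object { $RequiredAction -like $_ })
    $denied  = [bool]($def.NotActions | Where-Object { $RequiredAction -like $_ })
    [pscustomobject]@{
        Role   = $a.RoleDefinitionName
        Via    = $a.DisplayName   # the user or the group holding the assignment
        Scope  = $a.Scope
        Grants = $allowed -and -not $denied
    }
}
$report | Format-Table -AutoSize
if (-not ($report | Where-Object Grants)) {
    Write-Warning "No role assignment grants $RequiredAction on $AccountScope"
}

# 3. A webhook can only be created for a published runbook.
$runbook = Get-AzureRmAutomationRunbook -ResourceGroupName $ResourceGroup `
    -AutomationAccountName $AutomationAccount -Name $RunbookName
"Runbook state: $($runbook.State)"

# 4. Policy assignments at the resource group scope that could block creation.
Get-AzureRmPolicyAssignment -Scope $RgScope | Select-Object Name, ResourceId
```

An empty report in step 2 means the group's Owner assignment is not being resolved for this user at that scope, which matches the greyed-out button described in the question.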