Synapse Pipeline Storage Trigger - client does not have authorization to perform action 'Microsoft.EventGrid/eventSubscriptions/write'
I am trying to create event triggers for synapse pipelines, specifically for when a blob is created. When I create one and publish, I get the following error message:
The client '...guid...' with object id '...guid...' does not have authorization to perform action 'Microsoft.EventGrid/eventSubscriptions/write' over scope '/subscriptions/...guid.../resourceGroups/...subscription name.../providers/Microsoft.Storage/storageAccounts/...storage acc name.../providers/Microsoft.EventGrid/eventSubscriptions/...guid...' or the scope is invalid. If access was recently granted, please refresh your credentials.
Following other similar questions asked on this, I have the following permissions:
For synapse workspace:
- Contributor
- EventGrid Contributor
For storage account:
- Contributor
- EventGrid Contributor
- Storage Account Contributor
The synapse workspace was also given the following permissions in the storage account:
- Contributor
- Storage Blob Data Contributor
- Storage Account Contributor
The synapse workspace and I are also granted access in the synapse studios access control.
From what I have read online, I have all the necessary permissions, but I am still getting the error after many days of trying. This is the only permission error I am facing, I am able to connect to storage / databases / key vault / logic apps / etc without any issues. It's only triggers I can't create.
Please let me know if anyone has a solution. Thanks!
The error usually occurs if the service principal does not have required roles or permissions like Microsoft.EventGrid/EventSubscriptions/Write to perform the operation.
To resolve the error, you can follow below steps by assigning proper role to service principal:
Initially, find service principal name by searching client guid from error in Enterprise Applications like this:
Go to Azure Portal -> Azure Active Directory -> Enterprise applications -> Set filter to All Applications -> Enter client GUID from error in Search -> Copy Name
Now assign Contributor role to above service principal under your storage account like below:
If you prefer to restrict permissions to least privileges, you can assign EventGrid EventSubscription Contributor or EventGrid Contributor role to the service principal.
Make sure to register below resource providers under your subscription like this:
Microsoft.EventGrid:
Microsoft.DataFactory:
I created one event trigger in Synapse pipeline based on blob creation like below:
To confirm that, I uploaded blobs to storage container like below:
Whenever I uploaded blobs to storage container, it triggered events successfully in Synapse pipeline like below:
References:
Azure DevOps Exception: LinkedAuthorizationFailed - Stack Overflow by Joy Wang
- C# API - Provide download of files from Azure Blobstorage
- Zip Azure Storage Files and Return File from Web API returns corrupted files when unzipped
- How to generate an azure blob url with SAS signature in nodejs sdk v12?
- AddDataProtection().PersistKeysToAzureBlobStorage().ProtectKeysWithAzureKeyVault() getting httpVerb Error while accessing the blob storage
- Synchronise Azure files to blob store
- Terraform: Error: retrieving static website properties for Storage Account (Subscription: *** : context deadline exceeded
- How to create zip from multiple azure blob files?
- How do I display PDF/image documents stored in Azure storage using Flask + Flutter
- InvalidUri error when transfering the whole OneNote to blob storage
- Azure Storage - track last access time for files
- If blob storage container is private will azure functions need to use sas tokens to access?
- Copy Data From Azure Blob Storage to AWS S3
- Integrating EclipseStream with Micronaut and Azure
- Fast parallel upload of many blobs to Azure in .NET
- Inner function as callback not called
- How can I use Azurite in a command line application?
- How to use Azure.Storage.Blobs.BlobClient.ExistsAsync()?
- how to Skip Api Version Check for Azure blob storage in .NET Aspire
- Blocker when adding a blob action in the logic app
- Azure Blob Storage Error: Missing subscription configuration in .NET Aspire
- How to upload images using postman to azure blob storage
- azure copy blobs across storage accounts fails with ErrorCode:CannotVerifyCopySource
- Issue with assessing data in blob storage using OAuth tokens from a dotnet app
- Azure AI Document Translation Service: Time between "Succeeded" Status and availability of target blobs
- Getting FullContent from blobBaseClient.DownloadToAsync
- Logic App PDF File from Sharepoint uploading to Azure Blob is Blank
- Is there any way to read and process an azure blob as a stream using the python sdk without loading the whole blob into memory?
- Add metadata in a result of skillset Azure AI Search
- Automatically Delete/Expire Azure Blobs after a time period
- "message": "Call to Microsoft.Web/sites failed. Error message: SkuCode 'SKU' is invalid.",