Tags: azure, azure-devops, azure-data-factory, azure-pipelines-yaml

The client with object id does not have authorization to perform action 'Microsoft.DataFactory/factories/triggers/write' over scope


I've created a YAML pipeline in Azure DevOps to deploy Azure Data Factory using the below task:

- task: deploy-adf-json@2
  inputs:
    azureSubscription: '<subscription name>'
    ResourceGroupName: '<rg name>'
    DatafactoryName: '<adf name>'
    ServicePath: '$(System.ArtifactsDirectory)/adf/linkedService'
    PipelinePath: '$(System.ArtifactsDirectory)/adf/pipeline'
    TriggerPath: '$(System.ArtifactsDirectory)/adf/trigger'
    Sorting: 'ascending'

However, everything deploys successfully except for one trigger, for which I get the below error:

##[error]Error deploying 'Storage_Account_Trigger' trigger : The client '"client id"' with object id '"object id"' has permission to perform action 'Microsoft.DataFactory/factories/triggers/write' on scope '/subscriptions/"subscription id"/resourceGroups/"rg name"/providers/Microsoft.DataFactory/factories/"adf name"/triggers/Storage_Account_Trigger'; however, it does not have permission to perform action(s) 'Microsoft.EventGrid/EventSubscriptions/Write' on the linked scope(s) '/subscriptions/"subscription id"/resourceGroups/"rg name"/providers/Microsoft.Storage/storageAccounts/"storage account name"' (respectively) or the linked scope(s) are invalid.

The trigger is designed to run a specific pipeline whenever a new CSV file is created at a specific file path in the storage account. The code for the trigger is:

{
    "name": "Storage_Account_Trigger",
    "properties": {
        "annotations": [],
        "runtimeState": "Started",
        "pipelines": [
            {
                "pipelineReference": {
                    "referenceName": "PL_Ingest",
                    "type": "PipelineReference"
                }
            }
        ],
        "type": "BlobEventsTrigger",
        "typeProperties": {
            "blobPathBeginsWith": "<file path>",
            "blobPathEndsWith": ".csv",
            "ignoreEmptyBlobs": true,
            "scope": "/subscriptions/<subscription id>/resourceGroups/<rg name>/providers/Microsoft.Storage/storageAccounts/<storage account name>",
            "events": [
                "Microsoft.Storage.BlobCreated"
            ]
        }
    }
}

From my (limited) understanding, it looks like the trigger requires write permissions in order to work and the storage account policy doesn't allow it. I cannot change this policy nor do I understand the need to as I'm not looking to write anything to the storage account with the trigger. I just want to read and determine if there are any new CSV files.

Any help for how to get around this error or remove the need for write permissions would be appreciated!

Thanks!


Solution

> it does not have permission to perform action(s) 'Microsoft.EventGrid/EventSubscriptions/Write' on the linked scope(s) '/subscriptions/"subscription id"/resourceGroups/"rg name"/providers/Microsoft.Storage/storageAccounts/"storage account name"'

From the error message, it seems that the Service Principal has no permission to create the Storage event trigger.

Refer to this doc: Create a trigger that runs a pipeline in response to a storage event

Any of the following RBAC settings works for a storage event trigger:

1. Owner role on the storage account

2. Contributor role on the storage account

3. Microsoft.EventGrid/EventSubscriptions/Write permission on the storage account /subscriptions/####/resourceGroups/####/providers/Microsoft.Storage/storageAccounts/storageAccountName

Since you don't want to set the write permission on the Storage account, you can consider granting the EventGrid EventSubscription Contributor and EventGrid Contributor roles to the Service Principal (the one used by the Azure DevOps Service Connection) in the Resource Group (where the resource is located) -> Access Control.
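To see why the deployment identity can write the trigger yet fail on the storage account, here is an added example (not from the question, the answer or Microsoft) that models Azure RBAC evaluation: scope inheritance, wildcard action matching and NotActions. The role definitions, subscription id, resource group and resource names are simplified, constructed assumptions.

```python
"""Model of Azure RBAC evaluation: a role assignment applies to its scope and
every child scope, actions match case-insensitively with '*' wildcards, and
NotActions carve exclusions out of Actions. Role definitions below are
simplified assumptions for this example, not copied from Azure."""
import fnmatch

ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
    "EventGrid EventSubscription Contributor": {
        "actions": ["Microsoft.EventGrid/eventSubscriptions/*"], "not_actions": []},
}

# Constructed scopes in the shape the error message uses.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data"
ADF = RG + "/providers/Microsoft.DataFactory/factories/adf-prod"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/stlanding"

# Both actions the deployment in the question needs, at their scopes.
REQUIRED = [
    ("Microsoft.DataFactory/factories/triggers/write",
     ADF + "/triggers/Storage_Account_Trigger"),
    ("Microsoft.EventGrid/EventSubscriptions/Write", STORAGE),
]

def _matches(pattern, action):
    # Action names are case-insensitive; '*' may span '/' separators.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def role_grants(role, action):
    d = ROLES[role]
    return (any(_matches(p, action) for p in d["actions"])
            and not any(_matches(p, action) for p in d["not_actions"]))

def scope_covers(assigned, target):
    # Assignments are inherited downward: a parent scope covers its children.
    a, t = assigned.lower(), target.lower()
    return t == a or t.startswith(a + "/")

def has_permission(assignments, action, scope):
    """assignments: list of (role, scope) pairs held by one principal."""
    return any(scope_covers(s, scope) and role_grants(r, action)
               for r, s in assignments)

def missing_actions(assignments, required=REQUIRED):
    """Return the (action, scope) pairs the principal cannot perform."""
    return [(a, s) for a, s in required
            if not has_permission(assignments, a, s)]
```

A principal holding Contributor only on the factory reproduces the error (the storage account scope is not a child of the factory), and adding EventGrid EventSubscription Contributor scoped to the storage account alone, rather than the whole resource group, is enough to clear it.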