Describe the bug
Symptoms
After upgrading the ServiceControl to version 6.7.4 and following the "minimum permissions approach" as described in https://docs.particular.net/servicepulse/usage-config#connection-setup-azure-service-bus-minimum-permissions, we observe the following error:
Connection test to AzureServiceBus failed:
Service principal 'REDACTED' have no permission to access following resources: '/subscriptions/REDACTED/resourceGroups/Dev'. Please make sure grant 'Monitoring Reader' role permission to the subscription 'REDACTED' for the service principal 'REDACTED'
Status: 403 (Forbidden)
ErrorCode: Forbidden
Who's affected
Azure Service Bus users upgrading ServiceControl to version 6.7.4+
Root cause
The root cause is most likely this commit: 8983a3f
Confirmed workarounds
Granting permissions at the resource group level solves the issue.
Original bug report
Steps to reproduce
Upgrade the SC to version 6.7.4+
Grant minimal permissions according to the documentation
Run the SC
Notice the issue
Additional information
It could be that the regression comes from

var serviceBusNamespaceResource = await armClient
    .GetServiceBusNamespaceResource(resourceId).GetAsync(...)

and then the read of

var regionName = serviceBusNamespaceResource.Value.Data.Location.Name;

to then query against a regionalized endpoint. This implies the new code needs to GET the Service Bus namespace resource from the control plane to read the location, which goes against the namespace ARM ID, which includes /resourceGroups/, so any role setup that formerly worked without needing that GET can now fail.
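
An added example, not part of the original report and not ServiceControl code: a small model of Azure RBAC scope inheritance, showing why a role assigned only on the namespace leaves the resource group named in the 403 message uncovered, while the resource-group-level workaround covers both. The subscription ID and namespace name are constructed placeholders, and it is an assumption that the minimum-permissions setup assigns the role at namespace scope.

```python
"""Added example: Azure RBAC scope inheritance for the 403 in this issue."""


def _segments(arm_id):
    # ARM resource IDs are case-insensitive; drop the empty leading segment.
    return [s.lower() for s in arm_id.split("/") if s]


def scope_covers(assignment_scope, target):
    """True if a role assigned at assignment_scope is inherited by target."""
    a, t = _segments(assignment_scope), _segments(target)
    # Compare whole segments so '.../resourceGroups/Dev' never covers 'Dev2'.
    return len(a) <= len(t) and t[:len(a)] == a


def uncovered(assignment_scopes, checked_scopes):
    """Scopes at which a request would be denied, given the assignments."""
    return [c for c in checked_scopes
            if not any(scope_covers(a, c) for a in assignment_scopes)]


# Constructed sample IDs: the subscription and namespace are placeholders;
# the resource group name 'Dev' is the one shown in the error message.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/Dev"
NAMESPACE = RG + "/providers/Microsoft.ServiceBus/namespaces/example-ns"

# Scopes involved in the report: the namespace read by the GET quoted above
# and the resource group named in the 403 message.
CHECKED = [NAMESPACE, RG]


def diagnose(assignment_scopes):
    """Return the checked scopes that the given role assignments miss."""
    return uncovered(assignment_scopes, CHECKED)


if __name__ == "__main__":
    # Assumption: 'namespace only' stands for the minimum-permissions setup.
    for label, scopes in [("namespace only", [NAMESPACE]),
                          ("resource group (workaround)", [RG])]:
        print(label, "->", diagnose(scopes) or "all covered")
```

To compare against a real tenant, feed `diagnose` the `scope` values of the service principal's actual role assignments in place of the constructed lists.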