Add Synapse Administrator role assignment for managed identity - 403 authorization error

Adrian Flejszer 20 Reputation points
2024-12-17T21:02:34.68+00:00

Hey, I am implementing logic that assigns roles in an Azure Synapse workspace. I have the following setup:

  • Marketplace app that deploys resources to customer subscriptions (it has deny assignments)
    • creates an Azure Synapse workspace
    • creates a managed identity
    • assigns the managed identity the Owner role on the Azure Synapse workspace
    • creates a container app that will host the C# code that updates role assignments in the Synapse workspace
    • adds the managed identity to all resources so they can communicate with each other

After the marketplace app is installed, I push the image of my C# app to the ACR and mount it in the Azure Container App.

The app has an endpoint that calls a service which updates role assignments in the Azure Synapse workspace. It has the following steps:

  1. Call the endpoint on the Azure Container App, which triggers the service logic
  2. Set the managed identity as the identity used for assigning roles
  3. Call HttpClient or RoleAssignmentsClient (yeah, both are failing) to assign the roles

I am getting a 403 error every time, even though the managed identity is set as the Owner of the Synapse workspace and should be able to assign roles like Synapse Administrator.

P.S. I tried both the https://management.azure.com/.default and https://dev.azuresynapse.net/ scopes.

HTTP Client Code

using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Picks the credential: an explicit tenant wins, then a user-assigned managed identity selected by
// client id, otherwise the plain DefaultAzureCredential chain (system-assigned identity in the container app).
public TokenCredential GetCredential(string tenantId = default)
{
    if (string.IsNullOrEmpty(tenantId) is false)
    {
        return new DefaultAzureCredential(new DefaultAzureCredentialOptions
        {
            TenantId = tenantId,
        });
    }
    if (string.IsNullOrEmpty(EnvironmentVariables.ManagedIdentityClientId))
    {
        return new DefaultAzureCredential();
    }
    var credential = new DefaultAzureCredential(
        new DefaultAzureCredentialOptions
        {
            ManagedIdentityClientId = EnvironmentVariables.ManagedIdentityClientId,
            TenantId = EnvironmentVariables.TenantId,
        });
    return credential;
}

private async Task<string> GetAccessTokenAsync(CancellationToken cancellationToken)
{
    var credential = credentialProvider.GetCredential();
    // The token audience must match the host the request is sent to. The PUT below goes to
    // <workspace>.dev.azuresynapse.net, so request the Synapse data-plane scope, not the ARM scope.
    var tokenRequestContext = new TokenRequestContext(
        scopes: new[] { "https://dev.azuresynapse.net/.default" }
    );
    var tokenRequest = await credential.GetTokenAsync(tokenRequestContext, cancellationToken);
    // Writes the raw bearer token to the log; acceptable for a one-off debug session only, never in production.
    logger.LogInformation(tokenRequest.Token);
    return tokenRequest.Token;
}

using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using Newtonsoft.Json;

httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
string roleId = "6e4bf58a-b8e1-4cc3-bbf9-d73143322b78"; // Synapse Administrator (Synapse RBAC role id)
var requestBody = new
{
    roleId,
    principalId = EnvironmentVariables.ManagedIdentityObjectPrincipalId, // object (principal) id, not the client id
    scope = $"workspaces/{EnvironmentVariables.SynapseWorkspaceName}",   // Synapse RBAC scope format
    principalType = "ServicePrincipal"
};
var guid = Guid.NewGuid(); // client-generated role assignment id
var jsonBody = JsonConvert.SerializeObject(requestBody);
var content = new StringContent(jsonBody, Encoding.UTF8, "application/json");
var url = $"https://{EnvironmentVariables.SynapseWorkspaceName}.dev.azuresynapse.net/roleAssignments/{guid}?api-version=2020-12-01";
var response = await httpClient.PutAsync(url, content, cancellationToken).ConfigureAwait(false);
if (response.IsSuccessStatusCode)
{
    Console.WriteLine("Role assignment created successfully.");
}
else
{
    // The error body from Synapse says whether this is a token/audience problem or an RBAC denial; keep it.
    var body = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
    Console.WriteLine($"Role assignment failed: {(int)response.StatusCode} {body}");
}

RoleAssignmentsClient code

// GetCredential is the same method shown above under "HTTP Client Code".

using System;
using Azure.Analytics.Synapse.AccessControl;

Guid principalId = new Guid(EnvironmentVariables.ManagedIdentityObjectPrincipalId); // object id of the managed identity
Guid roleId = new Guid("6e4bf58a-b8e1-4cc3-bbf9-d73143322b78"); // Synapse Administrator
string endpointUrl = $"https://{EnvironmentVariables.SynapseWorkspaceName}.dev.azuresynapse.net";
var credential = credentialProvider.GetCredential();
// The SDK client requests the https://dev.azuresynapse.net/.default scope itself; no manual token handling here.
var accessControlClient = new RoleAssignmentsClient(new Uri(endpointUrl), credential);
string roleAssignmentId = Guid.NewGuid().ToString(); // client-generated role assignment id
string scope = $"workspaces/{EnvironmentVariables.SynapseWorkspaceName}"; // Synapse RBAC scope format
var response = await accessControlClient.CreateRoleAssignmentAsync(
    roleId: roleId,
    principalId: principalId,
    scope: scope,
    roleAssignmentId: roleAssignmentId,
    cancellationToken: cancellationToken);

Accepted answer
  Vinodh247 27,016 Reputation points MVP
    2024-12-22T02:52:15.4233333+00:00

    Encountering a 403 authorization error when assigning the Synapse Administrator role to a managed identity, despite having Owner permissions on the Synapse Workspace, suggests potential issues with role assignment permissions or API scopes.

    To address this, consider the following steps:

    Verify Role Assignment Permissions: Ensure that the managed identity has the necessary permissions to assign roles within the Synapse Workspace. While the Owner role typically includes these permissions, certain policies or restrictions might limit this capability.

    Confirm API Scopes: Double-check that the correct API scopes are being used for authentication. The scopes https://management.azure.com/.default and https://dev.azuresynapse.net/.default are commonly used for Azure management and Synapse operations, respectively. Ensure that these scopes are correctly specified in your authentication requests.

    Review Deny Assignments: Since the marketplace app deploys resources with deny assignments, it's crucial to verify that these assignments aren't inadvertently preventing the managed identity from performing role assignments. Review and adjust deny assignments as necessary to allow the required operations.

    Check API Versions and Endpoints: Ensure that the API versions and endpoints used in your HTTP requests are up-to-date and correctly configured. Using outdated or incorrect API versions can lead to authorization errors.

    Audit Logs: Examine Azure Activity Logs and Synapse Workspace logs to identify any failed authorization attempts or related errors. These logs can provide insights into why the 403 error is occurring.

    By systematically reviewing these areas, you can identify and resolve the underlying cause of the authorization error. This is generic troubleshooting advice; let me know if you have tried all of these already.

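The procedure from the question (acquire a token as the managed identity, then PUT a Synapse RBAC role assignment) and the first three checks from the answer (permissions, scope, deny assignments), as an added example that is not part of the original post and not Azure SDK code. It is Python rather than the poster's C# so that the logic can be exercised offline: the HTTP transport and the token source are injected, and the demo at the bottom uses unsigned, constructed tokens and a fake transport. The workspace name contoso-ws and the object id are made up. The request shape of checkAccessSynapseRbac and the action id Microsoft.Synapse/workspaces/roleAssignments/write are assumptions taken from the Synapse data-plane REST reference and should be checked against the current docs before use.

```python
import base64
import json
import uuid
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

SYNAPSE_SCOPE = "https://dev.azuresynapse.net/.default"  # audience the Synapse data plane expects
ARM_SCOPE = "https://management.azure.com/.default"       # audience for ARM; wrong for dev.azuresynapse.net
SYNAPSE_ADMIN_ROLE_ID = "6e4bf58a-b8e1-4cc3-bbf9-d73143322b78"  # Synapse Administrator, as in the post
API_VERSION = "2020-12-01"
ROLE_ASSIGNMENT_WRITE = "Microsoft.Synapse/workspaces/roleAssignments/write"  # assumed Synapse RBAC action id


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying it; we only inspect what we are about to send."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_matches_resource(token: str, scope: str) -> bool:
    """True if the token's aud is the resource named by scope (scope minus '/.default').
    An ARM-audience token sent to <ws>.dev.azuresynapse.net fails before RBAC is evaluated."""
    resource = scope.removesuffix("/.default").rstrip("/")
    return str(jwt_claims(token).get("aud", "")).rstrip("/") == resource


@dataclass
class SynapseRbac:
    workspace: str
    get_token: Callable[[str], str]  # scope -> bearer; DefaultAzureCredential.get_token in real use
    # (method, url, bearer, json body) -> (status, json); injected so the logic runs offline
    send: Callable[[str, str, str, Optional[dict]], Tuple[int, dict]]

    @property
    def base(self) -> str:
        return f"https://{self.workspace}.dev.azuresynapse.net"

    @property
    def scope(self) -> str:
        return f"workspaces/{self.workspace}"  # Synapse RBAC scope format, as in the post

    def _token(self) -> str:
        tok = self.get_token(SYNAPSE_SCOPE)
        if not token_matches_resource(tok, SYNAPSE_SCOPE):
            raise PermissionError("token audience is not dev.azuresynapse.net; the data plane will answer 403")
        return tok

    def can_write_assignments(self, caller_object_id: str) -> bool:
        """Pre-flight via checkAccessSynapseRbac: Synapse RBAC, not the Azure Owner role, decides the PUT."""
        body = {"subject": {"principalId": caller_object_id},
                "actions": [{"id": ROLE_ASSIGNMENT_WRITE, "isDataAction": True}],
                "scope": self.scope}
        url = f"{self.base}/checkAccessSynapseRbac?api-version={API_VERSION}"
        status, data = self.send("POST", url, self._token(), body)
        if status != 200:
            raise RuntimeError(f"checkAccess returned {status}: {data}")
        decisions = data.get("accessDecisions", [])
        return bool(decisions) and all(d.get("accessDecision") == "Allowed" for d in decisions)

    def assign(self, role_id: str, principal_id: str, principal_type: str = "ServicePrincipal") -> dict:
        """PUT /roleAssignments/{id} with a client-generated id, as in the post."""
        body = {"roleId": role_id, "principalId": principal_id, "scope": self.scope,
                "principalType": principal_type}
        url = f"{self.base}/roleAssignments/{uuid.uuid4()}?api-version={API_VERSION}"
        status, data = self.send("PUT", url, self._token(), body)
        if status in (200, 201):
            return data
        if status == 403:
            raise PermissionError("403 from Synapse RBAC: caller lacks Synapse Administrator at this scope, "
                                  "or a deny assignment on the workspace blocks the action")
        raise RuntimeError(f"{status}: {data}")


# ---- offline demonstration: constructed tokens and a fake transport, no Azure calls ----
def fake_jwt(aud: str, oid: str) -> str:
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'aud': aud, 'oid': oid})}.sig"  # unsigned, inspection only


def demo(caller_is_synapse_admin: bool, requested_scope: str = SYNAPSE_SCOPE) -> str:
    """Returns 'assigned', 'no-permission' or 'bad-audience' for the given starting conditions."""
    caller = "11111111-1111-1111-1111-111111111111"  # constructed managed-identity object id

    def send(method, url, bearer, body):
        if url.endswith(f"/checkAccessSynapseRbac?api-version={API_VERSION}"):
            decision = "Allowed" if caller_is_synapse_admin else "NotAllowed"
            return 200, {"accessDecisions": [{"accessDecision": decision, "actionId": ROLE_ASSIGNMENT_WRITE}]}
        if method == "PUT" and "/roleAssignments/" in url:
            if caller_is_synapse_admin:
                return 200, {"id": url.split("/")[-1].split("?")[0], **body}
            return 403, {"error": {"code": "AuthorizationFailed"}}
        return 404, {}

    # As in the post, the credential hands back a token for whatever scope was requested.
    client = SynapseRbac("contoso-ws", lambda _s: fake_jwt(requested_scope.removesuffix("/.default"), caller), send)
    try:
        if not client.can_write_assignments(caller):
            return "no-permission"
        client.assign(SYNAPSE_ADMIN_ROLE_ID, caller)
        return "assigned"
    except PermissionError as exc:
        return "bad-audience" if "audience" in str(exc) else "no-permission"
```

For a real run, get_token is DefaultAzureCredential().get_token(scope).token and send is an HTTP call that returns the status and parsed body. The point of the pre-flight is to separate the two ways this fails: demo(True, requested_scope=ARM_SCOPE) never reaches the network because an ARM-audience token is rejected by the Synapse data plane regardless of roles, while demo(False) shows checkAccessSynapseRbac answering NotAllowed for an identity that may well be Azure Owner on the workspace. Azure Owner is a control-plane role on the workspace resource; Synapse RBAC is evaluated on the Synapse side, where the workspace creator is granted Synapse Administrator automatically and any other principal needs an explicit Synapse role assignment made by an existing Synapse Administrator. Deny assignments are the one check that belongs on the ARM side: list them with a management.azure.com token against the workspace resource id under Microsoft.Authorization/denyAssignments and confirm the managed identity is excluded from them.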

0 additional answers
