I am deploying SQL Server via an ARM template. While setting the audit settings for this SQL server with a storage account, it is asking for permissions.
As per the link, we need the permissions ONLY when the storage account is behind a firewall. However, my storage account is open to the internet, so the permission prerequisite should not apply here.
I have used the PowerShell cmdlet 'Set-AzSqlServerAudit' to set this configuration, and it works. But this fails in the ARM template.
Template snippet:
{
    "type": "Microsoft.Sql/servers/auditingSettings",
    "apiVersion": "2020-08-01-preview",
    "name": "[concat(parameters('serverName'), '/Default')]",
    "dependsOn": [
        "[resourceId('Microsoft.Sql/servers', parameters('serverName'))]"
    ],
    "properties": {
        "isDevopsAuditEnabled": false,
        "retentionDays": 0,
        "auditActionsAndGroups": [
            "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
            "FAILED_DATABASE_AUTHENTICATION_GROUP",
            "BATCH_COMPLETED_GROUP"
        ],
        "isStorageSecondaryKeyInUse": false,
        "isAzureMonitorTargetEnabled": false,
        "state": "Enabled",
        "storageEndpoint": "[parameters('centralMonitoringStorageAccount')]",
        "storageAccountSubscriptionId": "[parameters('centralMonitoringStorageAccountSubscriptionId')]"
    }
},
Error:
New-AzResourceGroupDeployment : 4:37:56 AM - Resource Microsoft.Sql/servers/auditingSettings 'coe-extollo-apis-sqlserver-dev/Default' failed with message '{
    "status": "Failed",
    "error": {
        "code": "ResourceDeploymentFailure",
        "message": "The resource operation completed with terminal provisioning state 'Failed'.",
        "details": [
            {
                "code": "BlobAuditingInsufficientStorageAccountPermissions",
                "message": "Insufficient read or write permissions on storage account 'xtocoeeucommonsdev'. Add permissions to the server Identity to the storage account."
            }
        ]
    }
}'
https://stackoverflow.com/questions/66811329/microsoft-sql-servers-auditingsettings-asking-for-storageblobcontributor-acces March 26, 2021 at 01:05PM
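An added example, not part of the original question: a pre-deployment check in Python that flags `auditingSettings` resources which will authenticate to storage with the server's managed identity. It relies on the documented behaviour of this resource type that omitting `storageAccountAccessKey` selects managed-identity access (which needs the Storage Blob Data Contributor role); the function name `audit_auth_findings` and the `SAMPLE` template are constructed for illustration.

```python
import json

AUDIT_TYPE = "Microsoft.Sql/servers/auditingSettings"
SERVER_TYPE = "Microsoft.Sql/servers"

def audit_auth_findings(template):
    """Return one finding per auditingSettings resource that will use managed identity."""
    resources = template.get("resources", [])
    # Does any SQL server in the template declare a system-assigned identity?
    has_identity = any(
        r.get("type") == SERVER_TYPE
        and "SystemAssigned" in r.get("identity", {}).get("type", "")
        for r in resources
    )
    findings = []
    for r in resources:
        if r.get("type") != AUDIT_TYPE:
            continue
        props = r.get("properties", {})
        if props.get("state") != "Enabled" or not props.get("storageEndpoint"):
            continue  # auditing disabled, or not writing to blob storage
        if props.get("storageAccountAccessKey"):
            continue  # key-based access: no role assignment involved
        findings.append({
            "resource": r.get("name"),
            "auth": "managed-identity",
            "server_identity_declared": has_identity,
            "needs": "Storage Blob Data Contributor on the storage account",
        })
    return findings

# Constructed sample: trimmed copy of the question's resource plus a bare server.
SAMPLE = json.loads("""
{"resources": [
  {"type": "Microsoft.Sql/servers", "name": "[parameters('serverName')]"},
  {"type": "Microsoft.Sql/servers/auditingSettings",
   "name": "[concat(parameters('serverName'), '/Default')]",
   "properties": {"state": "Enabled",
                  "storageEndpoint": "[parameters('centralMonitoringStorageAccount')]"}}
]}
""")

if __name__ == "__main__":
    for finding in audit_auth_findings(SAMPLE):
        print(finding)
```
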