
Hello

I’m trying to connect Centreon to Azure to begin monitoring various elements, but I’m starting with Azure Recovery.

I tried to follow Superviser Microsoft Azure avec Centreon, but whatever I do, I get an error with whatever Azure plugin I try (I only tried cloud::azure::management::recovery::plugin and cloud::azure::compute::virtualmachine::plugin).

I’ll focus on cloud::azure::management::recovery::plugin. This uses the Azure Service Management API; I created the Active Directory app and created a secret as the article said.

 

But nowhere in the article or the doc could I find the “API rights” to grant to the app. I of course tried to add the corresponding API right to the app and granted the admin consent, and also added a few other rights, as I’ll use this to also monitor some O365 services, and that part was documented somewhere.

 

I’ve tried other rights also; nothing worked, and whatever I do I get the same error.

I tried with the plugin pack and with the latest git pull from the repo:

./centreon_plugins.pl --plugin=cloud::azure::management::recovery::plugin --mode=backup-items-status --custommode='api' --vault-name='vault-abc' --resource-group='ABC' --subscription='f---1' --tenant='xxx' --client-id='yyy' --client-secret='zzz'

UNKNOWN: Management endpoint API returns error code 'AuthorizationFailed'

debug output:

Host: management.azure.com
Accept:application/json
Authorization:Bearer snip

=> Recv header: HTTP/1.1 403 Forbidden
=> Recv header: Cache-Control: no-cache
=> Recv header: Pragma: no-cache
=> Recv header: Content-Type: application/json; charset=utf-8
=> Recv header: Expires: -1
=> Recv header: x-ms-failure-cause: gateway
=> Recv header: x-ms-request-id: 0--b3f1
=> Recv header: x-ms-correlation-request-id: 0--f1
=> Recv header: x-ms-routing-request-id: FRANCECENTRAL:20220608T165516Z:0--b3f1
=> Recv header: Strict-Transport-Security: max-age=31536000; includeSubDomains
=> Recv header: X-Content-Type-Options: nosniff
=> Recv header: Date: Wed, 08 Jun 2022 16:55:15 GMT
=> Recv header: Connection: close
=> Recv header: Content-Length: 494
=> Recv header:
=> Recv data: {"error":{"code":"AuthorizationFailed","message":"The client 'xxx' with object id '7-----x' does not have authorization to perform action 'Microsoft.RecoveryServices/vaults/backupProtectedItems/read' over scope '/subscriptions/f---1/resourcegroups/ABC/providers/Microsoft.RecoveryServices/vaults/vault-abc' or the scope is invalid. If access was recently granted, please refresh your credentials."}}

 

I followed every doc I could find, but I’m guessing. I also tested that I get a token following this link: https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow

If I do a curl

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id=xxxx&scope=https%3A%2F%2Fmanagement.azure.com%2F.default&client_secret=sssss&grant_type=client_credentials' 'https://login.microsoftonline.com/mytenant.onmicrosoft.com/oauth2/v2.0/token'

with the management scope, not the Graph one, I get the bearer token.

 

When I do the curl to get the vault, for example, from the API

curl -X GET -H "Authorization: Bearer ey…." 'https://management.azure.com/subscriptions/f---1/resourceGroups/ABC/providers/Microsoft.RecoveryServices/vaults/vault-abc?api-version=2016-06-01'

(as documented here: Vaults - Get - REST API (Azure Recovery Services) | Microsoft Docs), I get the same error message that I don’t have the authorization.

So I’m probably doing something wrong somewhere. I have coded a few custom Office 365 scripts in the past using this kind of API access with an app and a secret (or a certificate, which worked better).

 

I’m guessing it’s something about roles, but I don’t understand that part; the OAuth2 doc talks about role-less apps, maybe it’s that.

 

Am I missing some API rights?

Do I need to use the Azure CLI instead of the API?

 

Is there better documentation from Centreon somewhere that I couldn’t find?

 

Thanks in advance, any input appreciated.

Hi, 


I’d suggest giving this documentation a try: https://docs.centreon.com/pp/integrations/plugin-packs/getting-started/how-to-guides/azure-credential-configuration/

 

The Monitoring Reader role is required when dealing with the Azure Monitor metrics API.


Cheers,


Ohhh, thank you!! I looked on Google for hours and this link never appeared.

I found my problem, and it was the “role”, as I was surmising. It’s this step in the documentation you gave me that I was missing:

  • Search for the Monitoring Reader role, select it and click Next.
  • Select your new application as a member for this role by clicking on + Select members.

Note for anyone stuck here: your registered app doesn’t appear in the Azure GUI unless you specifically search for its name in the search box… by default it only displays real users, not apps… damn.

 

Now it works.

At least it connects, and I will come back once I have debugged/tested the features I need. For example, cloud::azure::management::recovery::plugin only manages backup, not replication/disaster recovery status, but that will be for later; probably I’ll dive into the API and ask for the specific things I miss on GitHub.

But first I will need to try to make a multi-tenant app, as I have many tenants to manage and I don’t want to have to manage hundreds of secrets that expire regularly when I have a partner relationship with them and could use a single app with only one secret. (If it works I’ll post a how-to here, I guess; I did something like that with an in-house app for O365 reporting some time ago, with no role but API rights, a bit different from the way Centreon works, I guess.)

 

Anyway, thanks a lot!
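The two curl calls in the first post and the role fix from the answer, as an added example (not Centreon's plugin code, not Microsoft's): it requests a client-credentials token for the ARM audience, calls the same Vaults - Get endpoint, and on a 403 parses the AuthorizationFailed body into the missing action and scope so it is clear that the token is fine and an Azure RBAC role assignment is what is missing. ARM authorization is decided by role assignments on the subscription/resource group/resource, not by the "API permissions" on the app registration; the Monitoring Reader built-in role carries `*/read`, which covers `Microsoft.RecoveryServices/vaults/backupProtectedItems/read`. The sample 403 body is the one quoted in the post with its placeholders kept; the environment variable names and the `az role assignment create` invocation at the end are this example's own choices.

```python
import json
import os
import re
import urllib.error
import urllib.parse
import urllib.request

ARM = "https://management.azure.com"
LOGIN = "https://login.microsoftonline.com"
API_VERSION = "2016-06-01"  # same Vaults - Get api-version the post uses


def get_arm_token(tenant, client_id, client_secret):
    """OAuth2 client-credentials grant on the v2.0 endpoint with the ARM audience.

    The scope must be https://management.azure.com/.default; a Graph-scoped token
    is rejected by ARM no matter which Graph API permissions the app was granted."""
    form = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{ARM}/.default",
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(
        f"{LOGIN}/{tenant}/oauth2/v2.0/token", data=form,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def get_vault(token, subscription, resource_group, vault):
    """GET the Recovery Services vault; returns (status, body) instead of raising on 4xx."""
    url = (f"{ARM}/subscriptions/{subscription}/resourceGroups/{resource_group}"
           f"/providers/Microsoft.RecoveryServices/vaults/{vault}?api-version={API_VERSION}")
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


# Sample body (copied from the 403 quoted in the post, placeholders kept as posted).
SAMPLE_403_BODY = json.dumps({"error": {
    "code": "AuthorizationFailed",
    "message": "The client 'xxx' with object id '7-----x' does not have authorization to "
               "perform action 'Microsoft.RecoveryServices/vaults/backupProtectedItems/read' "
               "over scope '/subscriptions/f---1/resourcegroups/ABC/providers/"
               "Microsoft.RecoveryServices/vaults/vault-abc' or the scope is invalid. "
               "If access was recently granted, please refresh your credentials."}})

_AUTHZ_RE = re.compile(r"object id '([^']+)'.*?perform action '([^']+)' over scope '([^']+)'")


def parse_authorization_failed(body):
    """Extract service-principal object id, missing action and scope from an ARM
    AuthorizationFailed body. Returns None for any other error code (for example an
    expired or wrong-audience token), which is a different problem from a missing role."""
    try:
        err = json.loads(body)["error"]
    except (ValueError, KeyError, TypeError):
        return None
    if err.get("code") != "AuthorizationFailed":
        return None
    m = _AUTHZ_RE.search(err.get("message", ""))
    if not m:
        return None
    return {"object_id": m.group(1), "action": m.group(2), "scope": m.group(3)}


def covered_by_monitoring_reader(action):
    """Monitoring Reader's Actions are */read, Microsoft.OperationalInsights/workspaces/
    search/action and Microsoft.Support/*, so every provider .../read action is covered."""
    return action.endswith("/read")


def resource_group_scope(scope):
    """Trim a resource scope to its resource group. A monitoring principal usually has to
    enumerate resources in the group, so this is the least-privilege scope that still works,
    as opposed to a subscription-wide assignment."""
    parts = scope.split("/")
    # ['', 'subscriptions', <sub>, 'resourcegroups', <rg>, 'providers', ...]
    return "/".join(parts[:5])


def role_assignment_command(client_id, scope, role="Monitoring Reader"):
    """az CLI equivalent of the portal steps in the thread (assignee = the app/client id)."""
    return (f'az role assignment create --assignee "{client_id}" '
            f'--role "{role}" --scope "{resource_group_scope(scope)}"')


if __name__ == "__main__":
    # Live run; env var names are this example's assumption, not a Centreon convention.
    env = {k: os.environ[k] for k in ("AZ_TENANT", "AZ_CLIENT_ID", "AZ_CLIENT_SECRET",
                                      "AZ_SUBSCRIPTION", "AZ_RG", "AZ_VAULT")}
    tok = get_arm_token(env["AZ_TENANT"], env["AZ_CLIENT_ID"], env["AZ_CLIENT_SECRET"])
    status, body = get_vault(tok, env["AZ_SUBSCRIPTION"], env["AZ_RG"], env["AZ_VAULT"])
    info = parse_authorization_failed(body) if status == 403 else None
    if info and covered_by_monitoring_reader(info["action"]):
        print("Token accepted; principal", info["object_id"], "lacks an RBAC role. Run:")
        print(role_assignment_command(env["AZ_CLIENT_ID"], info["scope"]))
    else:
        print(status, body[:300])
```

The object id in the error is that of the service principal (the enterprise application), not of the app registration, which is why the portal's role-assignment picker only finds it when you search by name. A fresh assignment can take a few minutes to propagate, and a token issued before the assignment keeps the old authorization until it is re-requested, which is what the "refresh your credentials" hint in the message refers to.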

