
can't connect GCP Pub/Sub Audit Logs Data Connector to MS Sentinel #11453

Open
odishelidzegio opened this issue Nov 19, 2024 · 22 comments
Connector Connector specialty review needed

Comments

@odishelidzegio

odishelidzegio commented Nov 19, 2024

Bug description
I'm trying to connect GCP Pub/Sub Audit Logs connector to Sentinel, to ingest GCP logs, but after I fill all the required fields it shows this error:
Image

This is how it looks when I'm filling in the fields:
Image

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-gcpauditlogs-api?tab=Overview'
  2. Install it and click manage.
  3. Go to installed solution and choose 'GCP Pub/Sub Audit Logs'
  4. Click 'Add new collector' and fill out all the required fields.
  5. See error:
    Image
@v-sudkharat v-sudkharat added the Connector Connector specialty review needed label Nov 19, 2024
@v-sudkharat
Contributor

v-sudkharat commented Nov 19, 2024

@odishelidzegio, can you please share the full error message screenshot, and is there any support ticket raised for this issue?

And please confirm the prerequisites are completed on the GCP end; if not, kindly verify them and check again. Thanks!

@odishelidzegio
Author

odishelidzegio commented Nov 19, 2024

Yes, of course, here's the full error message:
Image

Here's the raw error message:

```json
{
  "code": "DeploymentFailed",
  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
  "details": [
    {
      "code": "BadRequest",
      "message": "Connectivity check failed. ConnectorId: GCPAuditLogsfa206b6c-a4e9-4dff-a82f-ae6ec19a833a, Status code:GCPB40001, Message:An unknown exception resulted in the failure to authenticate: Google.Apis.Requests.RequestError\r\nPermission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist). [403]\r\nErrors [\r\n\tMessage[Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).] Location[ - ] Reason[forbidden] Domain[global]\r\n]\r\n"
    }
  ]
}
```

From GCP's side it's completed, yes.

Please also note that the permission 'iam.serviceAccounts.getAccessToken' is granted to the service account.

@v-sudkharat
Contributor

@odishelidzegio, thanks for sharing it, will check and get back to you.

@v-sudkharat
Contributor

@odishelidzegio, based on the error, we need to verify that the role iam.serviceAccountTokenCreator is granted to the correct service account.
You can follow the steps below / refer to the doc to add it, and confirm once it is done on the GCP end.
DOC - https://cloud.google.com/iam/docs/service-account-permissions

  1. Go to IAM in the GCP Portal and search for your service account name -

  2. Click on the Pencil icon and edit it -
    Image

  3. Add another role -
    Image

  4. Search with the role - iam.serviceAccountTokenCreator and click on save -
    Image

Image

  5. The updated role will get displayed in the service account name -
    Image

Once it gets updated, reconnect the Data connector and let us know if it still has the issue.

Thanks!

@odishelidzegio
Author

Okay, let me check and test it again

@odishelidzegio
Author

Hello!
I checked, and the permission was not granted. I granted the permission, but I still get the same error:
Image

Permissions granted:

Image

@v-sudkharat
Contributor

@odishelidzegio, will check with the concerned team for this case.

@odishelidzegio
Author

@v-sudkharat Okay, thanks!

@v-sudkharat
Contributor

@odishelidzegio, in the meantime, we want to know whether you get the same error after deployment in a different workspace. Can you check and let us know by configuring it in a different workspace? Thanks!

@odishelidzegio
Author

I think I have not, I'll try it.

@ulviahmadly99

@odishelidzegio, hi mate, did you find any solution for this? I am also stuck at this point and have had no luck solving it.

@v-sudkharat
Contributor

@ulviahmadly99 / @ulviahmadly99, could you please follow the steps mentioned in the doc below - https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs

And please note that once the configuration has been completed on the GCP end, please wait a few minutes before setting it up in the Sentinel connector.

Thanks!

@odishelidzegio
Author

@v-sudkharat any updates?

By the way, I tried it in another workspace and got this error:

Failed to parse input. Error='DataCollectionEndpoint should be in the following format: https://{Data Collection Endpoint name}-{id}-{Region}.ingest.monitor.azure.com (Parameter 'dataCollectionEndpoint')'

@ulviahmadly99 Not yet

@odishelidzegio
Author

@v-sudkharat after many tries, I'm still getting the same error:
Image

I tried to delete everything and recreate it on the GCP side, but with no results.

@odishelidzegio
Author

@v-sudkharat I think I have a problem with this step: https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=manual%2Cauditlogs#grant-the-identity-pool-access-to-the-service-account

Specifically here: https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds#authenticate

I don't understand how to do it. I tried to do the same as in the documentation, but I think I'm not doing something correctly here.

@v-sudkharat
Contributor

@odishelidzegio, no worries, we can have a call to check on this issue. So could you please send your mail id and available slots to us at v-sudkharat@microsoft.com

And please also try this: as it looks like your project might not have the admin access needed to grant the required access to the services, you can run the command below in a terminal before running the Terraform scripts:

```shell
gcloud projects add-iam-policy-binding ProjectName \
  --member="user:MailID" \
  --role="roles/iam.roleAdmin"
```

Replace MailID with your mail id, e.g. abcd@gmail.com

Replace ProjectName with your project name.

Once this runs successfully, you can retry the above-mentioned steps and check the connector status. And on the GCP side the services take some time to sync.
So, wait for some time and then configure the connector.
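The 403 in this thread ("Permission 'iam.serviceAccounts.getAccessToken' denied on resource") is raised when the workload identity pool principal is not allowed to impersonate the service account, which is what the "grant the identity pool access to the service account" step is for. The following added example (not code from the issue, the connector, or Google) checks a service account's IAM policy, as returned by `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json`, for a `roles/iam.serviceAccountTokenCreator` binding held by the pool rather than by a human user, and prints the grant command if it is missing. The project number, pool id and service account e-mail are placeholders, the policy is a constructed sample, and only direct bindings on the service account are inspected (a role inherited from the project or via a group is not detected).

```python
import json
import re

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"

# Constructed sample policy (placeholders, not values from the issue). The role is
# granted to a user, as in the screenshots, but not to the workload identity pool.
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "etag": "constructed-etag",
    "bindings": [
        {"role": "roles/iam.workloadIdentityUser",
         "members": ["principalSet://iam.googleapis.com/projects/123456789012/"
                     "locations/global/workloadIdentityPools/sentinel-pool/*"]},
        {"role": TOKEN_CREATOR, "members": ["user:alice@example.com"]},
    ],
})


def pool_member_pattern(project_number: str, pool_id: str) -> re.Pattern:
    """Match principal:// and principalSet:// members that belong to one pool."""
    return re.compile(
        rf"principal(Set)?://iam\.googleapis\.com/projects/{re.escape(project_number)}"
        rf"/locations/global/workloadIdentityPools/{re.escape(pool_id)}/")


def check_token_creator(policy_json: str, project_number: str, pool_id: str) -> dict:
    """Report which pool members hold the token-creator role on the service account."""
    pattern = pool_member_pattern(project_number, pool_id)
    granted, conditional = [], False
    for binding in json.loads(policy_json).get("bindings", []):
        if binding.get("role") != TOKEN_CREATOR:
            continue
        members = [m for m in binding.get("members", []) if pattern.match(m)]
        # A conditional binding may be evaluated false at token time; flag it.
        conditional = conditional or (bool(members) and "condition" in binding)
        granted.extend(members)
    return {"ok": bool(granted), "pool_members": granted, "conditional": conditional}


def suggested_fix(sa_email: str, project_number: str, pool_id: str) -> str:
    """gcloud command granting the role on the SA itself (pool-wide principalSet)."""
    member = (f"principalSet://iam.googleapis.com/projects/{project_number}"
              f"/locations/global/workloadIdentityPools/{pool_id}/*")
    return (f"gcloud iam service-accounts add-iam-policy-binding {sa_email} "
            f"--role={TOKEN_CREATOR} --member={member}")


if __name__ == "__main__":
    result = check_token_creator(SAMPLE_POLICY, "123456789012", "sentinel-pool")
    print(json.dumps(result, indent=2))
    if not result["ok"]:
        print(suggested_fix("sentinel-sa@my-project.iam.gserviceaccount.com",
                            "123456789012", "sentinel-pool"))
```

The pool-wide `/*` member is the broadest grant; if the pool maps an attribute, an attribute-scoped member is the least-privilege choice and the pattern above accepts it too.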

@v-sudkharat
Contributor

@odishelidzegio, did you get a chance to check on it? Anything for us?

@odishelidzegio
Author

@v-sudkharat

Hello, and sorry for the delay. It seems like I missed your previous comment and didn't receive it.

Okay, I'll try granting the project admin access, and if that doesn't work, I'll send you some time slots for a call.

@v-sudkharat
Contributor

@odishelidzegio, Ok

@odishelidzegio
Author

Hello @v-sudkharat

I tried to run the command, and it succeeded, but I still got the same error after connecting the GCP connector.

@v-sudkharat
Contributor

@odishelidzegio, let's have the meeting; please share the slots in the above mail.

@v-sudkharat
Contributor

@odishelidzegio, Received your mail, I will schedule a call with available time slots and share it via mail. Thanks!
