I have a web API hosted on Azure App Service with managed identity turned on. There is an existing Application Insights resource that has given a Reader permission to that hosted API.
In the Application Insights resource, a new role was assigned and a Reader permission granted to the API. Now I want the API to read data from Application Insights.
I want to add a C# method as a REST API that reads the last 10 traces.

    // Use DefaultAzureCredential to authenticate with Managed Identity
    var credential = new DefaultAzureCredential();
    // Create a LogsQueryClient
    var client = new LogsQueryClient(credential);
    // Replace this with your Application Insights resource ID
    string appInsightsResourceId = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/microsoft.insights/components/{applicationInsightsName}";
    // KQL query to get the last 10 traces
    string kqlQuery = "traces | order by timestamp desc | take 10";
    // Execute the query
    Response<LogsQueryResult> queryResponse = await client.QueryWorkspaceAsync(
        appInsightsResourceId,
        kqlQuery,
        new QueryTimeRange(TimeSpan.FromHours(1))
    );

It didn't work; it comes back with invalid token credentials.
I also tried using DefaultAzureCredentials with the ManagedClientID value, and it still didn't work. I want to get logs/traces data as an HTTP method.
1 Answer
My test codes

    // Requires: using Azure.Identity; using Azure.Monitor.Query; using Azure.Monitor.Query.Models;
    public async Task<LogsQueryResult> GetAsync()
    {
        try
        {
            var credential = new DefaultAzureCredential();
            var client = new LogsQueryClient(credential);
            // Log Analytics workspace ID (a GUID), not an ARM resource ID
            string workspaceId = "2xxxxxx7-7xx1-xxxx-xxxx-16xxxf7c";
            //string kqlQuery = "traces | order by timestamp desc | take 10";
            string kqlQuery = "AzureActivity | summarize Count = count() by ResourceGroup | top 10 by Count";
            _logger.LogInformation("credential bypass");
            var queryResponse = await client.QueryWorkspaceAsync(
                workspaceId,
                kqlQuery,
                new QueryTimeRange(TimeSpan.FromHours(1))
            );
            _logger.LogInformation("queryResponse success");
            return queryResponse;
        }
        catch (Exception ex)
        {
            _logger.LogError(ex.Message);
            return null;
        }
    }

I get the workspace ID by clicking into the workspace shown in the App Insights instance.
My test result is like below. Using your query will get a 400 error, "Failed to resolve table or column expression named 'traces'", which indicates there's no traces table. Then I knew QueryWorkspaceAsync might not be designed to query App Insights tables. I followed the official document for QueryWorkspaceAsync and used another query, then I got it to work.
This method is not working for querying Application Insights. I tried the code below and it worked:

    // ResourceIdentifier is in the Azure.Core namespace; client is the LogsQueryClient created above
    string resourceId = "/subscriptions/xxx/resourceGroups/xxx/providers/microsoft.insights/components/tinytest0304";
    string kqlQuery = "traces | order by timestamp desc | take 10";
    Response<LogsQueryResult> queryResponse = await client.QueryResourceAsync(
        new ResourceIdentifier(resourceId),
        kqlQuery,
        new QueryTimeRange(TimeSpan.FromHours(1)));

=========================
I enabled system-assigned managed identity for my Azure web app instance.
Then I went to the Application Insights instance which I hope to query logs from, and added RBAC permissions. The screenshots below show the permissions I added.
To add these permissions, go to the Access Control (IAM) blade -> click the Add button and choose Add role assignment -> choose the role in the Roles tab -> choose members in the Members tab (like the screenshot below) -> Review + assign. Please note, it might take several minutes to take effect; we might wait for a while and maybe restart the Azure web app to validate the role assignment.
QueryWorkspaceAsync should be the workspace Id instead of app Insights resource id, could you please try to adjust the parameter? – Tiny Wang Commented Apr 2 at 7:20

The provided credentials have insufficient access to perform the requested operation. Your error message indicates that you might visit a nonexistent workspace. – Tiny Wang Commented Apr 2 at 8:26

string workspaceId = "29xxxx11-4xx2-axx0-16xxxxxxxaf7c";. I tried to use an incorrect workspace id, then I get error The requested path does not exist – Tiny Wang Commented Apr 2 at 8:37

Reader, Monitoring Contributor, Log Analytics Reader permissions to both Application Insights instance and workspace instance. But I'm not sure which permission is exactly required.. Role assignment seems to require several minutes to take effect... – Tiny Wang Commented Apr 2 at 9:19
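
An added example, not part of the original question or answer: a complete controller action that serves the last 10 traces through QueryResourceAsync, the call the answer found to work for Application Insights. It keeps the KQL constant, returns only projected columns, and keeps Azure error details out of the HTTP response. The route, class name, the AppInsights:ResourceId setting, the [Authorize] requirement and the timestamp/message column names are assumptions, and the project is assumed to use ASP.NET Core implicit usings.

```csharp
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Monitor.Query;
using Azure.Monitor.Query.Models;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[ApiController]
[Route("api/traces")]
[Authorize] // assumption: authentication is already configured; traces can hold sensitive data
public class TracesController : ControllerBase
{
    // The KQL is a constant: no caller input is ever concatenated into the query.
    private const string Kql =
        "traces | order by timestamp desc | take 10 | project timestamp, message";
    // One client per process; on App Service DefaultAzureCredential uses the managed identity.
    private static readonly LogsQueryClient Client = new(new DefaultAzureCredential());
    private readonly ResourceIdentifier _appInsightsId;
    private readonly ILogger<TracesController> _logger;

    public TracesController(IConfiguration config, ILogger<TracesController> logger)
    {
        // Hypothetical setting name; holds the full ARM resource ID of the App Insights component.
        _appInsightsId = new ResourceIdentifier(config["AppInsights:ResourceId"]!);
        _logger = logger;
    }

    [HttpGet]
    public async Task<IActionResult> GetLastTraces(CancellationToken ct)
    {
        try
        {
            // Resource-centric query: takes the ARM resource ID, not a workspace GUID.
            Response<LogsQueryResult> response = await Client.QueryResourceAsync(
                _appInsightsId, Kql, new QueryTimeRange(TimeSpan.FromHours(1)), cancellationToken: ct);
            // Return only the projected columns, not the raw LogsQueryResult.
            var rows = response.Value.Table.Rows.Select(r => new
                { Timestamp = r.GetDateTimeOffset("timestamp"), Message = r.GetString("message") });
            return Ok(rows);
        }
        catch (RequestFailedException ex)
        {
            // Log the Azure status server-side; do not echo service error text to the caller.
            _logger.LogError(ex, "Application Insights query failed with status {Status}", ex.Status);
            return StatusCode(StatusCodes.Status502BadGateway);
        }
    }
}
```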