I have an Azure Managed Identity service, I wish to grant it permissions to use the sys.dm_exec_input_buffer function in Azure SQL Database.
According to this documentation, I must grant VIEW SERVER PERFORMANCE STATE permissions.
According to this documentation, this permission is part of the ##MS_ServerStateReader## role.
As specified in the documentation, I have done the following:
--in the master database:
--create the login and add to the correct role:
CREATE LOGIN my_managed_identity_service FROM EXTERNAL PROVIDER --fetch the Managed Identity from the AAD
ALTER SERVER ROLE ##MS_ServerStateReader## ADD MEMBER my_managed_identity_service
--in the sql database:
--create the user (from login) and assign various permissions:
CREATE USER my_managed_identity_service FOR LOGIN my_managed_identity_service
GRANT CONTROL TO my_managed_identity_service
GRANT VIEW DATABASE PERFORMANCE STATE TO my_managed_identity_service
GRANT VIEW DATABASE STATE to my_managed_identity_service
--everything up to this point works
According to the documentation, I should be able to validate my roles in the master database in two ways: using the sys.server_role_members view or by using the IS_SRVROLEMEMBER function.
However, when I try it, I get inconsistent results.
--using the sys views
SELECT
member.principal_id AS MemberPrincipalID
, member.name AS MemberPrincipalName
, roles.principal_id AS RolePrincipalID
, roles.name AS RolePrincipalName
FROM sys.server_role_members AS server_role_members
INNER JOIN sys.server_principals AS roles
ON server_role_members.role_principal_id = roles.principal_id
INNER JOIN sys.server_principals AS member
ON server_role_members.member_principal_id = member.principal_id
LEFT OUTER JOIN sys.sql_logins AS sql_logins
ON server_role_members.member_principal_id = sql_logins.principal_id
WHERE member.principal_id NOT IN (-- prevent SQL Logins from interfering with resultset
SELECT principal_id FROM sys.sql_logins AS sql_logins
WHERE member.principal_id = sql_logins.principal_id)
--i see my_managed_identity_service as belonging to the ##MS_ServerStateReader## role.
-------------------------------------------------------------------
--using the function:
SELECT IS_SRVROLEMEMBER('##MS_ServerStateReader##','my_managed_identity_service')
--returns 0
Screenshot:
It seems that the two ways of validating the same information are in conflict.
In any case, the service still does not have the required permissions. Screenshot:
The error is: Msg 262, Level 14, State 1, Line 4 VIEW DATABASE PERFORMANCE STATE permission denied in database 'master'. Msg 297, Level 16, State 1, Line 4 The user does not have permission to perform this action.
I am not sure where to go from here.