Why am I getting this error when trying to get the cost of azure subscription. I'm trying to use CURL to make a request using BEARER token and I get this error.
Any idea how I can resolve this?
"message":"The client '1234156-ab0b5797ef12' with object id '123456-4839-a8ce-ab0b5797ef12' does not have authorization to perform action 'Microsoft.Consumption/aggregatedcost/read' over scope '/providers/Microsoft.Management/managementGroups/stack-testing/providers/Microsoft.Consumption' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
The error usually occurs if your service principal doesn't have
required permissions or role to perform the specified action.
I tried to reproduce the same in my environment via Postman and got the same error like below:
GET https://management.azure.com/providers/Microsoft.Management/managementGroups/{managementGroupId}/providers/Microsoft.Consumption/aggregatedcost?api-version=2021-10-01
Response:
To resolve the error, you need to assign the service principal Billing Reader role like below:
Go to Azure Portal -> Management groups -> Your management group -> Access control (IAM) -> Add role assignment
After assigning that role, I am able to get the cost of azure subscription successfully.
You can also assign Cost Management Contributor or Cost Management Reader based on your requirement.
Reference:
Azure built-in roles - Azure RBAC | Microsoft Docs
Related
What I'm doing:
My machine learning developer is trying to manually provision a ML Workspace in Azure.
Error:
{"message":"The client 'name#company.com' with object id 'xxxxxxx-xxxxxx-xxxxx-xxxxxxetc.' does not have authorization to perform action 'Microsoft.MachineLearningServices/register/action' over scope '/subscriptions/'xxxxxxx-xxxxxx-xxxxx-xxxxxxetc.'' or the scope is invalid. If access was recently granted, please refresh your credentials. (Code: AuthorizationFailed)"}
What I've tried:
I see two existing discussions on this error from azure here and here. In both cases the users are using a service account with an API, and the gist of the solutions offered are to grant the service account the proper role assignments in access control. In my case, however, the user is trying to create the resource manually via the portal, and the user already has 'owner' role over the resource group. What more could I grant them? How does she refresh her credentials? Any pointers? THANKS!
Definitely looks like a permission issue. spitball ideas, maybe you also have to add the account to the subscription??
edit:
definitely seems like a bug!
https://github.com/MicrosoftDocs/azure-docs/issues/61114#issuecomment-677703149
When calling an API https://learn.microsoft.com/en-us/rest/api/virtualnetwork/publicipaddresses/list to get List IP Addresses through a postman I'm getting the following error :
{"error":{"code":"AuthorizationFailed","message":"The client 'acc04996-6ca3-4a2f-ba94-xxxx' with object id 'acc04996-6ca3-4a2f-ba94-xxxx' does not have authorization to perform action 'Microsoft.Network/publicIPAddresses/read' over scope '/subscriptions/a530d6ae-6e7f-4c74-89fb-97273a63f8cd/resourceGroups/nag_resource_group/providers/Microsoft.Network' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
Please let me know how to grant permission so that I can call all the API's through Postman. Thanks
The error means your client app does not have the permission to do the Microsoft.Network/publicIPAddresses/read action.
To fix the issue, just navigate to the subscription or the resource group nag_resource_group in the portal -> Access control (IAM) -> Add -> Add role assignment -> search for your client app name and add it as a role e.g. Contributor, Virtual Machine Contributor.
If you don't want the built-in roles, you can also create a custom RBAC role, just include the Microsoft.Network/publicIPAddresses/read action in its Actions. If you are not familar with Azure RBAC roles, please refer to this link.
I am trying to call Azure Maps with OAuth access tokens but it is throwing me 403 Forbidden with the message "Permission, capacity, or authentication issues.". I have followed procedure mentioned here: https://learn.microsoft.com/en-us/azure/azure-maps/azure-maps-authentication
Created App Registration in AD, generated secret
Added API permission to Azure Maps
In Azure Maps > IAM > added the application as Map Data Reader
Got the Access token from https://login.microsoftonline.com//oauth2/token with resource=https://atlas.microsoft.com/
Calling https://atlas.microsoft.com/route/directions/json?api-version=1.0&query=52.50931,13.42936:52.50274,13.43872 with x-ms-client-id and Authorization=Bearer
Same procedure works correctly for my personal free subscription but not in my company's subscription. Don't know how to debug.
For reference on how Azure RBAC works.
Ensure you have no deny assignments possibly enforced from management groups on the particular role.
Make sure the role assignment is applied to the correct scope. Meaning on the scope of an Azure Maps Account or a parent of the account such as the resource group or subscription.
If you have security principals assigned to the correct scope but still receiving 403. It usually means you have assigned or authenticating with the wrong security principal.
Example:
"App only" token for an App Registration requires the service principal App to be assigned at the scope.
If you as user authenticate as a user to the App Registration that would mean the user security principal should be assigned to the scope; Not the app.
If you are using Azure AD groups it could mean that the security principal may not be part of the group which is assigned access.
I don't think it's common to add service principals to security groups though. But it is a possibility which should be confirmed. There is also a possibility of delay before the permissions are propagated but this usually shouldn't take more than a few minutes.
Just to be thorough but may not apply here. Certain REST APIs require S1 sku to be selected on the account. This will result in the same error response.
We raised the ticket with Microsoft and they told us it was caused by:
longer synchronization times regarding the RBAC configurations
worldwide
I keep getting the below error when I try and save and train my Azure monitor which will act as a data source for my dashboard in Grafana.
Azure Monitor: Forbidden: AuthorizationFailed. The client '----------' with object id '----------' does not have authorization
to perform action
'Microsoft.Resources/subscriptions/resourceGroups/read' over scope
'/subscriptions/--------'.
I have entered my subscription ID, Tenant ID, and Client ID, as well as my Client secret. But for some reason keep getting this error.
Any help with this would be much appreciated!
The error means your service principal(AD App) does not have the permission Microsoft.Resources/subscriptions/resourceGroups/read to the scope.
To fix the issue, navigate to the subscription or the specific scope in the portal -> Access control (IAM) -> Add -> Add role assignment -> search your service principal with name and add it as a role(e.g. Owner/Reader) -> Save.
Or if you don't what to add your service principal as a bulit-in role, you can create a custom role with the permissions you need, then add the service principal as a custom role in the resource(scope).
For more details, you could refer to this link. Lean more about azure role-based access control (RBAC), see here.
I am trying to implement KeyVault managed Storage Account in Azure to rotate storage keys using KeyVault. I did follow the documentation, which uses both "ServicePrincipalID" and "UserPrincipalID", but in my case i am provisioning my resources and implementing all the steps involved using my service principal (as we deploy using VSTS with service principal) and using "ServicePrincipalID" as ObjectID in place of "UserPrincipalID" (as there is no user intervention during provisioning and post-provisioning process). I did give my service principal "Owner" role and all required permissions for keyvault to access storage. But when i do "Add-AzureKeyVaultManagedStorageAccount" i get the below error which says "KeyVault is unable to perform the action on behalf of the caller". So i am not sure what access i am still missing, even after making my principal as Owner. Please find my screenshots below for more details. Would be glad to hear any suggestions to cross this hurdle.
Error
KeyVault details
Thanks
Chaitanya Alladi.
i get the below error which says "KeyVault is unable to perform the action on behalf of the caller". So i am not sure what access i am still missing, even after making my principal as Owner.
Unfortunly, we can't do that with service principle now.
AAD doesn't support get OBO(OnBehalfOf) token for service principle caller tokens.
We need to use the user credentials instead of Service Principal credentials. There are some operations that are only possible on behalf of the user and not Service Principal when it comes to storage account keys as of now.