Reputation: 3167
Why am I getting this error when trying to get the cost of azure subscription. I'm trying to use CURL to make a request using BEARER token and I get this error.
Any idea how I can resolve this?
"message":"The client '1234156-ab0b5797ef12' with object id '123456-4839-a8ce-ab0b5797ef12' does not have authorization to perform action 'Microsoft.Consumption/aggregatedcost/read' over scope '/providers/Microsoft.Management/managementGroups/stack-testing/providers/Microsoft.Consumption' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
Upvotes: 2
Views: 14727
Reputation: 22597
The error usually occurs if your service principal doesn't have
required permissions
or role
to perform the specified action.
I tried to reproduce the same in my environment via Postman and got the same error like below:
GET https://management.azure.com/providers/Microsoft.Management/managementGroups/{managementGroupId}/providers/Microsoft.Consumption/aggregatedcost?api-version=2021-10-01
Response:
To resolve the error, you need to assign the service principal Billing Reader
role like below:
Go to Azure Portal -> Management groups -> Your management group -> Access control (IAM) -> Add role assignment
After assigning that role, I am able to get the cost of azure subscription successfully.
You can also assign Cost Management Contributor
or Cost Management Reader
based on your requirement.
Reference: Azure built-in roles - Azure RBAC | Microsoft Docs
Upvotes: 3