Azure - does not have authorization to perform action

Question

Why am I getting this error when trying to get the cost of azure subscription. I'm trying to use CURL to make a request using BEARER token and I get this error.

Any idea how I can resolve this?

"message":"The client '1234156-ab0b5797ef12' with object id '123456-4839-a8ce-ab0b5797ef12' does not have authorization to perform action 'Microsoft.Consumption/aggregatedcost/read' over scope '/providers/Microsoft.Management/managementGroups/stack-testing/providers/Microsoft.Consumption' or the scope is invalid. If access was recently granted, please refresh your credentials."}}

Answer 1

The error usually occurs if your service principal doesn't have required permissions or role to perform the specified action.

I tried to reproduce the same in my environment via Postman and got the same error like below:

GET https://management.azure.com/providers/Microsoft.Management/managementGroups/{managementGroupId}/providers/Microsoft.Consumption/aggregatedcost?api-version=2021-10-01

Response:

To resolve the error, you need to assign the service principal Billing Reader role like below:

Go to Azure Portal -> Management groups -> Your management group -> Access control (IAM) -> Add role assignment

After assigning that role, I am able to get the cost of azure subscription successfully.

You can also assign Cost Management Contributor or Cost Management Reader based on your requirement.

Reference: Azure built-in roles - Azure RBAC | Microsoft Docs