What permissions need to be done to get resource data using REST API?

Ashish Sharma 6 Reputation points
2020-11-06T14:02:07.027+00:00

We are getting the below authorization failed message while trying to access the resource list using REST API.

URL: https://management.azure.com/subscriptions/xxxxx-xxxx-xxxxxx-xxxxx/resources?api-version=2020-06-01&$filter=resourceType eq 'Microsoft.Compute/virtualMachines'

Response:

{
  "error": {
    "code": "AuthorizationFailed",
    "message": "The client 'XXXXXXXXXX' with object id 'XXXXXXXXXX' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resources/read' over scope '/subscriptions/XXXXXXXXXX' or the scope is invalid. If access was recently granted, please refresh your credentials."
  }
}

Would you please suggest if there is any additional permission that needs to be granted? Currently this account has the Owner role.

Azure Virtual Machines

1 answer

  1. prmanhas-MSFT 17,891 Reputation points Microsoft Employee
    2020-11-09T07:22:02.093+00:00

    @Ashish Sharma Firstly, apologies for the delay in responding on this and any inconvenience this issue may have caused.

    This issue is more likely to happen in newer subscriptions and usually happens if a certain resource type has never been created before in that subscription.

    To provision any resources in Azure (using the resource manager model) you need to have a resource provider that supports the creation of that resource. For example, if you provision a virtual machine, you need to have a ‘Microsoft.Compute’ resource provider available in the subscription first before you can do that.

    Resource providers are registered on the level of the subscription only.

    Luckily, the Azure Resource Manager (ARM) is intelligent enough to figure that out for you. When a new Azure resource gets provisioned, if the resource provider required for that resource type is not registered in the subscription yet, ARM will attempt to register it for you. That action (resource provider registration) requires access to the subscription level.

    By default, any new Azure subscription will be pre-registered with a list of commonly used resource providers.

    When a user is granted owner rights only on a specific resource group, if that user tries to provision a resource that requires registering a resource provider for the first time, that operation will fail.

    So when you say the user has the owner role, is it over a Subscription, or is it over a resource group or resource?

    If it is over a Subscription then it will be inherited by child resource groups and resources and it ideally should work. But if it is over a Resource Group or resource you can try to check if the user is owner in the groups or resources where you have deployed virtual machines.

    You can check it as below:

    For Subscription: Go to Azure Portal > Subscription > IAM > Role assignments.

    For Resource Group: Go to Azure Portal > Resource Group > IAM > Role assignments.

    For Resources: Go to Azure Portal > All Resources > IAM > Role assignments.

    Also you can check if you are selecting the right Subscription or not.

    The error is more around permission side of it and should be most probably because of one of the above reasons.

    Hope it helps :) !!!

    Please 'Accept as answer' if it helped, so that it can help others in the community looking for help on similar topics
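
Added example, not part of the answer above and not Microsoft's code: a small offline checker that parses the `AuthorizationFailed` message from the question and tests whether a set of role assignments covers the requested action at the requested scope, showing why Owner on a resource group does not satisfy a subscription-scope read. The assignment records are a simplified, constructed format (not the REST API's response shape), and all ids and names are placeholders.

```python
import fnmatch
import re

# Pulls principal, action and scope out of an ARM AuthorizationFailed message.
ERR_RE = re.compile(
    r"object id '(?P<oid>[^']+)' does not have authorization to perform "
    r"action '(?P<action>[^']+)' over scope '(?P<scope>[^']+)'")

def parse_authorization_failed(message):
    m = ERR_RE.search(message)
    if not m:
        raise ValueError("not an AuthorizationFailed message")
    return m.groupdict()

def scope_covers(assigned, requested):
    """An assignment applies at its own scope and at every child scope."""
    a, r = assigned.rstrip("/").lower(), requested.rstrip("/").lower()
    return r == a or r.startswith(a + "/")

def action_allowed(action, actions, not_actions=()):
    """Wildcard match as in role definitions: Actions minus NotActions."""
    hit = lambda pats: any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in pats)
    return hit(actions) and not hit(not_actions)

def explain(message, assignments):
    """Return (granted, reasons) for the principal named in the error."""
    err = parse_authorization_failed(message)
    granted, reasons = False, []
    for a in assignments:
        if a["principal_id"].lower() != err["oid"].lower():
            continue
        where = f"{a['role']} at {a['scope']}"
        if not scope_covers(a["scope"], err["scope"]):
            reasons.append(where + ": scope does not cover the request")
        elif not action_allowed(err["action"], a["actions"], a.get("not_actions", ())):
            reasons.append(where + ": role lacks the action")
        else:
            granted = True
            reasons.append(where + ": grants the action")
    return granted, reasons

# Constructed sample data (placeholder ids, simplified assignment records).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
MSG = ("The client 'app' with object id 'oid-1' does not have authorization to "
       "perform action 'Microsoft.Resources/subscriptions/resources/read' over "
       f"scope '{SUB}' or the scope is invalid.")
RG_OWNER = [{"principal_id": "oid-1", "role": "Owner", "actions": ["*"],
             "scope": SUB + "/resourceGroups/rg-vms"}]
SUB_READER = [{"principal_id": "oid-1", "role": "Reader", "actions": ["*/read"], "scope": SUB}]
```

`explain(MSG, RG_OWNER)` reports the Owner assignment as not covering the request, while `explain(MSG, SUB_READER)` shows that a read-only role at subscription scope is enough for this call.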

