Unable to get resourceUsageId in a VM running in a managed application offer

Anis Elleuch 26 Reputation points
2020-11-27T11:36:12.857+00:00

Hey there!

I have a managed application which deploys some VMs in the customer subscription. I want from those VMs to send custom billing events to the metering API.

I've read this link https://learn.microsoft.com/en-us/azure/marketplace/partner-center-portal/marketplace-metering-service-authentication, and
if I understood correctly, the goal is to find resourceUsageId before emitting usage.

As I followed Using the Azure-managed identities token section of the link above, all steps worked except forth step (the last one).

---------

$ curl -H 'Authorization: Bearer xxxxxxx’ 'https://management.azure.com/subscriptions/xx-xx-xx-xx-xx/resourceGroups/xx-preview-20201124221221/providers/Microsoft.Solutions/applications/subscriptions/xx-xx-xx-xx-xx/resourceGroups/xx/providers/Microsoft.Solutions/applications/xxx?api-version=2019-07-01

{'error':{'code';'ResourceNotFound','message':'The Resource Microsoft.Solutions/applications/subscriptions under resource group 'xx--preview-20201124221221'; was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix'}}

---------

By the way, the managed app id (managedBy property) in my case has this format: /subscriptions/xx-xx-xx-xx-xx/resourceGroups/xx/providers/Microsoft.Solutions/applications/xxx

Could I get some guidance on this ?

Cordially,

Azure Managed Applications
Azure Managed Applications
An Azure service that enables managed service providers, independent software vendors, and enterprise IT teams to deliver turnkey solutions through the Azure Marketplace or service catalog.
154 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Daniel Leteyski 1 Reputation point
    2021-02-18T14:14:44.16+00:00

    Hi,
    I've been there.
    It turned out Microsoft's example code is a bit wrong (may be they have changed something )
    Instead of pulling
    "https://management.azure.com/subscriptions/xxxxxxxxx/resourceGroups/xx-preview-20201124221221/providers/Microsoft.Solutions/applications/xxx\?api-version=2019-07-01"

    you need to query :

    "https://management.azure.com/subscriptions/xxxxxxxxx/resourceGroups/(the resource group in which the Managed App is located. And it differs from where the resources are deployed)/providers/Microsoft.Solutions/applications/xxx\?api-version=2019-07-01"
    It worked for me. Though, you need to set a system managed identity and give read access of the VM to the Managed App.
    If you are trying to deploy a marketplace offer, it gets even worse. The deployment is executed in the seller's tenant context and when your deployment script tries to set the Managed Identity, it can not. Cross tenant Managed identities are not supported.
    So I'm stuck there.

    Here is a script that sets Managed Identity, but it fails because it does not have rights.
    {
    "type": "Microsoft.Resources/deployments",
    "name": "DeployRBACroleToVM",
    "apiVersion": "2020-06-01",
    "resourceGroup": "[parameters('RG_name')]",
    "properties": {
    "mode": "Incremental",
    "template": {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
    },
    "variables": {},
    "resources": [
    {
    "type": "Microsoft.Solutions/applications/providers/roleAssignments",
    "apiVersion": "2019-04-01-preview",
    "name": "[concat(parameters('ManagedAppName'),'/Microsoft.Authorization/',guid(resourceGroup().id))]",
    "properties": {
    "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
    "delegatedManagedIdentityResourceId": "[concat(subscription().id, '/providers/Microsoft.Compute/virtualMachines/', parameters('vmName'))]",
    "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines', parameters('vmName')), '2020-12-01','full').identity.principalId]"
    }
    }
    ]
    },
    "parameters": {}
    }
    }

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.