@김중원 - Thanks for the question and using MS Q&A platform.
The error you're facing is due to missing permissions for reading metrics from Azure Monitor (via microsoft.insights/metrics/read
). To retrieve metrics like CPU usage from a Virtual Machine, you need to ensure that the appropriate Azure Monitor permissions are granted to the service principal or user trying to access these metrics.
Follow the below steps to resolve the issue.
Step1: Ensure 'Monitoring Contributor' Role rather than 'Monitoring Reader':
From the image, it looks like you have several roles assigned. The Monitoring Contributor
role should have permissions to read monitoring data. However, make sure this role is assigned at the correct scope (either directly on the VM or at the resource group or subscription level).
Note: You may want to try assigning the Monitoring Contributor
role, which has broader permissions, including updating monitoring settings. This role might give you the additional permissions needed in case of any discrepancies in the Monitoring Reader
permissions.
Azure role-based access control (Azure RBAC) provides built-in roles for monitoring that you can assign to users, groups, service principals, and managed identities. The most common roles are Monitoring Reader and Monitoring Contributor for read and write permissions, respectively.
For more detailed information on the monitoring roles, see RBAC Monitoring Roles.
Step2: Confirm Role Propagation:
Sometimes, role assignments may take a few minutes to propagate. After assigning the role, wait a few minutes, and then refresh your token.
Note: Make sure to wait up to 10 minutes for changes to take effect after assigning or removing roles.
Step3: Validate the Scope in Your API Call:
Double-check that the scope in your API call matches the scope where the role was assigned. The scope in the error message seems to reference the path for the Virtual Machine and the Azure Monitor provider (microsoft.insights
), which should match the API's path.
Step4:Use the Correct API Version:
Make sure the api-version
in your request is compatible with your setup. For some metric APIs, you might need a more recent version than 2018-01-01
.
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmname}/providers/microsoft.insights/metrics?api-version=2018-01-01&metricnames=Percentage%20CPU×pan=2018-06-05T03:00:00Z/2018-06-07T03:00:00Z
Step5:Re-Obtain the Access Token:
If you recently assigned the role, try re-fetching the access token after ensuring the permissions are correctly in place.
For more details, refer to Roles, permissions, and security in Azure Monitor and Azure built-in roles for Monitor.
Hope this helps. Do let us know if you have any further queries.
If this answers your query, do click Accept Answer
and Yes
for was this answer helpful. And, if you have any further query do let us know.