How can I get metrics like CPU Percentage of my Virtual Machine using Azure REST API?

김중원 20 Reputation points
2024-11-08T01:42:32.71+00:00

Hello!

In the backend I am currently developing, I need to use Azure's REST API to retrieve performance metrics (such as CPU usage) for an Azure Virtual Machine I am using.

However, I am encountering a permissions issue related to the token, so I am posting this question.

Here are the steps I have taken:

  1. Called the https://login.microsoftonline.com/${tenantID}/oauth2/token API to obtain an Access Token (set the resource sent to this API as "management.azure.com").
  2. Set the Access Token obtained in step 1 in the header as Authorization: Bearer ${Access Token}.
  3. Called the following API: https://management.azure.com/subscriptions/${subscriptionId}/resourceGroups/${resourceGroupName}/providers/Microsoft.Compute/virtualMachines/${vmname}/providers/microsoft.insights/metrics?api-version=2018-01-01&metricnames=Percentage%20CPU&timespan=2018-06-05T03:00:00Z/2018-06-07T03:00:00Z

I proceeded in the above order, but I keep getting an error related to the token's permissions:

The client '7******c5-****-48**-b**1-***e5e***9cc' with object id '7******c5-****-48**-b**1-***e5e***9cc' does not have authorization to perform action 'microsoft.insights/metrics/read' over scope '/subscriptions/3a1425d3-******-****-ebf0*******/resourceGroups/TestResource/providers/Microsoft.Compute/virtualMachines/test-virtual-machine/providers/microsoft.insights' or the scope is invalid. If access was recently granted, please refresh your credentials

To resolve this error, I tried assigning roles, but the same issue persists.

I tried to add a role one by one by reading other questions and posts to resolve this, but the same error still returns.

User's image

Could you let me know what I should try more to resolve it? Thank you for reading my question!

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,380 questions
Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
8,134 questions
0 comments No comments
{count} votes

Accepted answer
  1. SadiqhAhmed-MSFT 47,656 Reputation points Microsoft Employee
    2024-11-26T14:02:49.6+00:00

    Summarizing from the discussion (above). @김중원, Thanks for sharing the info/solution with the community.

    Issue: Get Azure Virtual Machine metrics (CPU percentage) using Azure REST APIs.

    Error: Encountered permission issue while calling the required APIs.
    The client '7******c5-****-48**-b**1-***e5e***9cc' with object id '7******c5-****-48**-b**1-***e5e***9cc' does not have authorization to perform action 'microsoft.insights/metrics/read' over scope '/subscriptions/3a1425d3-******-****-ebf0*******/resourceGroups/TestResource/providers/Microsoft.Compute/virtualMachines/test-virtual-machine/providers/microsoft.insights' or the scope is invalid.

    Solution: Solved this issue by changing a token REST API url.

    • prev: https://login.microsoftonline.com/${tenantID}/oauth2/token
    • new: https://login.microsoftonline.com/${tenantID}/oauth2/v2.0/token

    With the new API URL, it started working.

    Since the Microsoft Q&A community has a policy that the question author cannot accept their own answer. They can only accept answers by others, I' have summarized and posted the solution/answer to benefit the community users to find the answers quickly.


    If the response helped, do "Accept Answer" and up-vote it

    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. PRADEEPCHEEKATLA 90,446 Reputation points
    2024-11-08T03:11:50.9666667+00:00

    @김중원 - Thanks for the question and using MS Q&A platform.

    The error you're facing is due to missing permissions for reading metrics from Azure Monitor (via microsoft.insights/metrics/read). To retrieve metrics like CPU usage from a Virtual Machine, you need to ensure that the appropriate Azure Monitor permissions are granted to the service principal or user trying to access these metrics.

    Follow the below steps to resolve the issue.

    Step1: Ensure 'Monitoring Contributor' Role rather than 'Monitoring Reader':

    From the image, it looks like you have several roles assigned. The Monitoring Contributor role should have permissions to read monitoring data. However, make sure this role is assigned at the correct scope (either directly on the VM or at the resource group or subscription level).

    Note: You may want to try assigning the Monitoring Contributor role, which has broader permissions, including updating monitoring settings. This role might give you the additional permissions needed in case of any discrepancies in the Monitoring Reader permissions.

    User's image

    Azure role-based access control (Azure RBAC) provides built-in roles for monitoring that you can assign to users, groups, service principals, and managed identities. The most common roles are Monitoring Reader and Monitoring Contributor for read and write permissions, respectively.

    For more detailed information on the monitoring roles, see RBAC Monitoring Roles.

    Step2: Confirm Role Propagation:

    Sometimes, role assignments may take a few minutes to propagate. After assigning the role, wait a few minutes, and then refresh your token.

    Note: Make sure to wait up to 10 minutes for changes to take effect after assigning or removing roles. 

    Step3: Validate the Scope in Your API Call: Double-check that the scope in your API call matches the scope where the role was assigned. The scope in the error message seems to reference the path for the Virtual Machine and the Azure Monitor provider (microsoft.insights), which should match the API's path.

    Step4:Use the Correct API Version: Make sure the api-version in your request is compatible with your setup. For some metric APIs, you might need a more recent version than 2018-01-01.

    GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmname}/providers/microsoft.insights/metrics?api-version=2018-01-01&metricnames=Percentage%20CPU&timespan=2018-06-05T03:00:00Z/2018-06-07T03:00:00Z
    
    

    Step5:Re-Obtain the Access Token: If you recently assigned the role, try re-fetching the access token after ensuring the permissions are correctly in place.

    For more details, refer to Roles, permissions, and security in Azure Monitor and Azure built-in roles for Monitor.

    Hope this helps. Do let us know if you have any further queries.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.