Azure cost management REST API access management at resource group scope not working

Question

Azure cost management REST API access management at resource group scope not working

Rajesh Nerenki 1

I'm using the Azure cost management API to read monthly spend. Users are allowed to read the costs of the resource groups for which they have been given "Cost Management Reader" access. The cost management usage REST API seems to have a bug. Even though I've restricted access to specific resource groups, when I run the below POST request at subscription scope, it retrieves the costs for all resource groups. What I noticed is when no access is granted to any resource group, REST API returns a 401 response. But when I give access to even one resource group, then it returns costs for all resource groups. The behavior is not the same in azure portal.

https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.CostManagement/query?api-version=2019-11-01

{
  "type": "Usage",
  "timeframe": "MonthToDate",
  "dataset": {
    "granularity": "None",
    "aggregation": {
      "totalCost": {
        "name": "PreTaxCost",
        "function": "Sum"
      }
    },
    "grouping": [
      {
        "type": "Dimension",
        "name": "ResourceGroup"
      }
    ]
  }
}

olufemia-MSFT 2,861 Reputation points

2020-08-01T01:58:25.597+00:00
Hello anonymous user , working internally to repro this. will have an update soon.

In the meantime, can you clarify this statement to help inform my repro steps

"Even though I've restricted access to specific resource groups, when I run the below POST request at subscription scope, it retrieves the costs for all resource groups."

How did you restrict access to specific resource groups?

When you run the POST request, are you running under your Identity? What roles are currently assigned to your user identity (e..g Owner role)?

Looking forward to your reply.

Cheers.
Rajesh Nerenki 1 Reputation point

2020-08-03T07:13:39.943+00:00

Thanks for your reply. I'm not running under my identity. I created a test account in Azure and initially did not grant any permission to that account in azure portal. I logged into Azure portal using this account in a private window.

The REST API links have a try it option.
https://learn.microsoft.com/en-us/rest/api/cost-management/query/usage

Initially when I did a POST request I got a 401 response which is valid since no access was given.

Next I granted the test user Cost Management Reader to one specific resource group. You can do this by going to a specific resource group->Access management-> Role assignment. I did a POST request again as a test user in private window at the subscription scope and this time I could see costs for all resource groups in the subscription.
olufemia-MSFT 2,861 Reputation points

2020-08-04T10:25:52.493+00:00

thanks for the repro details. give me some time to investigate a little more. will get back to you.
Rajesh Nerenki 1 Reputation point

2020-08-06T08:06:21.113+00:00

Thanks @olufemia-MSFT . Are you able to reproduce the issue?

2 answers

Your answer

olufemia-MSFT 2,861 Reputation points

2020-08-01T01:58:25.597+00:00

Hello anonymous user , working internally to repro this. will have an update soon.

In the meantime, can you clarify this statement to help inform my repro steps

"Even though I've restricted access to specific resource groups, when I run the below POST request at subscription scope, it retrieves the costs for all resource groups."

How did you restrict access to specific resource groups?

When you run the POST request, are you running under your Identity? What roles are currently assigned to your user identity (e..g Owner role)?

Looking forward to your reply.

Cheers.
Rajesh Nerenki 1 Reputation point

2020-08-03T07:13:39.943+00:00

Thanks for your reply. I'm not running under my identity. I created a test account in Azure and initially did not grant any permission to that account in azure portal. I logged into Azure portal using this account in a private window.

The REST API links have a try it option.
https://learn.microsoft.com/en-us/rest/api/cost-management/query/usage

Initially when I did a POST request I got a 401 response which is valid since no access was given.

Next I granted the test user Cost Management Reader to one specific resource group. You can do this by going to a specific resource group->Access management-> Role assignment. I did a POST request again as a test user in private window at the subscription scope and this time I could see costs for all resource groups in the subscription.
olufemia-MSFT 2,861 Reputation points

2020-08-04T10:25:52.493+00:00

thanks for the repro details. give me some time to investigate a little more. will get back to you.
Rajesh Nerenki 1 Reputation point

2020-08-06T08:06:21.113+00:00

Thanks @olufemia-MSFT . Are you able to reproduce the issue?

Answer 1

olufemia-MSFT 2,861

Hi anonymous user , apologies for the delay. Thanks to your update, we were able to reproduce this issue and identified the root-cause bug. The feature owner acknowledged that a fix is being planned and we will update this post as soon as the fix is deployed. Thanks again for not only catching this but alerting us to the issue.

Cheers.

Rajesh Nerenki 1 Reputation point

2020-08-10T12:07:53.583+00:00

Many thanks @olufemia-MSFT . Please keep me posted
Rajesh Nerenki 1 Reputation point

2020-08-25T20:26:49.89+00:00

Hi @olufemia-MSFT ,

Has there been a fix released recently? I see a different behaviour now. When I login as a user who has cost management reader to say one resource group and I query at the subscription scope, I'm getting 401 error. I don't think that is the expectation when we query at subscription scope. I would expect to see usage cost for the resource groups that the user has access to.

If I change the scope to resource group and pass a specific resource group that the user has access to, then the API works. But this is not useful since we wouldn't know which resource group which user has access to and there are hundreds of users.
Rajesh Nerenki 1 Reputation point

2020-09-02T11:08:44.197+00:00

Hi @olufemia-MSFT Are you able to update if there has been a fix released recently? Pls see my above comment. Thanks

Answer 2

Rajesh Nerenki 1

Hi @olufemia-MSFT , It has been a while now still no update. It appears the fix has introduced a bug rather than resolving it.

Share via

Azure cost management REST API access management at resource group scope not working

2 answers

Your answer