This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 6%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
I'm trying to create a minimal CustomRole for running terraform on my hobby project. One of the first things I'm trying to automate is the creation of a Budget so that I can be sure I get alerted before spending too much money.
The terraform provider uses the following API https://learn.microsoft.com/en-us/rest/api/consumption/budgets/createorupdate
My role definition currently looks like the following
{
"assignableScopes": [
"/subscriptions/<redacted>"
],
"description": "Perform only the actions necesary for running Terraform from GitLab CI",
"id": "/subscriptions/<redacted>/providers/Microsoft.Authorization/roleDefinitions/<redacted>",
"name": "<redacted>",
"permissions": [
{
"actions": [
"Microsoft.Consumption/budgets/read",
"Microsoft.Consumption/budgets/write",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/resourceGroups/write",
"Microsoft.Web/serverfarms/Read",
"Microsoft.Web/serverfarms/Write",
"microsoft.insights/actionGroups/read",
"microsoft.insights/actionGroups/write",
"microsoft.web/register/action"
],
"dataActions": [ ],
"notActions": [ ],
"notDataActions": [ ]
}
],
"roleName": "my-ci-role",
"roleType": "CustomRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
However terraform is still failing with the following error message
Service returned an error. Status=401 Code="401" Message="Unauthorized. Request ID: 9e51f598-886e-4d66-a037-b82660a72862"
Some services give information on which permission is missing, unfortunately this one doesn't and I have no idea where to find this information.
Hello @Jonathan Share , Thanks for the post. Per official ACM documentation, adding the built-in role: Cost Management Contributor should resolve this.
Hope this helps but do let me know if you have any followup questions.
Cheers.
My goal is to give my CI runner absolute minimum permissions possible. Using the Contributor role it will get permission to create, read and delete everything for the Consumption, CostManagement and Support providers. I want to create a custom role that will only allow read and create of consumption budgets, and nothing else, not even deleting a budget.
Thanks for the clarification @Jonathan Share . Now I understand why you are going down the "custom role" path. Perhaps you can use the solution above as a workaround for now and in parallel, I will dig into this further with ACM feature owner. Please stay tuned.
Cheers.
I just tried using the built in role to get some progress, but this doesn't appear to work either.
Authenticated as the Owner I am able to confirm the role has been added to the principal used by my CI runner
az role assignment list --subscription $SUBSCRIPTION_ID --query "[*].{roleDefinitionName: roleDefinitionName,principalName:principalName}"
[
{
"principalName": "99f1fe2e-00a8-4021-a93a-7fd3e33f5bad",
"roleDefinitionName": "Cost Management Contributor"
},
{
"principalName": "99f1fe2e-00a8-4021-a93a-7fd3e33f5bad",
"roleDefinitionName": "modernised-form-ci-role"
}
]
If I then configure cli to act with the same principal
az account show --query user.name
"99f1fe2e-00a8-4021-a93a-7fd3e33f5bad"
When I attempt to create the using the rest command and the json payload created by terraform it fails
az rest --uri "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/providers/Microsoft.Consumption/budgets/total-budget?api-version=2019-10-01" --body @request.json --method PUT
Unauthorized({"error":{"code":"401","message":"Unauthorized. Request ID: c887b67a-0e03-4242-afc3-28b7aa148afb"}})
If I re-authenticate with my main account, the command above completes successfully.
Thanks for the update @Jonathan Share , it is possilbe you needed to re-auth because your existing token had expired.
Sounds like this works only with your Main account works but fails when running under the built in contributor role and/or the terraform context.
This new information has been shared internally with the API owners. I will let share an update as soon as possible. Also looking into why built-in role doesnt work as expected.
stay tuned.