question

JonathanShare-8535 asked, olufemiaMSFT edited (1 vote)

What are the minimum permissions required to create a budget?

I'm trying to create a minimal CustomRole for running terraform on my hobby project. One of the first things I'm trying to automate is the creation of a Budget so that I can be sure I get alerted before spending too much money.

The terraform provider uses the following API https://docs.microsoft.com/en-us/rest/api/consumption/budgets/createorupdate

My role definition currently looks like the following

 {
    "assignableScopes": [
       "/subscriptions/<redacted>"
    ],
    "description": "Perform only the actions necessary for running Terraform from GitLab CI",
    "id": "/subscriptions/<redacted>/providers/Microsoft.Authorization/roleDefinitions/<redacted>",
    "name": "<redacted>",
    "permissions": [
       {
          "actions": [
             "Microsoft.Consumption/budgets/read",
             "Microsoft.Consumption/budgets/write",
             "Microsoft.Resources/subscriptions/resourceGroups/read",
             "Microsoft.Resources/subscriptions/resourceGroups/write",
             "Microsoft.Web/serverfarms/Read",
             "Microsoft.Web/serverfarms/Write",
             "microsoft.insights/actionGroups/read",
             "microsoft.insights/actionGroups/write",
             "microsoft.web/register/action"
          ],
          "dataActions": [],
          "notActions": [],
          "notDataActions": []
       }
    ],
    "roleName": "my-ci-role",
    "roleType": "CustomRole",
    "type": "Microsoft.Authorization/roleDefinitions"
 }

However Terraform is still failing with the following error message:

 Service returned an error. Status=401 Code="401" Message="Unauthorized. Request ID: 9e51f598-886e-4d66-a037-b82660a72862"

Some services give information on which permission is missing, unfortunately this one doesn't and I have no idea where to find this information.

Tags: azure-cost-management, azure-rbac
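The script below is an added example and is not code from the question, from Terraform or from the Azure provider. It loads the custom role definition posted above and reports, offline, which control-plane operations that definition grants and which it withholds. The matching rule it applies is this example's model of how a single Azure role definition is evaluated (an assumption stated here, not something copied from the page): an operation is granted when it matches any entry in `actions` and no entry in `notActions`, comparison is case-insensitive, and `*` matches any run of characters including `/`. The `REQUIRED` and `FORBIDDEN` operation lists are constructed from the role's own actions plus the delete operation the asker does not want to grant, and `BUILTIN_LIKE_ROLE` is a constructed stand-in that only mimics the provider-wide wildcards the asker objects to; it is not the real Cost Management Contributor definition.

```python
"""Offline audit of what an Azure RBAC custom role definition grants.

Added example for the question above; not code from the original post.
Evaluation model (an assumption of this example): an operation is granted by a
role when it matches any `actions` entry and no `notActions` entry; matching is
case-insensitive and '*' matches any run of characters, including '/'.
"""
import json
import re
from typing import Dict, Iterable, List

# The custom role from the question (identifier fields dropped, otherwise as posted).
CUSTOM_ROLE_JSON = r"""
{
  "assignableScopes": ["/subscriptions/<redacted>"],
  "description": "Perform only the actions necessary for running Terraform from GitLab CI",
  "permissions": [
    {
      "actions": [
        "Microsoft.Consumption/budgets/read",
        "Microsoft.Consumption/budgets/write",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.Web/serverfarms/Read",
        "Microsoft.Web/serverfarms/Write",
        "microsoft.insights/actionGroups/read",
        "microsoft.insights/actionGroups/write",
        "microsoft.web/register/action"
      ],
      "dataActions": [],
      "notActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "my-ci-role",
  "roleType": "CustomRole"
}
"""
CUSTOM_ROLE: Dict = json.loads(CUSTOM_ROLE_JSON)

# Constructed stand-in for the built-in role suggested in the answer. It is NOT
# the real "Cost Management Contributor" definition; it only reproduces the
# property the asker objects to: provider-wide wildcards that include delete.
BUILTIN_LIKE_ROLE: Dict = {
    "roleName": "cost-management-contributor-like (constructed)",
    "permissions": [{
        "actions": [
            "Microsoft.Consumption/*",
            "Microsoft.CostManagement/*",
            "Microsoft.Support/*",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
        ],
        "notActions": [],
    }],
}

# Operations the Terraform run in the question needs (taken from the custom
# role's own action list) and the one the asker explicitly refuses to grant.
REQUIRED: List[str] = [
    "Microsoft.Consumption/budgets/read",
    "Microsoft.Consumption/budgets/write",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/resourceGroups/write",
]
FORBIDDEN: List[str] = ["Microsoft.Consumption/budgets/delete"]


def action_matches(pattern: str, operation: str) -> bool:
    """Wildcard match: '*' matches anything (including '/'), case is ignored."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def is_allowed(role: Dict, operation: str) -> bool:
    """True if some permission block grants `operation` (actions minus notActions)."""
    for block in role["permissions"]:
        granted = any(action_matches(a, operation) for a in block.get("actions", []))
        excluded = any(action_matches(n, operation) for n in block.get("notActions", []))
        if granted and not excluded:
            return True
    return False


def audit_role(role: Dict, required: Iterable[str], forbidden: Iterable[str]) -> Dict[str, List[str]]:
    """Report required operations the role lacks and forbidden ones it grants."""
    return {
        "missing": sorted(op for op in required if not is_allowed(role, op)),
        "over_granted": sorted(op for op in forbidden if is_allowed(role, op)),
    }


if __name__ == "__main__":
    for role in (CUSTOM_ROLE, BUILTIN_LIKE_ROLE):
        print(role["roleName"], audit_role(role, REQUIRED, FORBIDDEN))
```

Running it shows the custom role with nothing missing and nothing over-granted, while the wildcard stand-in grants `budgets/delete` (and, as constructed, lacks resource-group write). The check covers only the role definition: an RBAC denial on Azure Resource Manager normally comes back as 403 `AuthorizationFailed` naming the action the caller lacks, whereas a 401 like the one in the question is returned before any action is evaluated, so a definition-level audit cannot explain it on its own.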

1 Answer

olufemiaMSFT answered, olufemiaMSFT edited (0 votes)

Hello @JonathanShare-8535, thanks for the post. Per official ACM documentation, adding the built-in role Cost Management Contributor should resolve this.

[attached screenshot: cmcontribtor.png]

Hope this helps but do let me know if you have any followup questions.

Cheers.




My goal is to give my CI runner the absolute minimum permissions possible. Using the Contributor role, it will get permission to create, read and delete everything for the Consumption, CostManagement and Support providers. I want to create a custom role that will only allow read and create of consumption budgets, and nothing else, not even deleting a budget.


Thanks for the clarification @JonathanShare-8535. Now I understand why you are going down the "custom role" path. Perhaps you can use the solution above as a workaround for now, and in parallel I will dig into this further with the ACM feature owner. Please stay tuned.

Cheers.


I just tried using the built-in role to get some progress, but this doesn't appear to work either.

Authenticated as the Owner, I am able to confirm the role has been added to the principal used by my CI runner:

 az role assignment list --subscription $SUBSCRIPTION_ID --query "[*].{roleDefinitionName: roleDefinitionName,principalName:principalName}"
 [
   {
     "principalName": "99f1fe2e-00a8-4021-a93a-7fd3e33f5bad",
     "roleDefinitionName": "Cost Management Contributor"
   },
   {
     "principalName": "99f1fe2e-00a8-4021-a93a-7fd3e33f5bad",
     "roleDefinitionName": "modernised-form-ci-role"
   }
 ]

If I then configure the CLI to act as the same principal:

 az account show --query user.name
 "99f1fe2e-00a8-4021-a93a-7fd3e33f5bad"


When I attempt to create the budget using the REST command and the JSON payload created by Terraform, it fails:

 az rest --uri "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/providers/Microsoft.Consumption/budgets/total-budget?api-version=2019-10-01" --body @request.json --method PUT
 Unauthorized({"error":{"code":"401","message":"Unauthorized. Request ID: c887b67a-0e03-4242-afc3-28b7aa148afb"}})

If I re-authenticate with my main account, the command above completes successfully.


Thanks for the update @JonathanShare-8535, it is possible you needed to re-auth because your existing token had expired.
Sounds like this works only with your main account but fails when running under the built-in contributor role and/or the Terraform context.

This new information has been shared internally with the API owners. I will share an update as soon as possible. Also looking into why the built-in role doesn't work as expected.

Stay tuned.