Azure Billing API returning 403

Question

I have spent several days trying to figure this out, looking at all the info I could find on the Azure website, the Azure git hubs, and all the relevant stack overflow posts. I hope I am missing something simple.

I am using the example java code being posted around the web to obtain a token:

try {
        exec = Executors.newFixedThreadPool(1);
        context = new AuthenticationContext("https://login.microsoftonline.com/8e4f0713-5eea-4da0-99c0-xxxxxxxxxxxx",
                        true, exec);
        ClientCredential cred = new ClientCredential(webClientID, clientSecret);
        Future<AuthenticationResult> future = context.acquireToken("https://management.azure.com/", cred, null);
        result = future.get();
    } catch(Exception e) {
        logger.warn("Exception " + e);
    } finally {
        exec.shutdown();
    }

    if (result == null) {
        return null;
    }
    return result.getAccessToken();

This generates a token which I place into the request header:

Authorization: Bearer -token-

The GET https://management.azure.com/subscriptions/758ad253-cbf5-4b18-8863-xxxxxxxxxxxx/providers/Microsoft.Commerce/RateCard?api-version=2015-06-01-preview%26%24filter%3DOfferDurableId+eq+%27MS-AZR-0003p%27+and+Currency+eq+%27USD%27+and+Locale+eq+%27en-US%27+and+RegionInfo+eq+%27US%27

Returns 403 code:

Exception: java.io.IOException: Server returned HTTP response code: 403 for URL: https://management.azure.com/subscriptions/758ad253-cbf5-4b18-8863-xxxxxxxxxxxx/providers/Microsoft.Commerce/RateCard?api-version=2015-06-01-preview%26%24filter%3DOfferDurableId+eq+%27MS-AZR-0003p%27+and+Currency+eq+%27USD%27+and+Locale+eq+%27en-US%27+and+RegionInfo+eq+%27US%27

Headers: [0] null: HTTP/1.1 403 Forbidden

[1] Cache-Control: no-cache

[2] Pragma: no-cache

[3] Content-Type: application/json; charset=utf-8

[4] Expires: -1

[5] x-ms-failure-cause: gateway

[6] x-ms-request-id: e4ad9253-e034-481d-aba0-f46902b7057f

[7] x-ms-correlation-request-id: e4ad9253-e034-481d-aba0-f46902b7057f

[8] x-ms-routing-request-id: EASTUS:20151103T205103Z:e4ad9253-e034-481d-aba0-f46902b7057f

[9] Strict-Transport-Security: max-age=31536000; includeSubDomains

[10] Date: Tue, 03 Nov 2015 20:51:02 GMT

[11] Connection: close

[12] Content-Length: 303

I did all the setup on the Azure mgmt console, to create the App in Azure AD, get the clientID & client secret, etc. The SSL/HTTPS code is:

           azureURL = new java.net.URL(url);

        con = (HttpsURLConnection)azureURL.openConnection();
        con.disconnect();
        con.setDoOutput(true);
        con.setDoInput(true);
        con.setUseCaches(false);
        con.setSSLSocketFactory(MyUtils.getSSLSocketFactory());
        con.setRequestMethod("GET");
        con.setRequestProperty("x-ms-version", "2015-06-01-preview");
        con.setRequestProperty("Content-Type", "application/json");

        String token = getAccessTokenFromServicePrincipalCredentials();
        if (token != null) {
            con.setRequestProperty("Authorization", "Bearer " + token);
            con.connect();
            in = (InputStream)con.getContent();
            InputStreamReader inr = new InputStreamReader(in);
        } else {
            logger.warn("unable to obtain prices");
        }

Any suggestions on how to debug the problem?

Answer 1

I see that you're getting an access token for the Service Principal (i.e. the application itself). Please make sure that you grant this Service Principal user at least Reader role on your Azure Subscription. I believe you're getting this error because this user doesn't have any access to your Azure Subscription.

Please see this link: https://azure.microsoft.com/en-in/documentation/articles/role-based-access-control-configure/ (Manage access using the Azure Management Portal section) on how you can assign role.

Answer 2

As we can’t call Usage & Rate Card APIs via certificate with HTTPS requests. As it is mentioned:

All of the tasks that you do on resources using the Azure Resource Manager must be authenticated with Azure Active Directory

on Authenticating Azure Resource Manager requests.

So you got a 403 issue.

Please try to build common HTTP request for the REST APIs with the request header Content-Type and Authorization which is mentioned on Resource Usage (Preview).

Also you can test to get the info you want in HTTP request build tool, like:

And here is a similar thread How to use Management certificate based authentication for making REST API calls to Azure? for your reference.

Answer 3

For the file not found the reply is:

java.io.FileNotFoundException:

https://management.azure.com/subscriptions/758ad253-cbf5-4b18-8863-3eed082xxxxx/providers/Microsoft.Commerce/RateCard?api-version=2015-06-01-preview%26%24filter%3DOfferDurableId+eq+%27MS-AZR-0003p%27+and+Currency+eq+%27USD%27+and+Locale+eq+%27en-US%27+and+RegionInfo+eq+%27US%27

HTTP/1.1 404 Not Found

[1] Cache-Control: no-cache

[2] Pragma: no-cache

[3] Content-Type: application/json; charset=utf-8

[4] Expires: -1

[5] x-ms-failure-cause: gateway

[6] x-ms-request-id: 8bd5ea3a-5a5f-4eb5-86b5-bd6581f94e00

[7] x-ms-correlation-request-id: 8bd5ea3a-5a5f-4eb5-86b5-bd6581f94e00

[8] x-ms-routing-request-id: EASTUS:20151119T181954Z:8bd5ea3a-5a5f-4eb5-86b5-bd6581f94e00

[9] Strict-Transport-Security: max-age=31536000; includeSubDomains

[10] Date: Thu, 19 Nov 2015 18:19:53 GMT

[11] Content-Length: 348

Let me see what else I can get...