1

I'm trying to build a (what I thought would be) a simple script in Python to download Microsoft's Azure's rate card using the Billing API. 

token_response = adal.acquire_token_with_client_credentials(
'https://login.microsoftonline.com/' + TENANT_ID,
CLIENT-ID,
CLIENT-KEY)

access_token = token_response.get('accessToken')

endpoint = "https://management.azure.com/subscriptions/[SUBSCRIPTION-ID]/providers/Microsoft.Commerce/RateCard?api-version=2015-06-01-preview&$filter=OfferDurableId eq 'MS-AZR-0003P' and Currency eq 'GBP' and Locale eq 'en-GB' and RegionInfo eq 'GB'"
headers = {"Authorization": 'Bearer ' + access_token}

out = requests.get(endpoint,headers=headers)

json_output = out.json()
print son_output

The query seems to be executing correctly. Authorisation seems to go ok, and I'm getting a 200 OK message response. But the output is empty: {u'value': []}. I've tried different OfferIDs, different $filter strings and now it's driving me mad...

I wonder if perhaps I haven't delegated suitable permissions, but I've created an Application attached to Active Directory, generated a key, and delegated permissions to Windows Azure Service Management? And if that was the problem, wouldn't I receive an error?

Happy to hear alternative ways of doing the same thing, but Python is all I really know...

ogre
  • 21
  • 3
  • This is weird! I just tried the same endpoint in Google Postman and was able to see the rate card data returned for my Azure Subscription. Can you also try doing it there? – Gaurav Mantri May 24 '16 at 14:16
  • Thanks @GauravMantri, but I'm still getting the [] even on Postman. This makes me think it's something to do with the permissions or AD setup? – ogre May 24 '16 at 14:54
  • I tried with a different access token (acquired for Graph API) and got a 401 error as expected. I'm inclined to think it has something to do with permissions to the logged in user (in this case Service Principal). Can you check if the Service Principal has access to the Azure Subscription? Please see this link: https://azure.microsoft.com/en-in/documentation/articles/resource-group-create-service-principal-portal/. – Gaurav Mantri May 24 '16 at 15:03
  • I've given the Service Principle "owner" access...is that enough? – ogre May 24 '16 at 16:17
  • That should be more than enough. Are you still having same issue even after doing this? – Gaurav Mantri May 24 '16 at 16:33
  • You were right! I hadn't added the user to the subscription! Thank you so much for your support on this @gauravmantri, it's been driving me crazy! – ogre May 24 '16 at 18:20
  • I'm glad to hear that things are working for you now. One thing you should to do is put this Service Principal user in a `Reader` role instead of `Owner` role. A `Reader` role should be enough to read usage and rate card data. I'm just going to add this as an answer just in case someone else stumbles upon this similar issue. – Gaurav Mantri May 24 '16 at 18:26

1 Answers1

2

Please make sure that the user account you're using to interact with the billing and usage API has access to the Azure Subscription. In your case, you're using a Service Principal so please make sure that this user is assigned a role in the Subscription.

To assign a Service Principal a role, you may find this link helpful: https://azure.microsoft.com/en-in/documentation/articles/resource-group-create-service-principal-portal/.

When it comes to assigning role, since this user only needs to read the data, its better to go with Reader role so that inadvertent changes can't be made to your Azure Subscription.

Gaurav Mantri
  • 128,066
  • 12
  • 206
  • 241