I am trying to access RateCard info in the Government Cloud, region usgovvirginia, working from the example on GitHub: https://github.com/Azure-Samples/billing-dotnet-usage-api.

GitHub Sample throws Unhandled exception: AADSTS65005 (see links below)

This error is mentioned there but in reworking the referenced sections of the procedure I haven't found a way to correct this and strongly suspect the problem is due to differences in US Gov Cloud. (See image below for App settings in the Portal).

My RegisteredApp:
RateCardHM, appId/clientID: XXXXXXXX-4ba0-47a3-811e-ca0b0b74118a -> Required Permissions-> (Delegated -- NoApplicationPermissionsAvailable) Access Azure Service Management as organization users (preview)

RequiresAdmin: No {"AADSTS65005: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: XXXXXXXX-XXXX-47a3-811e-ca0b0b74118a. Resource value from request: https://management.usgovcloudapi.net/. Resource app ID: 40a69793-8fe6-4db1-9591-dbc5c57b17d8. List of valid resources from app registration: 797f4846-ba00-4fd7-ba43-dac1f8f63013, 00000002-0000-0000-c000-000000000000. Trace ID: 6c1f3716-12ca-489e-b183-99cb6f730300 Correlation ID: 57dbf637-8e01-42f2-873c-4723f1814254 Timestamp: 2018-03-14 18:43:33Z"}

Since there probably isn't a "2-letter ISO code" for usgovvirginia, what should be used?

https://msdn.microsoft.com/en-us/library/azure/mt219004.aspx Indicates:
•Set {RegionInfo} to the 2 letter ISO code where the offer was purchased. Reconcile with usgovvirginia Region.

```xml
<appSettings>
    <add key="ADALServiceURL" value="https://login.microsoftonline.us"/>
    <add key="ADALRedirectURL" value="http://localhost"/>
    <add key="ARMBillingServiceURL" value="https://management.usgovcloudapi.net"/>
    <add key="TenantDomain" value="XXXXX.onmicrosoft.com"/>
    <add key="SubscriptionID" value="XXXXXXXX-1293-4060-a2ed-0da3db612bcc"/>
    <add key="ClientId" value="XXXXXXXX-4ba0-47a3-811e-ca0b0b74118a"/>
    <add key="RegionInfo" value="usgovvirginia"/> <!-- WHAT to use here? -->
</appSettings>
```

I would prefer to get access with PowerShell but getting the C# sample app to work would likely be sufficient and certainly a good start.

My App Configuration

UPDATE FOLLOWS (more info):

After logging in with PowerShell AzureRM (as myself) "Locations" for Microsoft.Commerce and RateCard API are empty:

```powershell
(Get-AzureRmResourceProvider -ListAvailable | ? ProviderNamespace -eq Microsoft.Commerce)
# Outputs with LOCATION 'empty':
# ProviderNamespace : Microsoft.Commerce
# RegistrationState : Registered
# ResourceTypes     : {UsageAggregates, RateCard, operations}
# Locations         : {}

(Get-AzureRmResourceProvider -ListAvailable | ? ProviderNamespace -eq Microsoft.Commerce).ResourceTypes | ? ResourceTypeName -eq RateCard
# Outputs with LOCATION 'empty' also:
# ResourceTypeName : RateCard
# Locations        : {}
# ApiVersions      : {2016-08-31-preview, 2015-06-01-preview, 2015-05-15}
```

Possibly this means US Gov Cloud doesn't offer these APIs in any region?

The following image shows the alert where the App has been added as a Reader:

HerbM
  • Check if the service principal of the app has permission in the subscription. This is not from the screenshot. It should be in Access Control (IAM). – EagleDev Mar 15 '18 at 05:31
  • @ThuanNg thanks, but where specifically is this IAM for my App? I have spent a lot of time trying to follow even official docs which call things by names that just aren't used in the current version of the Gov Portal. (I have worked with IAM only a little in Azure as you might guess -- looking now again...) – HerbM Mar 15 '18 at 16:04

2 Answers

First, you need to make sure Billing API is actually supported on Government Subscription. I cannot seem to find an official reference over the Internet about the supportability. It'd be much better to ask about that here https://azure.microsoft.com/en-us/global-infrastructure/government/contact/

If it is supported, normally you need to add your client app you registered to the Government subscription.

Under the Access Control (IAM) blade, click Add. Select Reader under Role (in case you just need to get information without any change). Under Select, you can look up your client app name (the one that has the client ID associated); you can also copy the client ID and paste it into this field.

Without appropriate permission, your registered client app can't read your Government resource to retrieve billing info over the REST API.

P/S: There is also a role named Billing Reader if you would like to explicitly control access.

EagleDev
  • thx My interface differs from yours: after Add Reader GetRateCardHM (my app) I don't get the list of APIs, but just Reader and the App -- So I hit Save and seems to allow Read all (on a long list of things). However nothing under there is Billing or RateCard or ARMBillingService, so checking Management API Management and pretty much everything else it shows every thing with "Read". Wait: Microsoft.Commerce has RateCard and Usage Aggregates, but with READ. On the EnterpriseAppProperties it shows no permissions however. Seems granted in IAM but not on GetRateCardhm App. Trying now. – HerbM Mar 15 '18 at 18:19
  • **Billing Reader** is an option, you can select Read permission. The required permission in your screenshot has nothing to do with the API call. Granting your client app **Read** permission is good enough. Make sure you add exactly the app (that has the client ID you declared inside `` element). – EagleDev Mar 15 '18 at 18:28
  • I have now done the above at least 10 times -- the notification that the permissions were added arrives, and yet when I look on the app it says it has no permissions. Either I am doing it wrong, the UI is broken, or I don't understand it. – HerbM Mar 15 '18 at 21:50
  • Could you give the screen showing your client app is granted Read under the subscription’s Access Control IAM blade? – EagleDev Mar 15 '18 at 21:54
  • yes, I added this to the original question as an Update (near bottom). My interface is not quite the same as yours so I may not be following your instructions correctly. – HerbM Mar 16 '18 at 17:33
  • From the original question, there are two client apps (**RateCardHM** and **GetRateCardHM**), make sure you add the right one, and also change the client ID corresponding. While I'm checking to see if Billing is not available with Government subscription. Thank you! – EagleDev Mar 16 '18 at 17:43
  • @HerbM I cannot seem to find an official reference about Billing API supportability on Government Subscription. If I had a Gov subscription, I would try to look into that for you. Best to ask Microsoft representative for this information. Updated my answer. – EagleDev Mar 16 '18 at 17:54
  • You have really tried to help and I do appreciate that. – HerbM Mar 16 '18 at 19:15
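
The role assignment described in this answer can also be checked from PowerShell, which lists what the app's service principal actually holds at the subscription scope, independently of the "Required permissions" shown on the app registration. This is an added example, not code from the original answer or the Azure sample; it uses the AzureRM module already used in the question, and the subscription and client IDs are placeholders.

```powershell
# Added example. Placeholder values are assumptions; substitute your own.
$subscriptionId = '<subscription-id>'   # placeholder
$clientId       = '<app-client-id>'     # placeholder: the registered app's Application ID
$scope          = "/subscriptions/$subscriptionId"
$wantedRole     = 'Reader'              # or 'Billing Reader', as the answer notes

# Sign in to the Azure Government environment rather than the commercial cloud.
Login-AzureRmAccount -EnvironmentName AzureUSGovernment | Out-Null
Select-AzureRmSubscription -SubscriptionId $subscriptionId | Out-Null

# RBAC roles are assigned to the app's service principal in the tenant,
# so resolve the client ID to that principal first.
$sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $clientId
if (-not $sp) {
    throw "No service principal found for client ID $clientId in this tenant."
}

# Role assignments that apply to the principal at the subscription scope.
$existing = Get-AzureRmRoleAssignment -ObjectId $sp.Id -Scope $scope

# Assign the read-only role only if it is missing, keeping the grant minimal.
if ($existing.RoleDefinitionName -notcontains $wantedRole) {
    New-AzureRmRoleAssignment -ObjectId $sp.Id `
        -RoleDefinitionName $wantedRole -Scope $scope | Out-Null
}

# Show the resulting assignments for review.
Get-AzureRmRoleAssignment -ObjectId $sp.Id -Scope $scope |
    Select-Object DisplayName, RoleDefinitionName, Scope
```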
Microsoft Support has now attested that accessing the RateCard API is not available in an Enterprise Account (nor in a CSP account).

https://learn.microsoft.com/en-us/azure/billing/billing-usage-rate-card-overview#azure-resource-ratecard-api-preview

Azure Resource RateCard API (Preview)

  • Use the Azure Resource RateCard API to get the list of available Azure resources and estimated pricing information for each. The API includes: Azure Role-based Access Control - Configure your access policies on the Azure portal or through Azure PowerShell cmdlets to specify which users or applications can get access to the RateCard data. Callers must use standard Azure Active Directory tokens for authentication. Add the caller to either the Reader, Owner, or Contributor role to get access to the usage data for a particular Azure subscription.
  • Support for Pay-as-you-go, MSDN, Monetary commitment, and Monetary credit offers (EA and CSP not supported) - This API provides Azure offer-level rate information. The caller of this API must pass in the offer information to get resource details and rates. We're currently unable to provide EA rates because EA offers have customized rates per enrollment.

Thanks to everyone who tried to help.

HerbM