1

In our organization, we have a common Azure subscription with a separate resource group for each solution. I have Owner rights for my solution's resource group, but when we create Databricks workspaces, a separate managed resource group databricks-rg-*** is created which I don't have access to. To be able to manage our Azure costs, I need to have access to the Cost analysis section of this managed resource group. What role do I need in this resource group to be able to see the costs?

Magnus Johannesson
  • 432
  • 7
  • 20

1 Answers1

2

To be able to manage our Azure costs, I need to have access to the Cost analysis section of this managed resource group. What role do I need in this resource group to be able to see the costs?

To see the cost, the Reader role is enough. If you want to do other operations except reading, you need the role e.g. Contributor, Owner.

Joy Wang
  • 39,905
  • 3
  • 30
  • 54
  • It seems it is not possible to add role assignments to a databricks-rg-xxx resource group: "Failed to add Role assignment Failed to add xxx as Reader for databricks-rg-xxx : The client 'xxx' with object id 'xxx' has permission to perform action 'Microsoft.Authorization/roleAssignments/write' on scope 'xxx'; however, the access is denied because of the deny assignment with name 'System deny assignment created by Azure Databricks..." Do I need to have the Reader role on the Azure subscription level to be able to see the costs for this resource group? – Magnus Johannesson Sep 02 '20 at 06:26
  • @MagnusJohannesson Yes, looks you need to add the `Reader` role on the subscription level, I can also reproduce your issue, there is a deny assignment in this group -> `Access control (IAM)` -> `Deny assignments` which created by your workspace, it is read-only. – Joy Wang Sep 02 '20 at 06:34
  • @JoyWang-MSFT Don't you think it is unreasonable to suggest "Reader" on an entire subscription? Many companies have subscriptions that are shared by dozens of solutions. Even recommending "Billing Reader" on the subscription seems like a stretch. This issue needs a better solution. – David Beavon Nov 19 '21 at 22:51