0
votes

I have a working app using the Azure REST API, and would like to extend it to gather information on Azure RIs (Reserved Instances). Regardless of whether I use the "Try It" link on the doc page (https://docs.microsoft.com/en-us/rest/api/reserved-vm-instances/reservationorder/list) or make the API call from my app, I get the same error. The user in question is the global admin for the account.

{
  "error": {
    "code": "AuthorizationFailed",
    "message": "The client '[email protected]' with object id 'e127xxxx-f0b7-4b52-802f-yyyyb171zzzz' does not have authorization to perform action 'Microsoft.Capacity/reservationOrders/read' over scope '/providers/Microsoft.Capacity'."
  }
}

Ideas? If this is an RBAC issue, it seems kind of pointless to provide a "Try It" link with no information about pre-reqs for getting this to work.

Thanks.

2 Answers

0
votes

Well, the global admin role only works for Azure AD; you need the owner\contributor role to perform that call (you specifically need the Microsoft.Capacity/reservationOrders/read permission).

You can also create a custom role to apply the least privilege principle:

https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
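
Added example, not part of the answer above or of Microsoft's code: it parses the AuthorizationFailed body from the question and evaluates the denied action against role definitions using the Actions-minus-NotActions rule. The built-in role data is abbreviated, the custom role name and the client address are constructed placeholders, and scope inheritance is not modelled.

```python
import json
import re

# Error body from the question; the client address is a constructed placeholder.
ERROR_BODY = json.dumps({"error": {"code": "AuthorizationFailed", "message": (
    "The client 'user@example.invalid' with object id "
    "'e127xxxx-f0b7-4b52-802f-yyyyb171zzzz' does not have authorization to perform "
    "action 'Microsoft.Capacity/reservationOrders/read' over scope "
    "'/providers/Microsoft.Capacity'.")}})

# Abbreviated built-in role definitions plus one hypothetical least-privilege custom role.
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {"Actions": ["*"], "NotActions": [
        "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action"]},
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Reservation Order Reader (custom)": {
        "Actions": ["Microsoft.Capacity/reservationOrders/read"], "NotActions": []},
}

def parse_authorization_failed(body):
    """Return object id, denied action and scope from an AuthorizationFailed body."""
    err = json.loads(body)["error"]
    if err["code"] != "AuthorizationFailed":
        raise ValueError("not an AuthorizationFailed error: " + err["code"])
    m = re.search(r"object id '([^']+)'.*action '([^']+)' over scope '([^']+)'",
                  err["message"])
    if not m:
        raise ValueError("unrecognised message format")
    return dict(zip(("object_id", "action", "scope"), m.groups()))

def _matches(action, patterns):
    # Action strings compare case-insensitively; '*' is the only wildcard.
    return any(re.fullmatch(re.escape(p).replace(r"\*", ".*"), action, re.IGNORECASE)
               for p in patterns)

def role_grants(role, action):
    """Effective permission is Actions minus NotActions."""
    return _matches(action, role["Actions"]) and not _matches(action, role["NotActions"])

def roles_granting(action):
    return [name for name, role in ROLES.items() if role_grants(role, action)]

if __name__ == "__main__":
    denied = parse_authorization_failed(ERROR_BODY)
    print(denied["action"], "over", denied["scope"])
    print("granted by:", roles_granting(denied["action"]))
    print("roleAssignments/write granted by:",
          roles_granting("Microsoft.Authorization/roleAssignments/write"))
```

The custom role is the only one that grants the reservation read without also granting every other read or write, which is the least-privilege point of the answer.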

0
votes

By default, the person that bought the reservation and the account administrator have the Owner role on the reservation. So the person who bought the reservation or the administrator needs to give you or your app access to reservations. You can do it in the Azure Portal. Go to reservations, then choose a reservation, go to the reservation order and delegate access. You can choose any type of role you want (Reader, for example). After that, your user/app has access to all reservations under that reservation order. Unfortunately, you need to perform that operation for all reservation orders.