More than Reader Access is required #1612

@lanicolas

🐛 Problem

This doc https://github.com/microsoft/finops-toolkit/blob/dev/docs-mslearn/toolkit/workbooks/finops-workbooks-overview.md mentions that reader access is enough to deploy the workbooks and you will be able to import it and just not save it. This would be true if we have the JSON file and import it via Azure Monitor Workbooks directly. However, since what we provide is the ARM template, more permissions are required or you get this message:

You don’t have authorization to perform action 'Microsoft.Resources/deployments/validate/action'.

👣 Repro steps

  1. Have only reader access on the environment
  2. Try to deploy the ARM template as stated here https://learn.microsoft.com/en-us/cloud-computing/finops/toolkit/workbooks/finops-workbooks-overview#deploy-the-workbooks
  3. You will get the message with either of the workbooks if only reader access is assigned.

🤔 Expected

There are a few options:

  • Provide the detailed roles required to deploy it
  • Add the workbook to the gallery so it can be imported but not saved
  • Share the workbooks' JSON so it is not part of an ARM template and can be imported and not saved bypassing the validation role required

ℹ️ Additional context

This affects the VBD description of WACOA as we only request reader access and the workbook is part of the workflow

Activity

added the issue type on May 21, 2025
added this to the 2025-05 - May milestone on May 21, 2025
flanakin commented on May 21, 2025

Collaborator

@arthurclares Can you look into this one? Readers can't deploy the template, but they would be able to upload the JSON. We may need to add instructions for downloading the ZIP and grabbing the JSON. Thoughts?

self-assigned this
on May 23, 2025
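
The gap reported in this issue can be checked offline by evaluating role definitions against the action named in the error message. This is an added example, not code from the issue or from the FinOps toolkit: the role definitions are constructed, abbreviated samples in the shape `az role definition list` returns, `VALIDATE_ONLY` is a hypothetical custom role, and only the one action quoted in the error is checked.

```python
import re

# Action named in the authorization error quoted in this issue.
REQUIRED = "Microsoft.Resources/deployments/validate/action"

# Constructed, abbreviated role definitions (only the fields used here).
READER = {"roleName": "Reader",
          "permissions": [{"actions": ["*/read"], "notActions": []}]}
CONTRIBUTOR = {"roleName": "Contributor",
               "permissions": [{"actions": ["*"],
                                "notActions": ["Microsoft.Authorization/*/Write",
                                               "Microsoft.Authorization/*/Delete"]}]}
# Hypothetical custom role: read access plus template validation only.
VALIDATE_ONLY = {"roleName": "Reader plus validate (hypothetical)",
                 "permissions": [{"actions": ["*/read", REQUIRED],
                                  "notActions": []}]}


def _matches(pattern, action):
    """Azure RBAC patterns: '*' matches any run of characters, case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def role_allows(role, action):
    """True if a permission block grants the action and does not exclude it."""
    for perm in role.get("permissions", []):
        granted = any(_matches(p, action) for p in perm.get("actions", []))
        excluded = any(_matches(p, action) for p in perm.get("notActions", []))
        if granted and not excluded:
            return True
    return False


def missing_actions(roles, required):
    """Actions in `required` that none of the assigned roles allow."""
    return [a for a in required if not any(role_allows(r, a) for r in roles)]


if __name__ == "__main__":
    for role in (READER, CONTRIBUTOR, VALIDATE_ONLY):
        gap = missing_actions([role], [REQUIRED])
        status = "missing " + ", ".join(gap) if gap else "ok"
        print(f"{role['roleName']}: {status}")
```
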