Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

workflow Response status code does not indicate success: 401 (Unauthorized). #71

Closed
ilyhel opened this issue Sep 1, 2023 · 7 comments
Closed

workflow Response status code does not indicate success: 401 (Unauthorized). #71

ilyhel opened this issue Sep 1, 2023 · 7 comments

Comments

@ilyhel
Copy link

ilyhel commented Sep 1, 2023

Hi Folks, I try to create action workflow but I have this issue :

Version: 0.32.0.0 Using token credential: ChainedTokenCredential to fetch a token. Fetching subscription details... Token retrieved and expires at: 09/01/2023 17:12:06 +00:00 Retrieving data from /subscriptions//?api-version=2019-11-01 using the following payload: �[38;5;8mnull�[0m Response status code is OK and got payload size of 397 Retrieved subscription details: �[38;5;8m�[0m �[38;5;12m"id"�[0m�[38;5;11m:�[0m �[38;5;9m"/subscriptions/"�[0m�[38;5;8m,�[0m �[38;5;12m"authorizationSource"�[0m�[38;5;11m:�[0m �[38;5;9m"Bypassed"�[0m�[38;5;8m,�[0m �[38;5;12m"managedByTenants"�[0m�[38;5;11m:�[0m �[38;5;8m[�[0m �[38;5;8m],�[0m �[38;5;12m"subscriptionId"�[0m�[38;5;11m:�[0m �[38;5;9m""�[0m�[38;5;8m,�[0m �[38;5;12m"tenantId"�[0m�[38;5;11m:�[0m �[38;5;9m""�[0m�[38;5;8m,�[0m �[38;5;12m"displayName"�[0m�[38;5;11m:�[0m �[38;5;9m"Azure subscription 1"�[0m�[38;5;8m,�[0m �[38;5;12m"state"�[0m�[38;5;11m:�[0m �[38;5;9m"Enabled"�[0m�[38;5;8m,�[0m �[38;5;12m"subscriptionPolicies"�[0m�[38;5;11m:�[0m �[38;5;8m�[0m �[38;5;12m"locationPlacementId"�[0m�[38;5;11m:�[0m �[38;5;9m"Public_2014-09-01"�[0m�[38;5;8m,�[0m �[38;5;12m"quotaId"�[0m�[38;5;11m:�[0m �[38;5;9m"FreeTrial_2014-09-01"�[0m�[38;5;8m,�[0m �[38;5;12m"spendingLimit"�[0m�[38;5;11m:�[0m �[38;5;9m"On"�[0m �[38;5;8m�[0m �[38;5;8m�[0m Retrieving data from /subscriptions//providers/Microsoft.CostMana gement/query?api-version=2021-10-01&$top=5000 using the following payload: �[38;5;8m�[0m �[38;5;12m"type"�[0m�[38;5;11m:�[0m �[38;5;9m"ActualCost"�[0m�[38;5;8m,�[0m �[38;5;12m"timeframe"�[0m�[38;5;11m:�[0m �[38;5;9m"BillingMonthToDate"�[0m�[38;5;8m,�[0m �[38;5;12m"timePeriod"�[0m�[38;5;11m:�[0m �[38;5;8mnull,�[0m �[38;5;12m"dataSet"�[0m�[38;5;11m:�[0m �[38;5;8m�[0m �[38;5;12m"granularity"�[0m�[38;5;11m:�[0m �[38;5;9m"Daily"�[0m�[38;5;8m,�[0m �[38;5;12m"aggregation"�[0m�[38;5;11m:�[0m �[38;5;8m�[0m �[38;5;12m"totalCost"�[0m�[38;5;11m:�[0m �[38;5;8m�[0m �[38;5;12m"name"�[0m�[38;5;11m:�[0m �[38;5;9m"Cost"�[0m�[38;5;8m,�[0m �[38;5;12m"function"�[0m�[38;5;11m:�[0m �[38;5;9m"Sum"�[0m �[38;5;8m,�[0m �[38;5;12m"totalCostUSD"�[0m�[38;5;11m:�[0m �[38;5;8m�[0m �[38;5;12m"name"�[0m�[38;5;11m:�[0m �[38;5;9m"CostUSD"�[0m�[38;5;8m,�[0m �[38;5;12m"function"�[0m�[38;5;11m:�[0m �[38;5;9m"Sum"�[0m �[38;5;8m�[0m �[38;5;8m***,�[0m �[38;5;12m"filter"�[0m�[38;5;11m:�[0m �[38;5;8mnull,�[0m �[38;5;12m"sorting"�[0m�[38;5;11m:�[0m �[38;5;8m[�[0m �[38;5;8m�[0m �[38;5;12m"direction"�[0m�[38;5;11m:�[0m �[38;5;9m"Ascending"�[0m�[38;5;8m,�[0m �[38;5;12m"name"�[0m�[38;5;11m:�[0m �[38;5;9m"UsageDate"�[0m �[38;5;8m�[0m �[38;5;8m]�[0m �[38;5;8m�[0m �[38;5;8m�[0m Fetching cost data... Response status code is Unauthorized and got payload size of 156 Response content: "error":"code":"RBACAccessDenied","message":"The client does not have authorization to perform action. Request ID: 69fea753-8348-423d-90f1-85085ebec592"*** �[38;5;9mError:�[0m Response status code does not indicate success: 401 (Unauthorized).

I use az ad sp create-for-rbac --name "FinOpsCli" --role "Cost Management Reader" --scopes /subscriptions/Sub-ID1/resourceGroups/FinOpsRG --sdk-auth to assign role to sp and get AZURE_CREDENTIALS.

Best regards,
@welcome
Copy link

welcome bot commented Sep 1, 2023

Thanks for opening your first issue! Reports like these help improve the project!

@mivano
Copy link
Owner

mivano commented Sep 1, 2023

It tries to fetch the data for the whole of the subscriptions, not on the resourcegroup level. That can be the reason you get the 401, as the scope is subscription.

@ilyhel
Copy link
Author

ilyhel commented Sep 1, 2023

ty! I will try to specify a resource group name

@ilyhel
Copy link
Author

ilyhel commented Sep 1, 2023

@mivano I try with this command azure-cost costByResource -o markdown -s ${{ github.event.inputs.azure-sub-id }} --query "ByResourceGroup["FinOpsRG"].[ResourceGroup, Cost]" --debug >> $GITHUB_STEP_SUMMARY but I still get the same error Version: 0.32.0.0 Using token credential: ChainedTokenCredential to fetch a token. Fetching cost data for resources... Token retrieved and expires at: 09/01/2023 23:28:50 +00:00 Retrieving data from /subscriptions//providers/Microsoft.CostMana gement/query?api-version=2021-10-01&$top=5000 using the following payload: �[38;5;8m�[0m �[38;5;12m"type"�[0m�[38;5;11m:�[0m �[38;5;9m"ActualCost"�[0m�[38;5;8m,�[0m �[38;5;12m"timeframe"�[0m�[38;5;11m:�[0m �[38;5;9m"BillingMonthToDate"�[0m�[38;5;8m,�[0m �[38;5;12m"timePeriod"�[0m�[38;5;11m:�[0m �[38;5;8mnull,�[0m �[38;5;12m"dataSet"�[0m�[38;5;11m:�[0m �[38;5;8m�[0m �[38;5;12m"granularity"�[0m�[38;5;11m:�[0m �[38;5;9m"None"�[0m�[38;5;8m,�[0m �[38;5;12m"aggregation"�[0m�[38;5;11m:�[0m �[38;5;8m�[0m �[38;5;12m"totalCost"�[0m�[38;5;11m:�[0m �[38;5;8m�[0m �[38;5;12m"name"�[0m�[38;5;11m:�[0m �[38;5;9m"Cost"�[0m�[38;5;8m,�[0m �[38;5;12m"function"�[0m�[38;5;11m:�[0m �[38;5;9m"Sum"�[0m �[38;5;8m,�[0m �[38;5;12m"totalCostUSD"�[0m�[38;5;11m:�[0m �[38;5;8m�[0m �[38;5;12m"name"�[0m�[38;5;11m:�[0m �[38;5;9m"CostUSD"�[0m�[38;5;8m,�[0m �[38;5;12m"function"�[0m�[38;5;11m:�[0m �[38;5;9m"Sum"�[0m �[38;5;8m�[0m �[38;5;8m***,�[0m �[38;5;12m"include"�[0m�[38;5;11m:�[0m �[38;5;8m[�[0m �[38;5;9m"Tags"�[0m �[38;5;8m],�[0m �[38;5;12m"filter"�[0m�[38;5;11m:�[0m �[38;5;8mnull,�[0m �[38;5;12m"grouping"�[0m�[38;5;11m:�[0m �[38;5;8m[�[0m �[38;5;8m�[0m �[38;5;12m"type"�[0m�[38;5;11m:�[0m �[38;5;9m"Dimension"�[0m�[38;5;8m,�[0m �[38;5;12m"name"�[0m�[38;5;11m:�[0m �[38;5;9m"ResourceId"�[0m �[38;5;8m,�[0m �[38;5;8m�[0m �[38;5;12m"type"�[0m�[38;5;11m:�[0m �[38;5;9m"Dimension"�[0m�[38;5;8m,�[0m �[38;5;12m"name"�[0m�[38;5;11m:�[0m �[38;5;9m"ResourceType"�[0m �[38;5;8m,�[0m �[38;5;8m�[0m �[38;5;12m"type"�[0m�[38;5;11m:�[0m �[38;5;9m"Dimension"�[0m�[38;5;8m,�[0m �[38;5;12m"name"�[0m�[38;5;11m:�[0m �[38;5;9m"ResourceLocation"�[0m �[38;5;8m,�[0m �[38;5;8m�[0m �[38;5;12m"type"�[0m�[38;5;11m:�[0m �[38;5;9m"Dimension"�[0m�[38;5;8m,�[0m �[38;5;12m"name"�[0m�[38;5;11m:�[0m �[38;5;9m"ChargeType"�[0m �[38;5;8m,�[0m �[38;5;8m�[0m �[38;5;12m"type"�[0m�[38;5;11m:�[0m �[38;5;9m"Dimension"�[0m�[38;5;8m,�[0m �[38;5;12m"name"�[0m�[38;5;11m:�[0m �[38;5;9m"ResourceGroupName"�[0m �[38;5;8m,�[0m �[38;5;8m�[0m �[38;5;12m"type"�[0m�[38;5;11m:�[0m �[38;5;9m"Dimension"�[0m�[38;5;8m,�[0m �[38;5;12m"name"�[0m�[38;5;11m:�[0m �[38;5;9m"PublisherType"�[0m �[38;5;8m,�[0m �[38;5;8m�[0m �[38;5;12m"type"�[0m�[38;5;11m:�[0m �[38;5;9m"Dimension"�[0m�[38;5;8m,�[0m �[38;5;12m"name"�[0m�[38;5;11m:�[0m �[38;5;9m"MeterCategory"�[0m �[38;5;8m,�[0m �[38;5;8m�[0m �[38;5;12m"type"�[0m�[38;5;11m:�[0m �[38;5;9m"Dimension"�[0m�[38;5;8m,�[0m �[38;5;12m"name"�[0m�[38;5;11m:�[0m �[38;5;9m"MeterSubcategory"�[0m �[38;5;8m,�[0m �[38;5;8m�[0m �[38;5;12m"type"�[0m�[38;5;11m:�[0m �[38;5;9m"Dimension"�[0m�[38;5;8m,�[0m �[38;5;12m"name"�[0m�[38;5;11m:�[0m �[38;5;9m"Meter"�[0m �[38;5;8m�[0m �[38;5;8m]�[0m �[38;5;8m�[0m �[38;5;8m�[0m Response status code is Unauthorized and got payload size of 156 Response content: "error":"code":"RBACAccessDenied","message":"The client does not have authorization to perform action. Request ID: b72f026f-f1c1-4831-b133-7950fcfefb8a"*** �[38;5;9mError:�[0m Response status code does not indicate success: 401 (Unauthorized).

how do you register the sp to get AZURE_CREDENTIALS? I found this ref https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/assign-roles-azure-service-principals

@mivano
Copy link
Owner

mivano commented Sep 2, 2023

Your registration is correct, but you scope it to a resource group: az ad sp create-for-rbac --name "FinOpsCli" --role "Cost Management Reader" --scopes /subscriptions/Sub-ID1/resourceGroups/FinOpsRG --sdk-auth so remove the /resourceGroups/FinOpsRG from it.

And what you are doing is not wrong, but the tool does a call to the api with a scope on the subscription, not on a resource group level (yes, you can query or filter on resource groups, but it will still do the call on the subscription level). I could use a different scope, but for simplicity, it currently operates on subscriptions.

To get the authentication, the tool looks at the default credentials provided, so it will first query the AZ login call. So you can try to log in using the az login call. See the docs.

@ilyhel
Copy link
Author

ilyhel commented Sep 3, 2023

Thank you so much @mivano it work fine now 😊 I remove the scope as you mentioned, still to play with the query parameters, I will try to add more examples to the Query section 😉.
cheers!

@mivano
Copy link
Owner

mivano commented Sep 3, 2023

Good to hear that it works for you. If you have more examples, then please do a PR with them.

@mivano mivano closed this as completed Sep 3, 2023
@github-actions github-actions bot mentioned this issue Oct 1, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mivano @ilyhel