Azure / azure-sdk-for-java

This repository is for active development of the Azure SDK for Java. For consumers of the SDK we recommend visiting our public developer docs at https://docs.microsoft.com/java/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-java.
MIT License

Getting ManagementException: Status code 403, "{"error":{"code":"AccessDenied","message":"Please provide below info when asking for support.. #29924

Closed yashaswi90 closed 2 years ago

yashaswi90 commented 2 years ago

I am trying to access the Azure Resource Graph Manager API using the Java SDK. For one environment it is working fine, but for the other environment I am getting the below error:

    com.azure.core.management.exception.ManagementException: Status code 403, "{"error":{"code":"AccessDenied","message":"Please provide below info when asking for support: timestamp = 2022-07-12T12:30:52.0887451Z, correlationId = a3b312c7-9555-43cd-bbbd-fc93a5a55e79.","details":[{"code":"AccessDenied","message":"Access is denied to the requested resource. The user might not have enough permission."}]}}": Please provide below info when asking for support: timestamp = 2022-07-12T12:30:52.0887451Z, correlationId = a3b312c7-9555-43cd-bbbd-fc93a5a55e79.

And I am able to execute the same thing through the console and am able to get the data, but when I am trying to access it through code it is working for one environment only and for the rest of them it is giving an exception. Please find the code snippet below:

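    import com.azure.core.credential.TokenCredential;
    import com.azure.core.management.AzureEnvironment;
    import com.azure.core.management.profile.AzureProfile;
    import com.azure.identity.DefaultAzureCredentialBuilder;
    import com.azure.resourcemanager.resourcegraph.ResourceGraphManager;
    import com.azure.resourcemanager.resourcegraph.models.QueryRequest;
    import com.azure.resourcemanager.resourcegraph.models.QueryRequestOptions;
    import com.azure.resourcemanager.resourcegraph.models.QueryResponse;
    import com.azure.resourcemanager.resourcegraph.models.ResultFormat;
    import java.util.Collections;

    AzureProfile profile = new AzureProfile(AzureEnvironment.AZURE);
    TokenCredential credential1 = new DefaultAzureCredentialBuilder()
            .authorityHost(profile.getEnvironment().getActiveDirectoryEndpoint())
            .build();
    ResourceGraphManager manager = ResourceGraphManager
            .authenticate(credential1, profile);
    // subscriptionId (String) is defined elsewhere in the caller's code
    QueryRequest queryRequest = new QueryRequest()
            .withSubscriptions(Collections.singletonList(subscriptionId))
            .withQuery("Resources | where type has \"microsoft.compute/disks\"| extend diskState = tostring(properties.diskState)| where managedBy == \"\" or diskState == 'Unattached'| extend Details = pack_all()| project id, resourceGroup, diskState, sku.name, properties.diskSizeGB, location, tags, subscriptionId, Details");

    // table format
    queryRequest.withOptions(new QueryRequestOptions().withResultFormat(ResultFormat.TABLE));
    QueryResponse response = manager.resourceProviders().resources(queryRequest);

    // object array format
    queryRequest.withOptions(new QueryRequestOptions().withResultFormat(ResultFormat.OBJECT_ARRAY));
    response = manager.resourceProviders().resources(queryRequest);

joshfree commented 2 years ago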

Hi @yashaswi90 thank you for reaching out to us via this GitHub issue. Customers with an Azure support plan can open an Azure support ticket. We recommend this option if your problem requires immediate attention [https://github.com/Azure/azure-sdk-for-java/edit/main/SUPPORT.md].

Otherwise someone from the Resource Graph SDK team will follow up with you shortly. /cc @weidongxu-microsoft

weidongxu-microsoft commented 2 years ago

@yashaswi90

Would you elaborate more about "environment"? Is it different tenantId, different subscriptionId, different Azure cloud?

yashaswi90 commented 2 years ago

> @yashaswi90
>
> Would you elaborate more about "environment"? Is it different tenantId, different subscriptionId, different Azure cloud?

@weidongxu-microsoft different subscription id.

weidongxu-microsoft commented 2 years ago

@yashaswi90

If you use service principal, make sure it has proper RBAC permission on the subscription.

I assume you need a Reader on the subscription. (we usually test with Owner and this issue was not reproduced).

I can see the same error if the service principal does not have permission on that subscription.

yashaswi90 commented 2 years ago

> @yashaswi90
>
> If you use service principal, make sure it has proper RBAC permission on the subscription.
>
> I assume you need a Reader on the subscription. (we usually test with Owner and this issue was not reproduced).
>
> I can see the same error if the service principal does not have permission on that subscription.

@weidongxu-microsoft I already have reader access, and I am able to get the data from Azure console, but when I am trying through the Java SDK, for this subscription it is giving Access denied.

Do we need to provide any more details if we are using the below code?

    AzureProfile profile = new AzureProfile(AzureEnvironment.AZURE);
    TokenCredential credential1 = new DefaultAzureCredentialBuilder()
            .authorityHost(profile.getEnvironment().getActiveDirectoryEndpoint())
            .build();

yashaswi90 commented 2 years ago

Thank you for your support, so we need to add the service principal.
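
Added example, not part of the thread and not the SDK's own code: the 403 above came down to which principal the code authenticates as, so this diagnostic prints the identity claims of the token that `DefaultAzureCredential` obtains for Azure Resource Manager. The class name `WhoAmI` and the helper `identityClaims` are hypothetical; the scope assumes the public cloud (`AzureEnvironment.AZURE`), and the regex-based claim extraction is a simplification that reads string claims only.

```java
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.DefaultAzureCredentialBuilder;

import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class WhoAmI {  // hypothetical name, for illustration only
    // Claims that identify the caller: tenant, object id, application id (v1/v2), user name.
    private static final String[] CLAIMS = {"tid", "oid", "appid", "azp", "upn"};

    /** Decodes the JWT payload (without verifying it) and returns the identity claims present. */
    static Map<String, String> identityClaims(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length < 2) {
            throw new IllegalArgumentException("not a JWT");
        }
        // JWT segments are unpadded base64url; Java's URL decoder accepts that.
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Map<String, String> found = new LinkedHashMap<>();
        for (String claim : CLAIMS) {
            Matcher m = Pattern.compile("\"" + claim + "\"\\s*:\\s*\"([^\"]*)\"").matcher(payload);
            if (m.find()) {
                found.put(claim, m.group(1));
            }
        }
        return found;
    }

    public static void main(String[] args) {
        TokenCredential credential = new DefaultAzureCredentialBuilder().build();
        // Azure Resource Manager audience for the public cloud (assumption: AzureEnvironment.AZURE).
        AccessToken token = credential
                .getToken(new TokenRequestContext().addScopes("https://management.azure.com/.default"))
                .block();
        // Print only the identifying claims, never the token itself.
        identityClaims(token.getToken()).forEach((k, v) -> System.out.println(k + " = " + v));
    }
}
```

Compare the printed `oid` (and `appid` for a service principal) with the principal that holds the Reader role assignment on the failing subscription; a mismatch means the console session and the code are running as different identities.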