Share via

How can I get metrics like CPU Percentage of my Virtual Machine using Azure REST API?

김중원 0 Reputation points
2024-11-08T01:42:32.71+00:00

Hello!

In the backend I am currently developing, I need to use Azure's REST API to retrieve performance metrics (such as CPU usage) for an Azure Virtual Machine I am using.

However, I am encountering a permissions issue related to the token, so I am posting this question.

Here are the steps I have taken:

  1. Called the https://login.microsoftonline.com/${tenantID}/oauth2/token API to obtain an Access Token (set the resource sent to this API as "management.azure.com").
  2. Set the Access Token obtained in step 1 in the header as Authorization: Bearer ${Access Token}.
  3. Called the following API: https://management.azure.com/subscriptions/${subscriptionId}/resourceGroups/${resourceGroupName}/providers/Microsoft.Compute/virtualMachines/${vmname}/providers/microsoft.insights/metrics?api-version=2018-01-01&metricnames=Percentage%20CPU&timespan=2018-06-05T03:00:00Z/2018-06-07T03:00:00Z

I proceeded in the above order, but I keep getting an error related to the token's permissions:

The client '7******c5-****-48**-b**1-***e5e***9cc' with object id '7******c5-****-48**-b**1-***e5e***9cc' does not have authorization to perform action 'microsoft.insights/metrics/read' over scope '/subscriptions/3a1425d3-******-****-ebf0*******/resourceGroups/TestResource/providers/Microsoft.Compute/virtualMachines/test-virtual-machine/providers/microsoft.insights' or the scope is invalid. If access was recently granted, please refresh your credentials

To resolve this error, I tried assigning roles, but the same issue persists.

I tried to add a role one by one by reading other questions and posts to resolve this, but the same error still returns.

User's image

Could you let me know what I should try more to resolve it? Thank you for reading my question!

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,318 questions
Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,992 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. PRADEEPCHEEKATLA 90,226 Reputation points
    2024-11-08T03:11:50.9666667+00:00

    @김중원 - Thanks for the question and using MS Q&A platform.

    The error you're facing is due to missing permissions for reading metrics from Azure Monitor (via microsoft.insights/metrics/read). To retrieve metrics like CPU usage from a Virtual Machine, you need to ensure that the appropriate Azure Monitor permissions are granted to the service principal or user trying to access these metrics.

    Follow the below steps to resolve the issue.

    Step1: Ensure 'Monitoring Contributor' Role rather than 'Monitoring Reader':

    From the image, it looks like you have several roles assigned. The Monitoring Contributor role should have permissions to read monitoring data. However, make sure this role is assigned at the correct scope (either directly on the VM or at the resource group or subscription level).

    Note: You may want to try assigning the Monitoring Contributor role, which has broader permissions, including updating monitoring settings. This role might give you the additional permissions needed in case of any discrepancies in the Monitoring Reader permissions.

    User's image

    Azure role-based access control (Azure RBAC) provides built-in roles for monitoring that you can assign to users, groups, service principals, and managed identities. The most common roles are Monitoring Reader and Monitoring Contributor for read and write permissions, respectively.

    For more detailed information on the monitoring roles, see RBAC Monitoring Roles.

    Step2: Confirm Role Propagation:

    Sometimes, role assignments may take a few minutes to propagate. After assigning the role, wait a few minutes, and then refresh your token.

    Note: Make sure to wait up to 10 minutes for changes to take effect after assigning or removing roles. 

    Step3: Validate the Scope in Your API Call: Double-check that the scope in your API call matches the scope where the role was assigned. The scope in the error message seems to reference the path for the Virtual Machine and the Azure Monitor provider (microsoft.insights), which should match the API's path.

    Step4:Use the Correct API Version: Make sure the api-version in your request is compatible with your setup. For some metric APIs, you might need a more recent version than 2018-01-01.

    GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmname}/providers/microsoft.insights/metrics?api-version=2018-01-01&metricnames=Percentage%20CPU&timespan=2018-06-05T03:00:00Z/2018-06-07T03:00:00Z

    Step5:Re-Obtain the Access Token: If you recently assigned the role, try re-fetching the access token after ensuring the permissions are correctly in place.

    For more details, refer to Roles, permissions, and security in Azure Monitor and Azure built-in roles for Monitor.

    Hope this helps. Do let us know if you have any further queries.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.