Service tags REST API needs subscription level rights?

Goal

I want to use the service tags REST API endpoint to get all the AzureCloud datacenter public IP addresses.

Problem

I can get a response body of about 46k lines, but the AzureCloud tag is nowhere in there.

Steps

Firstly, I created an account using the AZ CLI tool with az ad sp create-for-rbac -n "MyApp".

With a tenant ID, app ID/client ID, password/client secret, and subscription ID, I can use https://login.microsoftonline.com/{{ tenant_id }}/oauth2/token to get a bearer token.

Using the bearer token, I can query the service tags using https://management.azure.com/subscriptions/{{ subscription_id }}/providers/Microsoft.Network/locations/eastus/serviceTags?api-version=2020-05-01.

What I've done

I came across a GitHub issue that is somewhat related to my problem stating that by design, we cannot get all the datacenter public IPs if the user does not have subscription level rights.

I tried the following commands to try to give subscription scope rights to my app, but to no avail:

  • az ad sp create-for-rbac -n "MyApp2" --role reader --scopes "/subscriptions/{{ subscription_id }}" to create a new account while specifying reader role and scope of the subscription.

  • az role assignment create --assignee "{{ app_id }}" --role "Reader" --scope "/subscriptions/{{ subscription_id }}" to create a new role and specify scope.

  • az role assignment create --assignee "{{ app_id }}" --role "Owner" --subscription "{{ subscription_id }}" to create a new role and specify subscription.

My app still has the scope set to "This resource".

I suspect there is something I am misunderstanding about Azure, given I am completely new to Azure (just created a free trial account yesterday).

All help will be appreciated, thank you!

submitted by /u/Inevitable-Stress
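
A check that can be run over the response body the post describes, added here as an example and not part of the original post: it lists entries matching a tag name, including regional variants such as AzureCloud.eastus, and validates their prefixes before they go into an allow list. The field names (values, name, properties.addressPrefixes) are assumed from the serviceTags list response shape, and the sample data is constructed with documentation IP ranges.

```python
import ipaddress
import json

# Constructed sample in the assumed shape of a serviceTags list response.
# Not real Azure data: the prefixes are documentation ranges.
SAMPLE_RESPONSE = json.loads("""
{"cloud": "Public", "values": [
  {"name": "Storage", "id": "Storage",
   "properties": {"region": "", "systemService": "AzureStorage",
                  "addressPrefixes": ["192.0.2.0/25", "192.0.2.128/25"]}},
  {"name": "AzureCloud.eastus", "id": "AzureCloud.eastus",
   "properties": {"region": "eastus", "systemService": "",
                  "addressPrefixes": ["198.51.100.0/24", "2001:db8::/48", "not-a-cidr"]}}
]}
""")


def find_tags(response, wanted):
    """Return entries named exactly `wanted` or a regional variant `wanted.<region>`."""
    wanted = wanted.lower()
    return [v for v in response.get("values", [])
            if v.get("name", "").lower() == wanted
            or v.get("name", "").lower().startswith(wanted + ".")]


def prefixes_for(response, wanted):
    """Collect validated, collapsed IPv4/IPv6 networks for the matching tags."""
    v4, v6, rejected = [], [], []
    for tag in find_tags(response, wanted):
        for raw in tag.get("properties", {}).get("addressPrefixes", []):
            try:
                net = ipaddress.ip_network(raw, strict=True)
            except ValueError:
                rejected.append(raw)  # keep unparsed strings out of firewall rules
                continue
            (v4 if net.version == 4 else v6).append(net)
    return {
        "ipv4": [str(n) for n in ipaddress.collapse_addresses(v4)],
        "ipv6": [str(n) for n in ipaddress.collapse_addresses(v6)],
        "rejected": rejected,
    }


if __name__ == "__main__":
    print("tags present:", sorted(v["name"] for v in SAMPLE_RESPONSE["values"]))
    print("AzureCloud:", prefixes_for(SAMPLE_RESPONSE, "AzureCloud"))
```

Running it against a saved response shows which tag names are actually present; it does not explain why a tag is absent.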

Read more here: https://www.reddit.com/r/AZURE/comments/jwkbck/service_tags_rest_api_needs_subscription_level/

Content Attribution

This content was originally published by /u/Inevitable-Stress at Microsoft Azure, and is syndicated here via their RSS feed. You can read the original post over there.
