azure - 尝试为 Azure 使用 Ansible 动态清单插件时出错

问题描述

我正在尝试使用 Ansible 的 azure_rm 插件为 Azure 中的 VM 生成动态清单，但是当我尝试运行 sanity-check 命令时出现“批处理请求”错误 403：

$ ansible all -m ping 
[WARNING]:  * Failed to parse /project/ansible/inventory.azure_rm.yml with
ansible_collections.azure.azcollection.plugins.inventory.azure_rm plugin: a batched request failed with status code 403, url
/subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.Compute/virtualMachines
...

以下是我的 macOS 设置的详细信息：

$ ansible --version
ansible 2.10.3
  config file = /project/ansible/ansible.cfg
  configured module search path = ['/Users/me/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/Cellar/ansible/2.10.3_1/libexec/lib/python3.9/site-packages/ansible
  executable location = /usr/local/Cellar/ansible/2.10.3_1/libexec/bin/ansible
  python version = 3.9.0 (default, Dec  6 2020, 18:02:34) [Clang 12.0.0 (clang-1200.0.32.27)]

这是 inventory.azure_rm.yml 文件：

plugin: azure_rm
include_vm_resource_groups:
- <redacted>
auth_source: auto

keyed_groups:
- prefix: tag
  key: tags

而且我还将它添加到本地 ansible.cfg 文件中：

inventory      = ./inventory.azure_rm.yml

我还将 Azure 身份验证的详细信息定义为环境变量：

$ env | grep AZURE
AZURE_TENANT=<redacted>
AZURE_CLIENT_ID=<redacted>
AZURE_USE_PRIVATE_IP=yes
AZURE_SECRET=<redacted>
AZURE_SUBSCRIPTION_ID=<redacted>

这些是我与 Terraform 一起用来创建我现在尝试动态清点的 VM 的相同“凭据”，所以它们应该是好的。因此，对于 403 错误背后的原因有点茫然。

然后我在命令中添加了一个 -vvvv 选项并获得了一些额外的信息：

$ ansible all -m ping -vvvv
ansible 2.10.3
  config file = /Users/me/project/ansible/ansible.cfg
  configured module search path = ['/Users/me/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/Cellar/ansible/2.10.3_1/libexec/lib/python3.9/site-packages/ansible
  executable location = /usr/local/Cellar/ansible/2.10.3_1/libexec/bin/ansible
  python version = 3.9.0 (default, Dec  6 2020, 18:02:34) [Clang 12.0.0 (clang-1200.0.32.27)]
Using /Users/me/project/ansible/ansible.cfg as config file
setting up inventory plugins
host_list declined parsing /Users/me/project/ansible/inventory.azure_rm.yml as it did not pass its verify_file() method
script declined parsing /Users/me/project/ansible/inventory.azure_rm.yml as it did not pass its verify_file() method
redirecting (type: inventory) ansible.builtin.azure_rm to azure.azcollection.azure_rm
Loading collection azure.azcollection from /Users/me/.ansible/collections/ansible_collections/azure/azcollection
toml declined parsing /Users/me/project/ansible/inventory.azure_rm.yml as it did not pass its verify_file() method
[WARNING]:  * Failed to parse /Users/me/project/ansible/inventory.azure_rm.yml with
ansible_collections.azure.azcollection.plugins.inventory.azure_rm  plugin: a batched request failed with status code 403, url
/subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.Compute/virtualMachines
  File "/usr/local/Cellar/ansible/2.10.3_1/libexec/lib/python3.9/site-packages/ansible/inventory/manager.py", line 289, in parse_source
    plugin.parse(self._inventory, self._loader, source, cache=cache)
  File "/usr/local/Cellar/ansible/2.10.3_1/libexec/lib/python3.9/site-packages/ansible/plugins/inventory/auto.py", line 59, in parse
    plugin.parse(inventory, loader, path, cache=cache)
  File "/Users/me/.ansible/collections/ansible_collections/azure/azcollection/plugins/inventory/azure_rm.py", line 206, in parse
    self._get_hosts()
  File "/Users/me/.ansible/collections/ansible_collections/azure/azcollection/plugins/inventory/azure_rm.py", line 263, in _get_hosts
    self._process_queue_batch()
  File "/Users/me/.ansible/collections/ansible_collections/azure/azcollection/plugins/inventory/azure_rm.py", line 405, in _process_queue_batch
    raise AnsibleError("a batched request failed with status code {0}, url {1}".format(status_code, result.url))

有没有人遇到过这个并想出一个解决办法？我假设我正在使用的服务主体缺少某些角色或权限，但我不知道它是什么给定的相同 SP 用于首先配置 VM。

标签： azureansible