
Problem description

I have the following situation.

  1. I have an account at my workplace and a Visual Studio Professional subscription.
  2. I cannot create service principals in my organization's tenant. It is forbidden, and I will not be granted the privilege to do so.
  3. I created a new tenant myself, say "myowntenant". I created a new application there and, as a result, got a service principal named "example-app".
  4. I then went to the Visual Studio subscription and granted the service principal (example-app) Contributor access to the subscription.

When I try to use my Terraform environment with the VS subscription ID, my own tenant ID, and the client ID and secret of "example-app", I get an unauthorized error stating that the access token is from the wrong issuer.

It seems my understanding of Azure subscriptions, tenants and service principals is incorrect. Can someone tell me why this does not work even though the service principal has Contributor access to the subscription?

Terraform code:

## <https://www.terraform.io/docs/providers/azurerm/index.html>
provider "azurerm" {
  version = "=2.5.0"
  features {}
}

## <https://www.terraform.io/docs/providers/azurerm/r/resource_group.html>
resource "azurerm_resource_group" "rg" {
  name     = "TerraformTesting"
  location = "eastus"
}

## <https://www.terraform.io/docs/providers/azurerm/r/availability_set.html>
resource "azurerm_availability_set" "DemoAset" {
  name                = "example-aset"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}

## <https://www.terraform.io/docs/providers/azurerm/r/virtual_network.html>
resource "azurerm_virtual_network" "vnet" {
  name                = "vNet"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}

## <https://www.terraform.io/docs/providers/azurerm/r/subnet.html> 
resource "azurerm_subnet" "subnet" {
  name                 = "internal"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefix       = "10.0.2.0/24"
}

## <https://www.terraform.io/docs/providers/azurerm/r/network_interface.html>
resource "azurerm_network_interface" "example" {
  name                = "example-nic"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name

  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.subnet.id
    private_ip_address_allocation = "Dynamic"
  }
}

## <https://www.terraform.io/docs/providers/azurerm/r/windows_virtual_machine.html>
resource "azurerm_windows_virtual_machine" "example" {
  name                = "example-machine"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  size                = "Standard_F2"
  admin_username      = "adminuser"
  admin_password      = "P@$$w0rd1234!"
  availability_set_id = azurerm_availability_set.DemoAset.id
  network_interface_ids = [
    azurerm_network_interface.example.id,
  ]

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  source_image_reference {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServer"
    sku       = "2016-Datacenter"
    version   = "latest"
  }
}

Tags: azure-active-directory, terraform-provider-azure, azure-service-principal

Solution


Combined with your other post: step 4 cannot be achieved, which is why you receive this error.

A tenant can have multiple subscriptions, but a subscription can only be bound to one tenant.

You wrongly believe that you successfully granted the service principal named "example-app" (from another tenant) Contributor access to the subscription, because there is a service principal with the same name in this subscription.

So your design cannot be achieved.
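The "access token is from the wrong issuer" error in the question can be confirmed before touching Terraform by looking at the tenant that issued the token and comparing it with the tenant the subscription belongs to. The script below is an added diagnostic example, not code from the question or the answer; it builds an unsigned, constructed sample token with the claims Azure AD tokens carry (`iss`, `tid`, `appid`, `aud`) and then checks the issuing tenant against the subscription's tenant. The GUIDs are placeholders, and the function and variable names are assumptions made for this example.

```python
import base64
import json
from typing import Optional

# Constructed placeholder tenant ids (not real values from the question).
SUBSCRIPTION_TENANT_ID = "00000000-0000-0000-0000-00000000aaaa"  # tenant the VS subscription is bound to
OWN_TENANT_ID = "00000000-0000-0000-0000-00000000bbbb"           # "myowntenant", where example-app was created
EXAMPLE_APP_ID = "11111111-1111-1111-1111-111111111111"          # placeholder client id of example-app


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(tenant_id: str, app_id: str) -> str:
    """Build an UNSIGNED sample token shaped like an Azure AD v1 access token.

    Constructed for illustration only: real tokens are signed by Azure AD and
    the empty signature segment here would never be accepted by ARM.
    """
    header = {"typ": "JWT", "alg": "none"}
    payload = {
        "iss": f"https://sts.windows.net/{tenant_id}/",  # issuer is the tenant that minted the token
        "tid": tenant_id,                                # tenant id claim
        "appid": app_id,                                 # client (application) id
        "aud": "https://management.azure.com/",          # ARM audience
    }
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        "",  # no signature in this constructed sample
    ])


def token_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying the signature.

    Diagnostic use only: this shows which tenant issued the token; it does not
    prove the token is genuine, so never use it for authorization decisions.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def issuer_tenant(token: str) -> str:
    """Tenant id that issued the token: the 'tid' claim, or the last path part of 'iss'."""
    claims = token_claims(token)
    if "tid" in claims:
        return claims["tid"]
    return claims["iss"].rstrip("/").rsplit("/", 1)[-1]


def explain_issuer_mismatch(token: str, subscription_tenant_id: str) -> Optional[str]:
    """None if the token comes from the subscription's tenant, else a message explaining why ARM rejects it."""
    tid = issuer_tenant(token)
    if tid.lower() == subscription_tenant_id.lower():
        return None
    return (
        f"token issued by tenant {tid}, but the subscription is bound to tenant "
        f"{subscription_tenant_id}; ARM rejects it as coming from the wrong issuer"
    )


if __name__ == "__main__":
    # The situation from the question: example-app lives in myowntenant,
    # the subscription lives in the workplace tenant.
    token = make_sample_token(OWN_TENANT_ID, EXAMPLE_APP_ID)
    print(explain_issuer_mismatch(token, SUBSCRIPTION_TENANT_ID))
```

To apply this to a real environment, the subscription's tenant id is the `tenantId` shown by `az account show` for that subscription, and the token's `tid` must equal it; a service principal created in a different tenant will always produce the mismatch message above, no matter which role assignments exist on the subscription.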

