Create Azure Container Service cluster fails with error insufficient privileges for Azure Graph
After using Azure CLI version 2.0.20, I am suddenly unable to create ACS clusters anymore.
Created the resource group testrg:
az group create -l westus -n testrg
Both az aks and acs fail. The commands used:
az aks create -n test-k8s-stg -g testrg
az acs create --orchestrator-type=kubernetes --resource-group testrg --name=test-nix-stg --admin-username test-admin --admin-password TestPassword --generate-ssh-keys
Both fail with the error:
Insufficient privileges to complete the operation.
Traceback (most recent call last):
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\main.py", line 36, in main
cmd_result = APPLICATION.execute(args)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\application.py", line 212, in execute
result = expanded_arg.func(params)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 377, in __call__
return self.handler(*args, **kwargs)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 630, in _execute_command
raise client_exception
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 620, in _execute_command
reraise(*sys.exc_info())
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\six.py", line 693, in reraise
raise value
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 602, in _execute_command
result = op(client, **kwargs) if client else op(**kwargs)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\acs\custom.py", line 516, in acs_create
dns_name_prefix, location, name)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\acs\custom.py", line 1372, in _ensure_service_principal
service_principal = _build_service_principal(client, name, url, client_secret)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\acs\custom.py", line 319, in _build_service_principal
result = create_application(client.applications, name, url, [url], password=client_secret)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\acs\custom.py", line 970, in create_application
return client.create(app_create_param)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\graphrbac\operations\applications_operations.py", line 87, in create
raise models.GraphErrorException(self._deserialize, response)
azure.graphrbac.models.graph_error.GraphErrorException: Insufficient privileges to complete the operation.
I can create other resources using the CLI, for example a web app with the following commands:
az appservice plan create -g testrg -n B1Plan --is-linux
az webapp create --resource-group testrg --name testwebapp -p B1Plan -r "node|8.1"
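As Weinong Wang pointed out, I had to supply the AppId of an existing service principal and its client secret, because I do not have permission to create a new service principal for the cluster.
The commands to create a new cluster and configure kubectl to connect to it are: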
az aks create -n test-k8s-stg -g testrg
az acs create --orchestrator-type=kubernetes --resource-group testrg --name=test-nix-stg --admin-username test-admin --admin-password TestPassword --generate-ssh-keys --service-principal "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" --client-secret "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="
az acs kubernetes get-credentials --resource-group=testrg --name=test-nix-stg
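An added example, not part of the original post or of the Azure CLI: a POSIX shell wrapper for the `az acs create` call above that refuses to run unless an existing service principal is supplied, so the CLI never reaches the Graph application-create call seen in the traceback, and that masks the client secret when it logs the command. The variable names `ACS_SP_APP_ID`, `ACS_SP_SECRET` and `ACS_DRY_RUN` and all function names are assumptions made for this sketch.

```shell
# Added example. ACS_SP_APP_ID, ACS_SP_SECRET, ACS_DRY_RUN and all function
# names are hypothetical, chosen for this sketch.

# Succeed only when an existing service principal is fully specified.
check_sp_inputs() {
  if [ -z "${ACS_SP_APP_ID:-}" ] || [ -z "${ACS_SP_SECRET:-}" ]; then
    echo "ACS_SP_APP_ID and ACS_SP_SECRET must both be set" >&2
    return 2
  fi
  # An AppId is a GUID; reject anything else before it reaches the CLI.
  if ! printf '%s\n' "$ACS_SP_APP_ID" | grep -Eq \
      '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
    echo "ACS_SP_APP_ID is not a GUID" >&2
    return 3
  fi
}

# Print an argument list with the value after --client-secret masked.
redacted_args() {
  out=""; mask=0
  for a in "$@"; do
    if [ "$mask" -eq 1 ]; then a="***"; mask=0
    elif [ "$a" = "--client-secret" ]; then mask=1; fi
    out="${out:+$out }$a"
  done
  printf '%s\n' "$out"
}

# Usage: acs_create <resource-group> <cluster-name> [extra az acs create flags]
acs_create() {
  if [ "$#" -lt 2 ]; then
    echo "usage: acs_create <resource-group> <name> [flags]" >&2
    return 1
  fi
  check_sp_inputs || return $?
  rg=$1; name=$2; shift 2
  set -- acs create --orchestrator-type=kubernetes \
    --resource-group "$rg" --name "$name" "$@" \
    --service-principal "$ACS_SP_APP_ID" --client-secret "$ACS_SP_SECRET"
  # Log the masked command; with ACS_DRY_RUN=1 stop here without calling az.
  printf 'az %s\n' "$(redacted_args "$@")"
  if [ "${ACS_DRY_RUN:-0}" = "1" ]; then return 0; fi
  az "$@"
}
```

Source the file and call `acs_create testrg test-nix-stg --generate-ssh-keys` with the two variables set in the environment rather than written into a script.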