Azure Devops 服务连接在远程网络上的 vnet 对等互连上失败,权限问题?
Azure Devops Service Connection failing on vnet peering on remote network, permissions issue?
运行 通过创建 vnet 对等互连的 Azure Devops 发布管道推出部署失败时出现错误。
我能够使用 New-AzResourceGroupDeployment 将部署作为我自己的帐户(具有跨两个订阅的权限)成功推出,并且部署没有任何问题。
我猜这是因为帐户在远程 vnet 中没有权限,因为它只与第一个订阅相关联。有人有解决这个问题的想法吗?
这是我从失败的部署中得到的编辑错误:
{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details.
Please see https://aka.ms/DeployOperations for usage details.",
"details":[{"code":"Forbidden","message":"{\r\n \"error\": {\r\n \"code\": \"LinkedAuthorizationFailed\",\r\n \"message\": \"The client 'myClientID' with object id 'myObjectID' has permission to perform action 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write' on scope '/subscriptions/mySubid/resourcegroups/mylocalResourceGroup/providers/Microsoft.Network/virtualNetworks/mylocalResourceGroup-vnet/virtualNetworkPeerings/mylocalResourceGroup-vnetTouks-myRemoteResourceGroup-vnet';
however, it does not have permission to perform action 'peer/action' on the linked scope(s) '/subscriptions/myRemoteSubId/resourceGroups/myremoteResourceGroup/providers/Microsoft.Network/virtualNetworks/myremoteResourceGroup-vnet' or the linked scope(s) are invalid.\"\r\n }\r\n}"}]}
不太确定如何在远程网络上授予本地用户组权限中的服务连接?
获得此 link 权限,但不确定如何将它们(网络贡献者)添加到服务连接
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#permissions
你可以grant user access to Azure resources using RBAC. Access control (IAM) is the blade that you use to assign roles to grant access to Azure resources. If you're using an account that has permissions to both subscriptions, you can use the same account for all steps in VNet to VNet peering refer to these steps https://docs.microsoft.com/en-us/azure/virtual-network/create-peering-different-subscriptions#portal
在门户网站上:
使用 Powershell:
# Assign UserB permissions to myVnetA.
New-AzRoleAssignment `
-SignInName UserB@azure.com `
-RoleDefinitionName "Network Contributor" `
-Scope /subscriptions/<SubscriptionA-Id>/resourceGroups/myResourceGroupA/providers/Microsoft.Network/VirtualNetworks/myVnetA
此外,要将用户帐户添加到不同 Azure AD 租户中的不同订阅,您需要先在该租户中 add the user as guest users。然后你可以授予用户权限。
运行 通过创建 vnet 对等互连的 Azure Devops 发布管道推出部署失败时出现错误。
我能够使用 New-AzResourceGroupDeployment 将部署作为我自己的帐户(具有跨两个订阅的权限)成功推出,并且部署没有任何问题。
我猜这是因为帐户在远程 vnet 中没有权限,因为它只与第一个订阅相关联。有人有解决这个问题的想法吗?
这是我从失败的部署中得到的编辑错误:
{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details.
Please see https://aka.ms/DeployOperations for usage details.",
"details":[{"code":"Forbidden","message":"{\r\n \"error\": {\r\n \"code\": \"LinkedAuthorizationFailed\",\r\n \"message\": \"The client 'myClientID' with object id 'myObjectID' has permission to perform action 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write' on scope '/subscriptions/mySubid/resourcegroups/mylocalResourceGroup/providers/Microsoft.Network/virtualNetworks/mylocalResourceGroup-vnet/virtualNetworkPeerings/mylocalResourceGroup-vnetTouks-myRemoteResourceGroup-vnet';
however, it does not have permission to perform action 'peer/action' on the linked scope(s) '/subscriptions/myRemoteSubId/resourceGroups/myremoteResourceGroup/providers/Microsoft.Network/virtualNetworks/myremoteResourceGroup-vnet' or the linked scope(s) are invalid.\"\r\n }\r\n}"}]}
不太确定如何在远程网络上授予本地用户组权限中的服务连接?
获得此 link 权限,但不确定如何将它们(网络贡献者)添加到服务连接 https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#permissions
你可以grant user access to Azure resources using RBAC. Access control (IAM) is the blade that you use to assign roles to grant access to Azure resources. If you're using an account that has permissions to both subscriptions, you can use the same account for all steps in VNet to VNet peering refer to these steps https://docs.microsoft.com/en-us/azure/virtual-network/create-peering-different-subscriptions#portal
在门户网站上:
使用 Powershell:
# Assign UserB permissions to myVnetA.
New-AzRoleAssignment `
-SignInName UserB@azure.com `
-RoleDefinitionName "Network Contributor" `
-Scope /subscriptions/<SubscriptionA-Id>/resourceGroups/myResourceGroupA/providers/Microsoft.Network/VirtualNetworks/myVnetA
此外,要将用户帐户添加到不同 Azure AD 租户中的不同订阅,您需要先在该租户中 add the user as guest users。然后你可以授予用户权限。