AZURE Terraform Service Principal authentication Error

I am trying to authenticate to Azure with a service principal and client secret using a Terraform script.

Here is my main.tf file:

# Configure the Azure provider
provider "azuread" {
  version = "~>0.8"
}

provider "azurerm" {
  subscription_id = "mysubscription_id"
  client_id       = "myclient_id"
  client_secret   = "myclient_secret"
  tenant_id       = "mytenant_id"
  version         = "2.0.0"
  features {}
}

resource "azurerm_resource_group" "rg" {
  name     = "aks-resource-group"
  location = "West Europe"
}

But the error is as follows:

│ Error: Error building account: Error getting authenticated object ID: Error listing Service Principals: autorest.DetailedError{Original:adal.tokenRefreshError{message:"adal: Refresh request failed. Status Code = '401'. Response body: {\"error\":\"invalid_client\",\"error_description\":\"AADSTS7000215: Invalid client secret is provided.\r\nTrace ID: 4f5e5cf8-0892-4d5e-8ac7-7646d91c2d00\r\nCorrelation ID: 5b25c027-0a8f-4c2f-a5d0-05a169afde02\r\nTimestamp: 2021-09-16 12:01:26Z\",\"error_codes\":[7000215],\"timestamp\":\"2021-09-16 12:01:26Z\",\"trace_id\":\"4f5e5cf8-0892-4d5e-8ac7-7646d91c2d00\",\"correlation_id\":\"5b25c027-0a8f-4c2f-a5d0-05a169afde02\",\"error_uri\":\"https://login.microsoftonline.com/error?code=7000215\"}", resp:(*http.Response)(0xc0007aa000)}, PackageType:"azure.BearerAuthorizer", Method:"WithAuthorization", StatusCode:401, Message:"Failed to refresh the Token for request to https://graph.windows.net/9ff0ada9-0070-48c3-bbdf-2655fe1387e6/servicePrincipals?%24filter=appId+eq+%278a10de4a-2cf6-42f6-91ca-7fc93ce89a5b%27&api-version=1.6", ServiceError:[]uint8(nil), Response:(*http.Response)(0xc0007aa000)}
│
│   with provider["registry.terraform.io/hashicorp/azurerm"],
│   on main.tf line 6, in provider "azurerm":
│    6: provider "azurerm" {

The Terraform version installed locally is Terraform v1.0.5. My local Azure CLI version is:

{
  "azure-cli": "2.27.2",
  "azure-cli-core": "2.27.2",
  "azure-cli-telemetry": "1.0.6",
  "extensions": {}
}

What is the cause of this?

Another solution is to create the service principal with the CLI command az ad sp create-for-rbac --sdk-auth, after first selecting the subscription in which it should be created for Terraform to use, with this command: az account set -s your subID.

As output you will then get all the details you need to use in Terraform.

Based on the information received above, you can use the details in your script as shown below:

provider "azuread" {

}

provider "azurerm" {
  subscription_id = "948d4068-xxxx-xxxxx-xxxxx-xxxxx"
  client_id       = "de461fde-xxxx-xxxx-xxxxxx"
  client_secret   = "ThZZqKQ7wxxxxxxxxxxxxxxxx"
  tenant_id       = "72f988bf--xxxx-xxxx-xxxx-xxxxxxx"
  features {}
}

resource "azurerm_resource_group" "rg" {
  name     = "aks-resource-group"
  location = "West Europe"
}

I see you have the error "Invalid client secret is provided".

Make sure you are using the client secret value and not the client secret ID in your Terraform code.

provider "azurerm" {
  client_secret   = "..."
}

Or try creating a new client secret and see if that works.

https://docs.microsoft.com/en-us/answers/questions/370508/getting-34invalid-client-secret-is-provided34-erro.html
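The two answers above together describe the fix: generate the credentials with az ad sp create-for-rbac --sdk-auth, and paste the client secret value, not its ID. The following Python script is an added example, not code from the question or from either answer. It takes a constructed sample in the shape of the --sdk-auth JSON output (keys clientId, clientSecret, subscriptionId, tenantId), maps it to the ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_SUBSCRIPTION_ID and ARM_TENANT_ID environment variables that the azurerm provider reads when the provider block omits them, rejects a clientSecret that has the GUID shape of a secret ID (the AADSTS7000215 case in the question), and scans a .tf file for a hardcoded client_secret. All function names and sample values are the example's own.

```python
import json
import re

# A client secret *ID* in the Azure portal is a GUID; the secret *value* is a longer
# random string. Pasting the ID into client_secret yields AADSTS7000215
# "Invalid client secret is provided".
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")

# Keys of `az ad sp create-for-rbac --sdk-auth` output mapped to the environment
# variables the azurerm provider reads when the provider block omits them.
SDK_AUTH_TO_ARM_ENV = {
    "clientId": "ARM_CLIENT_ID",
    "clientSecret": "ARM_CLIENT_SECRET",
    "subscriptionId": "ARM_SUBSCRIPTION_ID",
    "tenantId": "ARM_TENANT_ID",
}

# Matches `client_secret = "..."` in HCL; group 1 is the literal value.
HARDCODED_SECRET_RE = re.compile(r'^\s*client_secret\s*=\s*"([^"]*)"')


def check_client_secret(secret):
    """Return the problems found with a client_secret value (empty list = ok)."""
    problems = []
    if secret is None or secret.strip() == "":
        return ["client_secret is empty"]
    if GUID_RE.match(secret.strip()):
        problems.append("client_secret is a GUID, i.e. the secret ID, not the secret value")
    if secret != secret.strip():
        problems.append("client_secret has leading/trailing whitespace")
    return problems


def sdk_auth_to_env(sdk_auth_json):
    """Turn --sdk-auth JSON into the ARM_* variables, refusing a bad secret."""
    data = json.loads(sdk_auth_json)
    missing = [k for k in SDK_AUTH_TO_ARM_ENV if k not in data]
    if missing:
        raise ValueError("sdk-auth output is missing keys: " + ", ".join(missing))
    problems = check_client_secret(data["clientSecret"])
    if problems:
        raise ValueError("; ".join(problems))
    return {env: data[key] for key, env in SDK_AUTH_TO_ARM_ENV.items()}


def export_lines(env):
    """Render the variables as shell `export` lines (single-quoted, quote-safe)."""
    return ["export %s='%s'" % (k, v.replace("'", "'\\''")) for k, v in sorted(env.items())]


def find_hardcoded_secrets(tf_text):
    """Report (line number, problems) for every literal client_secret in a .tf file."""
    findings = []
    for lineno, line in enumerate(tf_text.splitlines(), start=1):
        m = HARDCODED_SECRET_RE.match(line)
        if m:
            problems = ["client_secret is hardcoded in the .tf file"] + check_client_secret(m.group(1))
            findings.append((lineno, problems))
    return findings


# Constructed sample in the shape of `az ad sp create-for-rbac --sdk-auth` output;
# every value is fake.
SAMPLE_SDK_AUTH = json.dumps({
    "clientId": "00000000-1111-2222-3333-444444444444",
    "clientSecret": "FakeSecretValue.NotAGuid~abcdefghijk",
    "subscriptionId": "55555555-6666-7777-8888-999999999999",
    "tenantId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
})

# Constructed main.tf with the secret *ID* pasted where the value belongs.
SAMPLE_MAIN_TF = """provider "azurerm" {
  client_id     = "00000000-1111-2222-3333-444444444444"
  client_secret = "12345678-abcd-ef01-2345-6789abcdef01"
  features {}
}
"""

if __name__ == "__main__":
    for line in export_lines(sdk_auth_to_env(SAMPLE_SDK_AUTH)):
        print(line)
    for lineno, problems in find_hardcoded_secrets(SAMPLE_MAIN_TF):
        print("main.tf:%d: %s" % (lineno, "; ".join(problems)))
```

With the variables exported, the provider block can be reduced to just `features {}`, which keeps the secret out of main.tf and therefore out of version control; the scanner is the check to run before committing a module that was first written the way the question shows.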