将 Azure 服务角色分配为服务主体
Assigning Azure service roles as a Service Principal
我创建了一个具有以下访问权限的服务主体:
Contributor 订阅角色Global administrator AAD 租户角色- 同意 Microsoft Graph API 权限:
- Group.Read.All
- User.Read.All
在使用此 SP 进行身份验证时,我正在尝试将 Azure 服务角色分配给 AAD 组。例如:
resource "azurerm_role_assignment" "storage_account_admin" {
scope = azurerm_storage_account.my_storage.id
role_definition_name = "Storage Blob Data Owner"
principal_id = data.azuread_group.my_group.object_id
}
尝试应用它时,Terraform 从 Azure 抛出授权错误:
The client '...' with object id '...' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/...' or the scope is invalid. If access was recently granted, please refresh your credentials.
我可以使用我的用户 Azure 帐户创建此资源,该帐户具有 Owner 角色。我是否需要将我的服务委托人提升到 Owner——这似乎有点危险——或者是否有更具体的方法来解决这个问题?
您收到此错误的原因是 Contributor 角色不包含 authorization 相关权限,如角色分配。
要修复此错误,请将 Owner 角色分配给您的服务主体,或将 User Access Administrator 角色添加到服务主体。
我创建了一个具有以下访问权限的服务主体:
Contributor订阅角色Global administratorAAD 租户角色- 同意 Microsoft Graph API 权限:
- Group.Read.All
- User.Read.All
在使用此 SP 进行身份验证时,我正在尝试将 Azure 服务角色分配给 AAD 组。例如:
resource "azurerm_role_assignment" "storage_account_admin" {
scope = azurerm_storage_account.my_storage.id
role_definition_name = "Storage Blob Data Owner"
principal_id = data.azuread_group.my_group.object_id
}
尝试应用它时,Terraform 从 Azure 抛出授权错误:
The client '...' with object id '...' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/...' or the scope is invalid. If access was recently granted, please refresh your credentials.
我可以使用我的用户 Azure 帐户创建此资源,该帐户具有 Owner 角色。我是否需要将我的服务委托人提升到 Owner——这似乎有点危险——或者是否有更具体的方法来解决这个问题?
您收到此错误的原因是 Contributor 角色不包含 authorization 相关权限,如角色分配。
要修复此错误,请将 Owner 角色分配给您的服务主体,或将 User Access Administrator 角色添加到服务主体。