How to assign read write permissions to an AD application to manage resources using resource management api with Azure java sdk
I am trying to connect to Azure Resource Manager API using java sdk. I have an AD application which has "Windows Service Management API" permissions enabled. When running the test samples, I am hitting the following error when performing get call on a specific resource group.
Exception in thread "main" com.microsoft.windowsazure.exception.ServiceException: AuthorizationFailed: The client '1111-5a7b-4384-9fee-3a593a8c6875' with object id '1111115-5a7b-4384-9fee-3a593a8c6875' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over scope '/subscriptions/zzzzzzzzzzzz-ae67-ed0926abfe0d/resourcegroups/Group'.
at com.microsoft.windowsazure.exception.ServiceException.createFromJson
How to assign read write permissions to the application in an AD which is used to connect to resource management API?
As @Gaurav Mantri said, the easiest way for assigning reader role for your ad app is using Azure Preview Portal if running the sample ServicePrincipalExample at https://github.com/Azure/azure-sdk-for-java/blob/master/azure-mgmt-samples/src/main/java/com/microsoft/azure/samples/authentication/ServicePrincipalExample.java .
For complete details to do it, please see below.
According to the picture above, the steps are as follows:
Resource groups.
settings button.
Users button.
Add button.
Select a role and select the Reader role.
Add users button, input the ad app name in the search field and select the ad app to click the select button.
OK button in the Add access tab page.
Now you can run the sample again, and it returns the correct result without errors.
Besides Azure PowerShell, you can also use the Azure CLI to do it.
azure login
azure config mode arm
azure role assignment create --objectId <objectId> -o Reader -c /subscriptions/<subscriptionId>/
Note: For the object Id, you can run
azure ad sp show --search <ad-app-name>
to show it.
Then, run the sample again without errors.
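Added example, not part of the original answers: a shell sketch that reads the AuthorizationFailed message from the question and prints the `azure role assignment create` command shown above for the object id at the exact scope named in the error, which is the resource group rather than the whole subscription. The function names are hypothetical, the error text is the question's own redacted sample, and only `*/read` actions are mapped to Reader; anything else is refused so the role is chosen by hand.

```bash
#!/bin/sh
# Constructed sample input: the error text from the question, with its redacted IDs.
ERR="AuthorizationFailed: The client '1111-5a7b-4384-9fee-3a593a8c6875' with object id '1111115-5a7b-4384-9fee-3a593a8c6875' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over scope '/subscriptions/zzzzzzzzzzzz-ae67-ed0926abfe0d/resourcegroups/Group'."

# field LABEL TEXT: print the single-quoted value that follows LABEL in TEXT.
field() {
  printf '%s\n' "$2" | sed -n "s/.*$1 '\([^']*\)'.*/\1/p"
}

# safe VALUE: succeed only for non-empty values made of characters that are
# harmless on a command line (the error text is untrusted input).
safe() {
  case "$1" in
    ''|*[!A-Za-z0-9/_.-]*) return 1 ;;
  esac
}

# role_for_action ACTION: map a denied action to the role used on this page.
# Only read actions get Reader; write/delete actions are left to a human.
role_for_action() {
  case "$1" in
    */read) echo "Reader" ;;
    *) return 1 ;;
  esac
}

# suggest_assignment ERROR_TEXT: print the role assignment command scoped to
# exactly what the error names. Returns 2 on unparseable input, 1 when the
# denied action is not read-only.
suggest_assignment() {
  oid=$(field "object id" "$1")
  action=$(field "perform action" "$1")
  scope=$(field "over scope" "$1")
  safe "$oid" && safe "$action" && safe "$scope" || {
    echo "could not parse a clean object id, action and scope" >&2
    return 2
  }
  role=$(role_for_action "$action") || {
    echo "action '$action' is not read-only; choose the role manually" >&2
    return 1
  }
  printf 'azure role assignment create --objectId %s -o %s -c %s\n' \
    "$oid" "$role" "$scope"
}

suggest_assignment "$ERR"
```

The printed command is for review before it is run; it is not executed by the script.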
What you would need to do is assign your application Reader role in your Azure Subscription. This you could do programmatically using ARM API or you could use Azure PowerShell to do that.
However the easiest for you would be to assign role using Azure Preview Portal. You may find this link useful for assigning roles using Preview Portal: https://azure.microsoft.com/en-in/documentation/articles/role-based-access-control-configure/ .