az acr list - 永远不会返回服务主体的任何值
[英]az acr list - never returns any value for service principal
问题描述
I have an existing service principal, to which I assign the "acrpull" role for a newly crated ACR. 
我有一个现有的服务主体,我为新装箱的ACR分配了“acrpull”角色。 I do this by the command: 我通过命令执行此操作:
az role assignment create --assignee {application id} --role acrpull --scope {id value as returned by the command az acr list}
I get the response: 我收到了回复:
The role assignment already exists.
Now, I login with my service principal credentials: 现在,我使用我的服务主体凭据登录:
az login --service-principal -u {application id} -p {password} --tenant {tenant ID}
Now if I execute: az acr list, I expect to see my ACR listed. 现在,如果我执行:az acr list,我希望看到我的ACR列出。 Instead I always see '[]' . 相反,我总是看到'[]' 。 Any idea, what might be the issue? 任何想法,可能是什么问题?
2 个解决方案
解决方案1
0 2019-04-26 20:24:41
You are specifying the app id as the --assignee when you should specify the user/group and not specifying the --scope parameter, which is where you'd pass your app id in the form of /subscriptions/1234/resourceGroups/MyResourceGroup/providers/Microsoft.ContainerRegistry/registries/MyRegistry. 当您指定用户/组而不指定--scope参数时,您将应用程序ID指定为--assignee,这是您以/ subscriptions / 1234 / resourceGroups / MyResourceGroup的形式传递应用程序ID的位置/providers/Microsoft.ContainerRegistry/registries/MyRegistry。 Have a look at the parameters here . 看看这里的参数。
This is more intuitive in the portal. 这在门户网站中更直观。
解决方案2
0 2019-04-27 15:24:33
that is because you need read permission to list resources, you only have permission to pull images from ACR, not read it. 这是因为您需要读取权限才能列出资源,您只有从ACR中提取图像的权限,而不是读取它。 should you attempt to pull image from that ACR using this credential - it would work. 如果您尝试使用此凭据从该ACR中提取图像 - 它会起作用。 if you want to list them - assign read permissions to that ACR. 如果要列出它们 - 为该ACR分配读取权限。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.