How to create Azure Network Security Group via Python SDK
I'm using Azure Python SDK to deploy Azure VM. I can create VM with Network Security Group without any issue via the Azure portal. However, I failed to create a Network Security Group by using API like:
async_nsg_create = network_client.network_security_groups.begin_create_or_update(
    GROUP_NAME,
    NSG_NAME,
    nsg_parameters
)
It always complains that I "does not have authorization to perform action 'Microsoft.Network/networkSecurityGroups/write'". However, I can create a Network Security Group via the Azure portal by clicking "create a resource" or add new source in Resource Group.
I suspect I may have to create NSG via ResourceManagementClient, but I couldn't find any useful info in API doc: https://docs.microsoft.com/en-us/python/api/azure-mgmt-resource/azure.mgmt.resource.resourcemanagementclient?view=azure-python#models-api-version--2020-06-01--
I checked the solution in this issue, but failed at step:
resource_client.providers.register('Microsoft.Compute')
and it complains: "does not have authorization to perform action 'Microsoft.Compute/register/action'"
The error means your client does not have the permission to do the operations; you need to add it as an RBAC role in your resource group/subscription.
However, I can create a Network Security Group via the Azure portal by clicking "create a resource" or add new source in Resource Group.
In the portal, you are using the account logged in the portal; if you are using the code here, it uses the credentials of the service principal, which is different.
Here is a complete sample that works for me; follow the steps below.
1. Register an application with Azure AD and create a service principal.
2. Get values for signing in and create a new application secret.
3. Navigate to the resource group or the subscription -> Access control (IAM) -> Add -> add service principal of the AD App as an RBAC role, e.g. Contributor; for details, follow this.
4. Then use the code below.
from azure.identity import ClientSecretCredential
from azure.mgmt.network import NetworkManagementClient
from azure.mgmt.network.v2020_06_01.models import NetworkSecurityGroup
from azure.mgmt.network.v2020_06_01.models import SecurityRule

# Service principal values from steps 1-2
tenant_id = "<tenant-id>"
client_id = "<client-id>"
client_secret = "<client-secret>"
subscription_id = "<subscription-id>"

credential = ClientSecretCredential(tenant_id, client_id, client_secret)
network_client = NetworkManagementClient(credential, subscription_id)

resource_group_name = "<group-name>"
nsg_name = "testnsg"
nsg_params = NetworkSecurityGroup(id="testnsg", location="UK South", tags={"name": "testnsg"})

# begin_create_or_update returns a poller; result() blocks until the operation completes
nsg = network_client.network_security_groups.begin_create_or_update(resource_group_name, nsg_name, parameters=nsg_params)
print(nsg.result().as_dict())
5. Check in the portal.
Update:
If you want to use the user account, you just need to use AzureCliCredential.
1. Install the Azure CLI, then log in to your account with az login in a local terminal, e.g. PowerShell.
2. After login, change the code like below and run it.
# AzureCliCredential reuses the account signed in with `az login`
from azure.identity import AzureCliCredential
from azure.mgmt.network import NetworkManagementClient
from azure.mgmt.network.v2020_06_01.models import NetworkSecurityGroup
from azure.mgmt.network.v2020_06_01.models import SecurityRule

subscription_id = "<subscription-id>"

credential = AzureCliCredential()
network_client = NetworkManagementClient(credential, subscription_id)

resource_group_name = "<group-name>"
nsg_name = "testnsg"
nsg_params = NetworkSecurityGroup(id="testnsg", location="UK South", tags={"name": "testnsg"})

# begin_create_or_update returns a poller; result() blocks until the operation completes
nsg = network_client.network_security_groups.begin_create_or_update(resource_group_name, nsg_name, parameters=nsg_params)
print(nsg.result().as_dict())
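As an added example (not part of the original question or answer): the code below pulls the denied operation out of the error text quoted in the question and checks which role definitions would grant it, using Azure RBAC's Actions-minus-NotActions rule with wildcard matching. The role permission lists are abridged and constructed for illustration, and all function names are hypothetical.

```python
import re

# Abridged permission sets of three built-in roles (constructed for this example;
# confirm the live definitions with `az role definition list --name "<role>"`).
ROLES = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Network Contributor": {
        "actions": ["Microsoft.Network/*", "Microsoft.Authorization/*/read",
                    "Microsoft.Resources/deployments/*"],
        "notActions": []},
    "Contributor": {
        "actions": ["*"],
        "notActions": ["Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/elevateAccess/Action"]},
}

ACTION_RE = re.compile(r"perform action '([^']+)'")

def denied_action(error_text):
    """Extract the operation name from an authorization error message."""
    m = ACTION_RE.search(error_text)
    return m.group(1) if m else None

def _matches(pattern, action):
    # Action patterns use '*' as a wildcard and are compared case-insensitively.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def role_allows(role, action):
    """Effective permission = Actions minus NotActions (deny assignments not modelled)."""
    allowed = any(_matches(p, action) for p in role["actions"])
    excluded = any(_matches(p, action) for p in role["notActions"])
    return allowed and not excluded

def roles_granting(error_text, roles=ROLES):
    """Names of the roles whose definition would permit the denied operation."""
    action = denied_action(error_text)
    if action is None:
        return []
    return [name for name, role in roles.items() if role_allows(role, action)]

if __name__ == "__main__":
    # Error fragment quoted in the question above.
    err = "does not have authorization to perform action 'Microsoft.Network/networkSecurityGroups/write'"
    print(denied_action(err), "->", roles_granting(err))
```

With these abridged definitions, a network-scoped role is enough for the NSG write, while the provider registration step from the question is only granted by the broader role.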
Statement: The technical posts on this site follow the CC BY-SA 4.0 license; if you need to repost, please credit this site's URL or the original address.