
How to create Azure Network Security Group via Python SDK

I'm using the Azure Python SDK to deploy an Azure VM. I can create a VM with a Network Security Group without any issue via the Azure portal. However, I failed to create a Network Security Group by using the API like:

async_nsg_create=network_client.network_security_groups.begin_create_or_update(
    GROUP_NAME,
    NSG_NAME,
    nsg_parameters
)

It always complains that I "does not have authorization to perform action 'Microsoft.Network/networkSecurityGroups/write'". However, I can create a Network Security Group via the Azure portal by clicking "create a resource" or adding a new resource in the Resource Group. I suspect I may have to create the NSG via ResourceManagementClient, but I couldn't find any useful info in the API doc: https://docs.microsoft.com/en-us/python/api/azure-mgmt-resource/azure.mgmt.resource.resourcemanagementclient?view=azure-python#models-api-version--2020-06-01--

I checked the solution in this issue: enter link description here , but failed at the step resource_client.providers.register('Microsoft.Compute'), and it complains: "does not have authorization to perform action 'Microsoft.Compute/register/action'"

The error means your client does not have permission to do the operations; you need to add it as an RBAC role in your resource group/subscription.

However, I can create a Network Security Group via the Azure portal by clicking "create a resource" or adding a new resource in the Resource Group.

In the portal, you are using the account logged in to the portal; if you are using the code here , it uses the credentials of the service principal, which is different.


Here is a complete sample that works for me; follow the steps below.

1. Register an application with Azure AD and create a service principal .

2. Get values for signing in and create a new application secret .

3. Navigate to the resource group or the subscription -> Access control (IAM) -> Add -> add the service principal of the AD App as an RBAC role, e.g. Contributor ; for details follow this .

4. Then use the code below.

from azure.identity import ClientSecretCredential
from azure.mgmt.network import NetworkManagementClient
from azure.mgmt.network.v2020_06_01.models import NetworkSecurityGroup

# Values from step 2 (app registration) and your subscription.
tenant_id = "<tenant-id>"
client_id = "<client-id>"
client_secret = "<client-secret>"
subscription_id = "<subscription-id>"

# Service principal credentials; the principal needs a role (e.g. Contributor)
# on the resource group or subscription, otherwise the write action is denied.
credential = ClientSecretCredential(tenant_id, client_id, client_secret)
network_client = NetworkManagementClient(credential, subscription_id)

resource_group_name = "<group-name>"
nsg_name = "testnsg"

nsg_params = NetworkSecurityGroup(id=nsg_name, location="UK South", tags={"name": nsg_name})
# begin_create_or_update returns a poller; .result() waits for the ARM operation to finish.
nsg = network_client.network_security_groups.begin_create_or_update(resource_group_name, nsg_name, parameters=nsg_params)
print(nsg.result().as_dict())


5. Check in the portal:


Update:

If you want to use the user account, you just need to use AzureCliCredential .

1. Install the Azure CLI , then log in to your account with az login in a local terminal, e.g. PowerShell.

2. After login, change the code like below and run it.

from azure.identity import AzureCliCredential
from azure.mgmt.network import NetworkManagementClient
from azure.mgmt.network.v2020_06_01.models import NetworkSecurityGroup

subscription_id = "<subscription-id>"

# Reuses the user session created by `az login`, so the portal user's RBAC
# assignments apply instead of a service principal's.
credential = AzureCliCredential()
network_client = NetworkManagementClient(credential, subscription_id)

resource_group_name = "<group-name>"
nsg_name = "testnsg"

nsg_params = NetworkSecurityGroup(id=nsg_name, location="UK South", tags={"name": nsg_name})
nsg = network_client.network_security_groups.begin_create_or_update(resource_group_name, nsg_name, parameters=nsg_params)
print(nsg.result().as_dict())
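The answer above creates an empty NSG and imports SecurityRule without using it, and the question turns on reading the AuthorizationFailed message correctly. The following is an added example, not code from the question or answer: it extracts the ARM action named in such an error (the string a role assignment must grant), builds the begin_create_or_update body with security rules as plain dicts, and lints the rules for inbound Allow entries open to any source before anything is submitted. It assumes the SDK accepts dicts with the same field names as NetworkSecurityGroup/SecurityRule (so it runs without azure-mgmt-network installed); SAMPLE_ERROR and the 203.0.113.0/24 prefix are constructed values.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample in the shape of the AuthorizationFailed text quoted in the
# question; the client name and object id are placeholders, not real values.
SAMPLE_ERROR = (
    "AuthorizationFailed: The client 'app@example.com' with object id "
    "'00000000-0000-0000-0000-000000000000' does not have authorization to "
    "perform action 'Microsoft.Network/networkSecurityGroups/write' over scope "
    "'/subscriptions/<subscription-id>/resourceGroups/<group-name>' or the scope is invalid."
)

_ACTION_RE = re.compile(r"does not have authorization to perform action '([^']+)'")


def missing_action(error_message: str) -> Optional[str]:
    """Return the ARM action named in an AuthorizationFailed message, or None.

    That action is what the role assigned on the resource group or subscription
    must include (the Contributor role does include it).
    """
    match = _ACTION_RE.search(error_message)
    return match.group(1) if match else None


def security_rule(name: str, direction: str, access: str, port: str,
                  source_prefix: str = "*", priority: int = 100) -> Dict[str, Any]:
    """One NSG rule as a dict using the SDK's SecurityRule field names (assumed equivalent)."""
    return {
        "name": name,
        "protocol": "Tcp",
        "direction": direction,            # "Inbound" or "Outbound"
        "access": access,                  # "Allow" or "Deny"
        "priority": priority,              # 100-4096; lower number is evaluated first
        "source_address_prefix": source_prefix,
        "source_port_range": "*",
        "destination_address_prefix": "*",
        "destination_port_range": port,
    }


def build_nsg_parameters(location: str, rules: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Body for network_security_groups.begin_create_or_update(group, name, parameters=...).

    Assumption: the SDK accepts a dict with these keys in place of
    NetworkSecurityGroup(location=..., security_rules=[SecurityRule(...)]).
    """
    priorities = [r["priority"] for r in rules]
    if len(priorities) != len(set(priorities)):
        raise ValueError("NSG rule priorities must be unique within one group")
    return {"location": location, "security_rules": rules}


ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}
WIDE_OPEN_PORTS = {"*", "22", "3389"}   # all ports, SSH, RDP


def risky_rules(nsg_parameters: Dict[str, Any]) -> List[str]:
    """Names of inbound Allow rules reachable from any source on all ports or admin ports."""
    return [
        r["name"] for r in nsg_parameters.get("security_rules", [])
        if r["direction"] == "Inbound" and r["access"] == "Allow"
        and r["source_address_prefix"] in ANY_SOURCE
        and r["destination_port_range"] in WIDE_OPEN_PORTS
    ]


if __name__ == "__main__":
    params = build_nsg_parameters("UK South", [
        security_rule("allow-https", "Inbound", "Allow", "443", priority=100),
        security_rule("allow-ssh-anywhere", "Inbound", "Allow", "22", priority=110),
        security_rule("allow-ssh-office", "Inbound", "Allow", "22", "203.0.113.0/24", priority=120),
    ])
    print("rules to review before submitting:", risky_rules(params))
    print("action the RBAC role must grant:", missing_action(SAMPLE_ERROR))
```

Running the lint before calling begin_create_or_update catches the common mistake of shipping an NSG that allows SSH or RDP from the whole Internet; the extracted action string tells you which permission the role assignment from step 3 is missing.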
