[英]With MS Graph API, how do I force my programmatically created Service Principals, MSIs, and IaC code to be scoped to my subscription only?
Active Directory Graph API is now fully deprecated, in favor of MS Graph API. Active Directory Graph API 现已完全弃用,取而代之的是 MS Graph API。
My company has given me my own Visual Studio Professional subscription.我的公司为我提供了自己的 Visual Studio Professional 订阅。 I also have a DevOps organization.
我还有一个 DevOps 组织。 I am the Owner role in both.
我是两者的所有者角色。
with AADG API, I could use Terraform, for example, to create Service Principals and manage roles.使用 AADG API,我可以使用 Terraform,例如,创建服务主体和管理角色。 Service Connections in DevOps were scoped to my subscription.
DevOps 中的服务连接仅限于我的订阅。
Example:例子:
## These are in my resource group
...
resource "azuread_service_principal" "example" {
application_id = azuread_application.example.application_id
app_role_assignment_required = false
owners = [data.azuread_client_config.current.object_id]
}
...
resource "azurerm_role_assignment" "kubweb_to_acr" {
scope = azurerm_container_registry.acr.id
role_definition_name = "AcrPull"
principal_id = azurerm_kubernetes_cluster.kubweb.kubelet_identity[0].object_id
}
This used to work great.这曾经很好用。 Now it does not.
现在它没有。 Now I get errors like:
现在我收到如下错误:
Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '3520c717-e1cc-4d0b-b021-2f93a1b05d80' with object id '3520c717-e1cc-4d0b-b021-2f93a1b05d80' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write
and和
ApplicationsClient.BaseClient.Post(): unexpected status 403 with OData
│ error: Authorization_RequestDenied: Insufficient privileges to complete the
│ operation.
Even though I own my subscription, there is a parent organization above me.尽管我拥有我的订阅,但在我之上有一个上级组织。 My SPs get scoped to their AD where I can't manage them.
我的 SP 仅限于我无法管理的 AD。 I can't use "Grant Admin Consent" through MS Graph API. Also, in DevOps, when I create an ARM Service Connection, for example, I scope it to my Subscription.
我无法通过 MS Graph API 使用“Grant Admin Consent”。另外,在 DevOps 中,当我创建 ARM 服务连接时,例如,我将它 scope 到我的订阅。 It never scopes to my subscription, but the parent's, and I can't change its permissions.
它从不限定我的订阅范围,而是父订阅的范围,我无法更改其权限。
How do I alter my development or scope my resources so that I don't have to defer to parent organization?我如何改变我的发展或 scope 我的资源,这样我就不必服从上级组织?
What role do they need to give me so I don't have to involve them?他们需要给我什么角色,这样我就不必让他们参与进来?
I'm already the owner of my subscription.我已经是订阅的所有者。 How do I create these types of resources in a way that I have full control over managing them again?
我如何以完全控制再次管理它们的方式创建这些类型的资源?
Side-note, it's interesting.旁注,这很有趣。 I can use Azure CLI and run the same commands via terminal, and I have no problems creating or altering resources.
我可以使用 Azure CLI 并通过终端运行相同的命令,而且我可以毫无问题地创建或更改资源。 The same commands
az ad sp create-for-rbac
don't throw any errors at all, and it's using the same permissions and scope defined in the pipelines.相同的命令
az ad sp create-for-rbac
根本不会引发任何错误,并且它使用相同的权限和管道中定义的 scope。
Both errors you show are due to the service principal that Terraform is running as has not been authorized to perform the action in question.您显示的两个错误都是由于 Terraform 正在运行的服务主体未被授权执行相关操作。 (From the Azure role assignment error, we can know this is the service principal with object ID "3520c717-e1cc-4d0b-b021-2f93a1b05d80".)
(从Azure角色分配错误,我们可以知道这是object ID为“3520c717-e1cc-4d0b-b021-2f93a1b05d80”的服务主体。)
How do I alter my development or scope my resources so that I don't have to defer to parent organization?
我如何改变我的发展或 scope 我的资源,这样我就不必服从上级组织?
You could have an entirely separate Azure AD tenant (where you'd be administrator), and point the Azure subscription to trust that tenant.您可以拥有一个完全独立的 Azure AD 租户(您将成为管理员),并将 Azure 订阅指向信任该租户。 This may or may not be compatible with your organization's policies and practices.
这可能符合也可能不符合您组织的政策和惯例。
I'm already the owner of my subscription.
我已经是订阅的所有者。 How do I create these types of resources in a way that I have full control over managing them again?
我如何以完全控制再次管理它们的方式创建这些类型的资源?
Azure AD applications and service principals are not a part of your Azure subscription, they're in the "parent" Azure AD tenant. Azure AD 应用程序和服务主体不是您的 Azure 订阅的一部分,它们在“父”Azure AD 租户中。 You (the user) probably do have permission over these objects (eg you're owner of them in Azure AD), but Terraform isn't running as you—it's running as a separate service principal.
您(用户)可能确实拥有这些对象的权限(例如,您在 Azure AD 时是它们的所有者),但是 Terraform 并不像您一样运行——它作为单独的服务主体运行。
Side-note, it's interesting.
旁注,这很有趣。 I can use Azure CLI and run the same commands via terminal, and I have no problems creating or altering resources.
我可以使用 Azure CLI 并通过终端运行相同的命令,而且我可以毫无问题地创建或更改资源。 The same commands az ad sp create-for-rbac don't throw any errors at all, and it's using the same permissions and scope defined in the pipelines.
相同的命令 az ad sp create-for-rbac 根本不会引发任何错误,并且它使用相同的权限和管道中定义的 scope。
You're probably connecting to Azure CLI as yourself (ie your user account), instead of the service principal Terraform is using.您可能以您自己的身份(即您的用户帐户)连接到 Azure CLI,而不是 Terraform 正在使用的服务主体。 If you connect to Azure CLI using the same service principal (eg
az login --service-principal...
), you'd likely experience the same errors, because that service principal hasn't been granted privileges over the Azure AD tenant and the Azure subscription yet.如果您使用相同的服务主体(例如
az login --service-principal...
)连接到 Azure CLI,您可能会遇到相同的错误,因为该服务主体尚未被授予对 Azure AD 租户的特权,并且Azure 订阅还没。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.