Permissions to change Azure VM Local Admin Password using App Registration
I found this answer, in which the author shows how to change the local admin password on a VM. I would like to know how to make this request using an App Registration account from Active Directory. What permissions do I need to grant this App Registration (and how)?
I am using MSAL to obtain the access token like this (in Python):
import logging
import msal

def az_get_access_token(client_id, authority, secret, default_scope):
    # Create a preferably long-lived app instance which maintains a token cache.
    app = msal.ConfidentialClientApplication(
        client_id,
        authority=authority,
        client_credential=secret,
        # token_cache=...  # Default cache is in memory only.
        # To learn how to use SerializableTokenCache from
        # https://msal-python.rtfd.io/en/latest/#msal.SerializableTokenCache
    )
    # Get access token: try the cache first, then the client-credentials flow
    result = app.acquire_token_silent(scopes=[default_scope], account=None)
    if not result:
        logging.debug("No suitable token exists in cache. Let's get a new one from AAD.")
        result = app.acquire_token_for_client(scopes=[default_scope])
    if 'access_token' not in result:
        logging.error('Azure error: %s, description: %s' % (result['error'], result['error_description']))
        raise Exception
    access_token = result['access_token']  # JWT access token
    return access_token
Then I call the REST API like this:
import json
import requests

access_token = az_get_access_token(client_id, authority, app_secret, default_scope)
vm_pwd_change_payload = {
    'properties': {
        'publisher': 'Microsoft.Compute',
        'type': 'VMAccessAgent',
        'typeHandlerVersion': '2.0',
        'autoUpgradeMinorVersion': True,
        'settings': {
            'UserName': local_admin_user_name
        },
        'protectedSettings': {
            'Password': local_admin_new_password
        }
    },
    'location': "West US"
}
vm_pwd_update_change_resp = requests.put(
    'https://management.azure.com/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/virtualMachines/%s?api-version=2020-12-01' % (subscriptionId, resourceGroupName, vmName),
    headers={
        'Authorization': 'Bearer ' + access_token,
        'Content-Type': 'application/json'
    },
    data=json.dumps(vm_pwd_change_payload)
)
if not vm_pwd_update_change_resp.ok:
    print("Reason: %s" % vm_pwd_update_change_resp.reason)
    print("\t%s" % vm_pwd_update_change_resp.text)
else:
    print("CHANGED!!!!!!")
(Also, I am not sure what to use for the scope and the authority.)
Set https://login.microsoftonline.com/{tenant id} as the authority and https://management.azure.com/.default as the scope.
For the permissions: since the application permission for the Azure REST API is not available in the App Registration (it is greyed out), we can assign an RBAC role to the App Registration account instead. The detailed steps are here.
Find the VM -> Access Control -> Add -> Add role assignment -> select a role (for example Contributor) and enter the name of your App Registration.
As you found, after that you have to change the URL to the following: https://management.azure.com/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/virtualMachines/%s/extensions/enablevmaccess?api-version=2020-12-01.
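As an added example (not code from the question or the answer), the following puts the answer's pieces together: the single-tenant authority, the ARM `.default` scope, and the PUT against the VM's `enablevmaccess` extension resource rather than the VM itself. It also adds a local sanity check that a token was actually issued for the management endpoint before it is sent, which catches a wrong authority or scope early. Tenant, subscription, resource group and VM names are placeholders.

```python
import base64
import json

# Constructed example, not code from the question or the answer.
# Scope from the answer: the .default scope of the Azure Resource Manager API.
MANAGEMENT_SCOPE = "https://management.azure.com/.default"
# Audience values ARM tokens are issued with (the trailing slash varies).
MANAGEMENT_AUDIENCES = ("https://management.azure.com/", "https://management.azure.com")


def build_authority(tenant_id):
    """Single-tenant authority for the client-credentials flow, as in the answer."""
    return "https://login.microsoftonline.com/%s" % tenant_id


def build_vmaccess_request(subscription_id, resource_group, vm_name,
                           location, user_name, new_password):
    """URL and body for the enablevmaccess extension PUT from the answer.

    The PUT targets the extension resource under the VM, not the VM resource
    as in the question's code. Never log the body: protectedSettings carries
    the new password in clear text inside the request.
    """
    url = ("https://management.azure.com/subscriptions/%s/resourceGroups/%s"
           "/providers/Microsoft.Compute/virtualMachines/%s"
           "/extensions/enablevmaccess?api-version=2020-12-01"
           % (subscription_id, resource_group, vm_name))
    body = {
        "location": location,
        "properties": {
            "publisher": "Microsoft.Compute",
            "type": "VMAccessAgent",
            "typeHandlerVersion": "2.0",
            "autoUpgradeMinorVersion": True,
            "settings": {"UserName": user_name},
            "protectedSettings": {"Password": new_password},
        },
    }
    return url, body


def _b64url(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_audience_ok(access_token, accepted=MANAGEMENT_AUDIENCES):
    """Local check that the token was issued for ARM: payload only, no signature
    verification, so it is a pre-flight sanity check, not authentication."""
    try:
        claims = json.loads(_b64url(access_token.split(".")[1]))
    except (IndexError, ValueError):  # binascii.Error is a ValueError
        return False
    return isinstance(claims, dict) and claims.get("aud") in accepted


# Constructed unsigned token, used only to exercise the check above.
SAMPLE_TOKEN = "eyJhbGciOiJub25lIn0.%s.sig" % base64.urlsafe_b64encode(
    json.dumps({"aud": "https://management.azure.com/", "appid": "<app-id>"}).encode()
).decode().rstrip("=")
```

A 403 on this PUT with a valid ARM token usually means the role assignment on the VM from the answer is missing or has not propagated yet.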