堆棧內存溢出
  簡體   English   中英

Azure自動化:來自不同租戶的服務主體帳戶進行身份驗證,但不返回服務主體

[英]Azure Automation: Service Principal account from different tenant authenticates but doesn't return service principal

 原文  2018-06-05 03:47:28       azure/ azure-powershell/ azure-automation/ azure-rm

問題描述

我在其他租戶的訂閱上執行運行手冊時遇到問題。

到目前為止,這是我所做的:

1)創建了一個密鑰庫證書。
2)導出證書的.cer和.PFX。
3)在rpgorch-aad帳戶(300eab96-4619-4b6b-af42-8eb66506ab04)上創建了服務主體
4)使用該服務主體的信息在Automation中創建一個連接
5)將受密碼保護的PFX上傳到自動化證書存儲

首先,來自同一租戶的工作示例: 

    $connectionName = 'AzureRunasConnection'
"Getting Azure Connection $connectionName"
$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName         
"Logging in to Azure using Add-AzureRmAccount"
Add-AzureRmAccount -ServicePrincipal `
    -Tenant $servicePrincipalConnection.TenantID `
    -ApplicationId $servicePrincipalConnection.ApplicationId `
    -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint -Verbose

"Setting Context with Set-AzureRmContext"
Set-AzureRmContext -Tenant $servicePrincipalConnection.TenantID -SubscriptionId $servicePrincipalConnection.SubscriptionId -Verbose
"Writing Output of the Service Principal Connection"
 write-output $servicePrincipalConnection

"Testing getting resource groups."
Get-AzureRmResourceGroup

結果: 

Getting Azure Connection AzureRunasConnection  
Logging in to Azure using Add-AzureRmAccount  

PSComputerName        : localhost  
PSSourceJobInstanceId : Redacted  
Environments          : {AzureCloud, AzureChinaCloud, AzureUSGovernment}  
Context               : Microsoft.Azure.Commands.Profile.Models.PSAzureContext  

Setting Context with Set-AzureRmContext  
PSComputerName        : localhost  
PSSourceJobInstanceId : Redacted  
Account               : Redacted  
Environment           : AzureCloud  
Subscription          : Redacted  
Tenant                : Redacted  

Writing Output of the Service Principal Connection  

Name                           Value                                                                                    
----                           -----                                                                                    
SubscriptionId                 Redacted                                                     
TenantId                       Redacted                                                     
ApplicationId                  Redacted                                                     
CertificateThumbprint          Redacted                                                 


Testing getting resource groups.

PSComputerName        : localhost  
PSSourceJobInstanceId : Redacted  
ResourceGroupName     : Redacted  
Location              : eastus  
Resources             :   
ResourcesTable        :   
ProvisioningState     : Succeeded  
Tags                  : {}  
TagsTable             :   
ResourceId            : /subscriptions/Redacted/resourceGroups/Redacted

現在是相同的代碼,但適用於其他租戶。 

$connectionName = 'Redacted'
"Getting Azure Connection"  
$connectionName

$Conn = Get-AutomationConnection -Name $connectionName 

"Logging in to Azure using Add-AzureRmAccount"
Add-AzureRmAccount -ServicePrincipal `
    -Tenant $Conn.TenantID `
    -ApplicationId $Conn.ApplicationId `
    -CertificateThumbprint $Conn.CertificateThumbprint -Verbose

"Setting Context with Set-AzureRmContext"
Set-AzureRmContext -Tenant $Conn.TenantID -SubscriptionId $Conn.SubscriptionId -Verbose

"Selecting subscriptionID "
$Conn.SubscriptionID
Select-AzureSubscription -SubscriptionId $Conn.SubscriptionID 

"Testing getting resource groups."
Get-AzureRmResourceGroup

結果: 

Getting Azure Connection
RPGOrchResourceManagement

Logging in to Azure using Add-AzureRmAccount

Results: 
PSComputerName        : localhost
PSSourceJobInstanceId : Redacted
Environments          : {AzureCloud, AzureChinaCloud, AzureUSGovernment}
Context               : Microsoft.Azure.Commands.Profile.Models.PSAzureContext

              Setting Context with Set-AzureRmContext
Set-AzureRmContext : Provided subscription Redacted does not exist
At ManageSingleVM:52 char:52
+ 
    + CategoryInfo          : CloseError: (:) [Set-AzureRmContext], ArgumentException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.SetAzureRMContextCommand

PSComputerName        : localhost
PSSourceJobInstanceId : Redacted
Environments          : {AzureCloud, AzureChinaCloud, AzureUSGovernment}
Context               : Microsoft.Azure.Commands.Profile.Models.PSAzureContext

              Setting Context with Set-AzureRmContext
Set-AzureRmContext : Provided subscription Redacted does not exist
At ManageSingleVM:52 char:52
+ 
    + CategoryInfo          : CloseError: (:) [Set-AzureRmContext], ArgumentException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.SetAzureRMContextCommand

1 個解決方案

解決方案1
 0 已采納  2018-06-07 02:56:27

我想出了答案。 對於其他用戶,我需要在Application ID上運行以下命令: 

        New-AzureRMRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $ApplicationId | Write-Verbose -ErrorAction SilentlyContinue

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 使用 PowerShell 獲取 Azure 自動化帳戶連接的服務主體 Azure服務負責人-帳戶已禁用? Azure - 創建具有租戶管理員權限的服務主體 從 Google 服務帳戶模擬 Azure 服務主體 在客戶帳戶的 Azure 中自動創建服務主體 Azure 自動化帳戶 - 如何使用自定義服務主體登錄而不是作為帳戶運行? 了解Azure服務主體 什么是 Azure 服務主體? Azure 服務主體名稱 azure中的服務主體監控
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM