How to get Group in Azure AD in Pulumi?
I am trying to create a group in Azure AD.

```csharp
using Pulumi;
using Pulumi.AzureAD;

// Look up the existing "Administrators" group by name
var group = Output.Create(
    GetGroup.InvokeAsync(
        new GetGroupArgs
        {
            Name = "Administrators"
        }));
```
```text
PS C:\dev\___> pulumi preview
Previewing update (dev):
Type Name Plan Info
pulumi:pulumi:Stack Frontend-dev 1 error
Diagnostics:
pulumi:pulumi:Stack (Frontend-dev):
error: Running program 'C:\dev\___\bin\Debug\netcoreapp3.1\Frontend.dll' failed with an unhandled exception:
Grpc.Core.RpcException: Status(StatusCode=Unknown, Detail="invocation of azuread:index/getGroup:getGroup returned an error: Error building AzureAD Client: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).
To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal'
auth method - instructions for which can be found here:
Alternatively you can authenticate using the Azure CLI by using a User Account.")
at Pulumi.GrpcMonitor.InvokeAsync(InvokeRequest request)
at Pulumi.Deployment.InvokeAsync[T](String token, InvokeArgs args, InvokeOptions options, Boolean convertResult)
at Pulumi.Output`1.ApplyHelperAsync[U](Task`1 dataTask, Func`2 func)
at Pulumi.Output`1.Pulumi.IOutput.GetDataAsync()
at Pulumi.Serialization.Serializer.SerializeAsync(String ctx, Object prop)
at Pulumi.Deployment.SerializeFilteredPropertiesAsync(String label, IDictionary`2 args, Predicate`1 acceptKey)
at Pulumi.Deployment.SerializeAllPropertiesAsync(String label, IDictionary`2 args)
at Pulumi.Deployment.RegisterResourceOutputsAsync(Resource resource, Output`1 outputs)
at Pulumi.Deployment.Runner.WhileRunningAsync()
```
Pulumi.dev.yaml contains the service principal credentials.

I followed the instructions to create a service principal and configured it with the appropriate permissions.

The error message refers to some instructions: "To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal' auth method - instructions for which can be found here:" <- no link.

Can anyone help me find these instructions so that I can work out what I may have missed?
Somewhere in the documentation we are asked to put the credentials into Pulumi.<stack>.yml via the `pulumi config set azure:*` commands, which led me to believe that this should be sufficient.

The problem is that Pulumi.Azure looks for its settings in the `azure` namespace, whereas Pulumi.AzureAD looks for the same settings in the `azuread` namespace.

So we not only need this:
```shell
pulumi config set azure:clientId "00000000000000000000000"
pulumi config set azure:clientSecret "00000000000000000000000" --secret
pulumi config set azure:tenantId "00000000000000000000000"
pulumi config set azure:subscriptionId "00000000000000000000000"
```
but we also need to run the following commands:
```shell
pulumi config set azuread:clientId "00000000000000000000000"
pulumi config set azuread:clientSecret "00000000000000000000000" --secret
pulumi config set azuread:tenantId "00000000000000000000000"
pulumi config set azuread:subscriptionId "00000000000000000000000"
```
This gives us a Pulumi.<stack>.yml similar to this:

```yaml
config:
  azure:clientId: 00000000000000000000000
  azure:clientSecret:
    secure: 00000000000000000000000000000000000000000000000XqZFM=
  azure:location: WestEurope
  azure:subscriptionId: 00000000000000000000000
  azure:tenantId: 00000000000000000000000
  azuread:clientId: 00000000000000000000000
  azuread:clientSecret:
    secure: 0000000000000000000000000000000000000000000000l3xbaY=
  azuread:subscriptionId: 00000000000000000000000
  azuread:tenantId: 00000000000000000000000
```
Alternatively, you can also specify the environment variables in PowerShell:

```powershell
$env:ARM_CLIENT_ID="0000000000000000000000000"
$env:ARM_CLIENT_SECRET="0000000000000000000000000"
$env:ARM_TENANT_ID="0000000000000000000000000"
$env:ARM_SUBSCRIPTION_ID="0000000000000000000000000"
```
After that, my Pulumi stack was able to retrieve the Azure AD group object id successfully.
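As an added example that is not part of the original question or answer, the following Python check reads a Pulumi.<stack>.yml of the shape shown above and reports the two configuration states the answer is about: the `azuread` namespace missing while `azure` is configured (so the Pulumi.AzureAD provider finds no service-principal credentials), and a `clientSecret` stored as plain text instead of the `secure:` form that `--secret` produces. The parser handles only the two-level layout Pulumi writes for these keys, not YAML in general; the two sample stack files, their ids and their ciphertext strings are constructed placeholders.

```python
"""Sanity-check the Azure / Azure AD provider credentials in a Pulumi stack config.

Added example, not code from the original post. It parses the small subset of
YAML that `pulumi config set` writes (a `config:` map whose keys are
`<namespace>:<key>`, with `--secret` values nested as `secure: <ciphertext>`)
and reports:
  * the `azuread` namespace missing while `azure` is configured, so the
    Pulumi.AzureAD provider cannot find service-principal credentials;
  * a clientSecret stored as plain text instead of the `secure:` form.
It is not a general YAML parser: only this two-level layout is handled.
"""

REQUIRED_KEYS = ("clientId", "clientSecret", "tenantId", "subscriptionId")
PROVIDERS = ("azure", "azuread")


def parse_stack_config(text):
    """Return {namespace: {key: value}}; value is a str for plain entries and
    {"secure": ciphertext} for entries written with --secret."""
    config = {}
    in_config = False
    current = None  # (namespace, key) that may be followed by a nested secure: line
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:
            in_config = line == "config:"
            continue
        if not in_config:
            continue
        if indent == 2:
            # "azure:clientId: value" -> namespace "azure", key "clientId"
            qualified, _, value = line.partition(": ")
            if not value and qualified.endswith(":"):
                qualified = qualified[:-1]  # "azure:clientSecret:" with nested value
            namespace, _, key = qualified.partition(":")
            config.setdefault(namespace, {})[key] = value.strip() or None
            current = (namespace, key)
        elif indent == 4 and current and line.startswith("secure:"):
            namespace, key = current
            config[namespace][key] = {"secure": line.partition(":")[2].strip()}
    return config


def audit_credentials(config):
    """Return a list of findings; an empty list means both providers have a
    complete service-principal configuration with an encrypted secret."""
    findings = []
    for ns in PROVIDERS:
        section = config.get(ns)
        if section is None:
            findings.append(
                f"{ns}: namespace missing; this provider does not read the "
                f"other namespace's credentials")
            continue
        for key in REQUIRED_KEYS:
            if section.get(key) in (None, ""):
                findings.append(f"{ns}:{key} is not set")
        if isinstance(section.get("clientSecret"), str):
            findings.append(
                f"{ns}:clientSecret is stored in plain text; set it with "
                f"`pulumi config set {ns}:clientSecret <value> --secret`")
    return findings


# Constructed sample stack files; ids and ciphertext are placeholders.
GOOD_CONFIG = """\
config:
  azure:clientId: 00000000-0000-0000-0000-000000000000
  azure:clientSecret:
    secure: v1:CONSTRUCTED:not-a-real-ciphertext=
  azure:location: WestEurope
  azure:subscriptionId: 00000000-0000-0000-0000-000000000000
  azure:tenantId: 00000000-0000-0000-0000-000000000000
  azuread:clientId: 00000000-0000-0000-0000-000000000000
  azuread:clientSecret:
    secure: v1:CONSTRUCTED:not-a-real-ciphertext=
  azuread:subscriptionId: 00000000-0000-0000-0000-000000000000
  azuread:tenantId: 00000000-0000-0000-0000-000000000000
"""

# Constructed: only azure:* configured, and the secret set without --secret.
BAD_CONFIG = """\
config:
  azure:clientId: 00000000-0000-0000-0000-000000000000
  azure:clientSecret: constructed-plaintext-secret
  azure:location: WestEurope
  azure:subscriptionId: 00000000-0000-0000-0000-000000000000
  azure:tenantId: 00000000-0000-0000-0000-000000000000
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, audit_credentials(parse_stack_config(text)) or ["OK"])
```

Run it against a real stack file by reading the file into `parse_stack_config`; an empty findings list means both namespaces are populated and the secret is encrypted, which is the state the answer ends up in.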