Creating a service principal with the Azure Java SDK fails

Problem description

I posted this question on Stack Overflow (with the same title). But I am hoping to reach a wider audience of Azure experts here.

I am trying to create a service principal using the Azure SDK. However, I am receiving an error:

    {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}

What am I doing wrong? I am doing the following:

 1. Create a service principal with the Owner role

        az ad sp create-for-rbac -n "OrbitTest5" --role Owner --sdk-auth

 2. Use the credentials to create a service principal with the Java SDK

        azureAuthClient = Azure.configure().authenticate(credentialProvider.getCredentials());

        final ServicePrincipal servicePrincipal =
            azureAuthClient.servicePrincipals()
                .define(clusterId)
                .withNewApplication("http://easycreate.azure.com/" + clusterId)
                .definePasswordCredential("sppass")
                    .withPasswordValue("StrongPass!12")
                    .attach()
                .create();

 3. Then I get an exception. I know my credentials are valid because I am able to create a resource group with the SDK and view it from the Azure web console.

    com.microsoft.azure.management.graphrbac.GraphErrorException: Status code 403, {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at com.microsoft.rest.ServiceResponseBuilder.build(ServiceResponseBuilder.java:122)
    at com.microsoft.azure.AzureResponseBuilder.build(AzureResponseBuilder.java:56)
    at com.microsoft.azure.management.graphrbac.implementation.ApplicationsInner.createDelegate(ApplicationsInner.java:194)
    at com.microsoft.azure.management.graphrbac.implementation.ApplicationsInner.access$000(ApplicationsInner.java:45)
    at com.microsoft.azure.management.graphrbac.implementation.ApplicationsInner$2.call(ApplicationsInner.java:181)
    at com.microsoft.azure.management.graphrbac.implementation.ApplicationsInner$2.call(ApplicationsInner.java:177)
    at rx.internal.operators.OnSubscribeMap$MapSubscriber.onNext(OnSubscribeMap.java:69)
    at retrofit2.adapter.rxjava.CallArbiter.deliverResponse(CallArbiter.java:120)
    at retrofit2.adapter.rxjava.CallArbiter.emitResponse(CallArbiter.java:102)
    at retrofit2.adapter.rxjava.CallExecuteOnSubscribe.call(CallExecuteOnSubscribe.java:46)
    at retrofit2.adapter.rxjava.CallExecuteOnSubscribe.call(CallExecuteOnSubscribe.java:24)
    at rx.Observable.unsafeSubscribe(Observable.java:10327)
    at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:48)
    at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:33)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
    at rx.Observable.unsafeSubscribe(Observable.java:10327)
    at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:48)
    at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:33)
    at rx.Observable.unsafeSubscribe(Observable.java:10327)
    at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:48)
    at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:33)
    at rx.Observable.unsafeSubscribe(Observable.java:10327)
    at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:48)
    at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:33)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
    at rx.Observable.unsafeSubscribe(Observable.java:10327)
    at rx.internal.operators.OperatorSubscribeOn$SubscribeOnSubscriber.call(OperatorSubscribeOn.java:100)
    at rx.internal.schedulers.CachedThreadScheduler$EventLoopWorker$1.call(CachedThreadScheduler.java:230)
    at rx.internal.schedulers.ScheduledAction.run(ScheduledAction.java:55)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

Recommended answer

com.microsoft.azure.management.graphrbac.GraphErrorException: Status code 403, {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}

In order to fix this issue you need to provide access to either of these two APIs in Azure Active Directory. Please go to the "required permissions" blade under the application registrations and provide access to "Windows Azure Active Directory" if using Azure AD Graph API or "Microsoft Graph" if you are using Microsoft Graph. Permissions required are "Read and Write Directory Data" and "Read and Write Applications". Please make sure to click on "Grant Permissions" after saving it. Please let me know if this helps to resolve your issue.
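
An added example (not from the original thread or the Azure SDK) of the check behind this answer: app-only tokens for the Graph audience list their granted application permissions in the `roles` claim, so a token without them gets the 403 above even when the principal is Owner on the subscription. The permission values `Directory.ReadWrite.All` and `Application.ReadWrite.All`, the helper names and the sample tokens are assumptions constructed for illustration.

```python
import base64
import json

# Application-permission values assumed to correspond to the answer's
# "Read and Write Directory Data" and "Read and Write Applications".
REQUIRED_ROLES = {"Directory.ReadWrite.All", "Application.ReadWrite.All"}


def is_directory_denial(body: str) -> bool:
    """True if a Graph error body is the Authorization_RequestDenied from the question."""
    try:
        err = json.loads(body).get("odata.error", {})
    except (ValueError, AttributeError):
        return False
    return isinstance(err, dict) and err.get("code") == "Authorization_RequestDenied"


def token_claims(jwt: str) -> dict:
    """Decode a JWT payload for diagnostics only (the signature is NOT verified)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(jwt: str) -> set:
    """Required application permissions that are absent from the token's 'roles' claim."""
    return REQUIRED_ROLES - set(token_claims(jwt).get("roles", []))


def _fake_jwt(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed samples: the error body from the question and two Graph-audience tokens.
ERROR_BODY = ('{"odata.error":{"code":"Authorization_RequestDenied","message":'
              '{"lang":"en","value":"Insufficient privileges to complete the operation."}}}')
OWNER_ONLY = _fake_jwt({"aud": "https://graph.windows.net", "appid": "constructed-app-id"})
CONSENTED = _fake_jwt({"aud": "https://graph.windows.net", "appid": "constructed-app-id",
                       "roles": ["Directory.ReadWrite.All", "Application.ReadWrite.All"]})

if __name__ == "__main__":
    print(is_directory_denial(ERROR_BODY))
    print(sorted(missing_roles(OWNER_ONLY)))
    print(sorted(missing_roles(CONSENTED)))
```

Run against a real token only on a trusted machine, since the token is a bearer credential; a fresh token must be requested after consent is granted for the `roles` claim to change.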

