How to get Group in Azure AD in Pulumi?


Question

I'm trying to get a group in the Azure AD.

using Pulumi;
using Pulumi.AzureAD;

// Look up an existing Azure AD group by name (GetGroup is an invoke, not a managed resource).
var group = Output.Create(
    GetGroup.InvokeAsync(
        new GetGroupArgs
        {
            Name = "Administrators"
        }));

PS C:\dev\___> pulumi preview
Previewing update (dev):
     Type                 Name          Plan     Info
     pulumi:pulumi:Stack  Frontend-dev           1 error

Diagnostics:
  pulumi:pulumi:Stack (Frontend-dev):
    error: Running program 'C:\dev\___\bin\Debug\netcoreapp3.1\Frontend.dll' failed with an unhandled exception:
    Grpc.Core.RpcException: Status(StatusCode=Unknown, Detail="invocation of azuread:index/getGroup:getGroup returned an error: Error building AzureAD Client: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).

    To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal'
    auth method - instructions for which can be found here:

    Alternatively you can authenticate using the Azure CLI by using a User Account.")
       at Pulumi.GrpcMonitor.InvokeAsync(InvokeRequest request)
       at Pulumi.Deployment.InvokeAsync[T](String token, InvokeArgs args, InvokeOptions options, Boolean convertResult)
       at Pulumi.Output`1.ApplyHelperAsync[U](Task`1 dataTask, Func`2 func)
       at Pulumi.Output`1.Pulumi.IOutput.GetDataAsync()
       at Pulumi.Serialization.Serializer.SerializeAsync(String ctx, Object prop)
       at Pulumi.Deployment.SerializeFilteredPropertiesAsync(String label, IDictionary`2 args, Predicate`1 acceptKey)
       at Pulumi.Deployment.SerializeAllPropertiesAsync(String label, IDictionary`2 args)
       at Pulumi.Deployment.RegisterResourceOutputsAsync(Resource resource, Output`1 outputs)
       at Pulumi.Deployment.Runner.WhileRunningAsync()

Pulumi.dev.yaml contains the service principal credentials.

I followed the instructions to create a service principal and configured it with the appropriate permissions.

The error message talks about some instructions:

To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal' auth method - instructions for which can be found here: <- No link

Can anyone help me find those instructions so that I can sort out what I may have missed?

Answer

Somewhere in the documentation, we're asked to put the credentials in the Pulumi.<stack>.yml via pulumi config set azure:* commands which led me to believe that that should be enough.

The thing is Pulumi.Azure will look for the settings in the azure namespace but Pulumi.AzureAD will look for the same settings in the azuread namespace.

So we not only need this:

pulumi config set azure:clientId "00000000000000000000000"
pulumi config set azure:clientSecret "00000000000000000000000" --secret
pulumi config set azure:tenantId "00000000000000000000000"
pulumi config set azure:subscriptionId "00000000000000000000000"

But we also need to run the below:

pulumi config set azuread:clientId "00000000000000000000000"
pulumi config set azuread:clientSecret "00000000000000000000000" --secret
pulumi config set azuread:tenantId "00000000000000000000000"
pulumi config set azuread:subscriptionId "00000000000000000000000"

Which will get us a Pulumi.<stack>.yml similar to this:

config:
  azure:clientId: 00000000000000000000000
  azure:clientSecret:
    secure: 00000000000000000000000000000000000000000000000XqZFM=
  azure:location: WestEurope
  azure:subscriptionId: 00000000000000000000000
  azure:tenantId: 00000000000000000000000
  azuread:clientId: 00000000000000000000000
  azuread:clientSecret:
    secure: 0000000000000000000000000000000000000000000000l3xbaY=
  azuread:subscriptionId: 00000000000000000000000
  azuread:tenantId: 00000000000000000000000

Alternatively, you may also specify environment variables in PowerShell:

$env:ARM_CLIENT_ID="0000000000000000000000000"
$env:ARM_CLIENT_SECRET="0000000000000000000000000"
$env:ARM_TENANT_ID="0000000000000000000000000"
$env:ARM_SUBSCRIPTION_ID="0000000000000000000000000"

After doing that, my Pulumi stack was able to retrieve the Azure AD group object id successfully.

The GitHub issue has been resolved.
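As an added example (not part of the question or the answer above), here is a small pre-flight check that reads a Pulumi.<stack>.yml and reports when either the azure: or the azuread: namespace is missing service-principal credentials, or when a clientSecret was set without --secret and therefore sits in the file in plaintext. The parser assumes only the flat two-level layout shown in the answer; the sample config is constructed for the demonstration and deliberately omits azuread:clientSecret.

```python
"""Pre-flight check: both the `azure:` and `azuread:` config namespaces must
carry service-principal credentials, and client secrets must be stored as
`secure:` blobs (set with --secret), not as plaintext values."""

# Constructed sample modelled on the Pulumi.<stack>.yml in the answer,
# with azuread:clientSecret deliberately left out to trigger a finding.
SAMPLE_STACK_YAML = """\
config:
  azure:clientId: 00000000000000000000000
  azure:clientSecret:
    secure: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAXqZFM=
  azure:location: WestEurope
  azure:subscriptionId: 00000000000000000000000
  azure:tenantId: 00000000000000000000000
  azuread:clientId: 00000000000000000000000
  azuread:tenantId: 00000000000000000000000
"""

REQUIRED = ("clientId", "clientSecret", "tenantId")
SECRET_KEYS = ("clientSecret",)


def parse_stack_config(text):
    """Minimal parser for the flat `config:` block Pulumi writes (assumption:
    two-space indented keys, each either a scalar or a nested `secure: <blob>`).
    Returns e.g. {"azure:clientId": "...", "azure:clientSecret": {"secure": "..."}}."""
    config, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("config:"):
            continue
        indent = len(line) - len(line.lstrip())
        # rpartition: the key itself contains a ':' (namespace:name),
        # so split on the last colon, not the first.
        key, _, value = line.strip().rpartition(":")
        if indent == 2:
            current = key
            config[key] = value.strip() if value.strip() else {}
        elif indent == 4 and current is not None:
            config[current][key] = value.strip()
    return config


def check_provider_credentials(config, namespaces=("azure", "azuread")):
    """Return a list of findings; empty means both providers can authenticate
    as the service principal instead of falling back to the Azure CLI."""
    findings = []
    for ns in namespaces:
        for key in REQUIRED:
            full = f"{ns}:{key}"
            if full not in config:
                findings.append(f"missing {full}")
            elif key in SECRET_KEYS and not isinstance(config[full], dict):
                findings.append(f"{full} stored in plaintext; re-set it with --secret")
    return findings
```

Running `check_provider_credentials(parse_stack_config(SAMPLE_STACK_YAML))` on the sample reports the single missing `azuread:clientSecret`, which is exactly the gap that makes the azuread provider fall back to CLI authentication.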
