How to get Group in Azure AD in Pulumi?
Problem description
I'm trying to get a group in the Azure AD.
var group = Output.Create(
    GetGroup.InvokeAsync(
        new GetGroupArgs
        {
            Name = "Administrators"
        }));
PS C:\dev\___> pulumi preview
Previewing update (dev):
Type Name Plan Info
pulumi:pulumi:Stack Frontend-dev 1 error
Diagnostics:
pulumi:pulumi:Stack (Frontend-dev):
error: Running program 'C:\dev\___\bin\Debug\netcoreapp3.1\Frontend.dll' failed with an unhandled exception:
Grpc.Core.RpcException: Status(StatusCode=Unknown, Detail="invocation of azuread:index/getGroup:getGroup returned an error: Error building AzureAD Client: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).
To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal'
auth method - instructions for which can be found here:
Alternatively you can authenticate using the Azure CLI by using a User Account.")
at Pulumi.GrpcMonitor.InvokeAsync(InvokeRequest request)
at Pulumi.Deployment.InvokeAsync[T](String token, InvokeArgs args, InvokeOptions options, Boolean convertResult)
at Pulumi.Output`1.ApplyHelperAsync[U](Task`1 dataTask, Func`2 func)
at Pulumi.Output`1.Pulumi.IOutput.GetDataAsync()
at Pulumi.Serialization.Serializer.SerializeAsync(String ctx, Object prop)
at Pulumi.Deployment.SerializeFilteredPropertiesAsync(String label, IDictionary`2 args, Predicate`1 acceptKey)
at Pulumi.Deployment.SerializeAllPropertiesAsync(String label, IDictionary`2 args)
at Pulumi.Deployment.RegisterResourceOutputsAsync(Resource resource, Output`1 outputs)
at Pulumi.Deployment.Runner.WhileRunningAsync()
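Pulumi.dev.yaml contains the Service Principal credentials.
I followed the instructions to create the Service Principal and configured it with the appropriate permissions.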
The error message talks about some instructions:
To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal' auth method - instructions for which can be found here: <- No link
Can anyone help me find those instructions so that I can sort out what I may have missed?
Recommended answer
Somewhere in the documentation, we're asked to put the credentials in the Pulumi.<stack>.yml via pulumi config set azure:* commands, which led me to believe that that should be enough.
The thing is Pulumi.Azure will look for the settings in the azure namespace but Pulumi.AzureAD will look for the same settings in the azuread namespace.
So we not only need this:
pulumi config set azure:clientId "00000000000000000000000"
pulumi config set azure:clientSecret "00000000000000000000000" --secret
pulumi config set azure:tenantId "00000000000000000000000"
pulumi config set azure:subscriptionId "00000000000000000000000"
But we also need to run the below:
pulumi config set azuread:clientId "00000000000000000000000"
pulumi config set azuread:clientSecret "00000000000000000000000" --secret
pulumi config set azuread:tenantId "00000000000000000000000"
pulumi config set azuread:subscriptionId "00000000000000000000000"
Which will get us a Pulumi.<stack>.yml similar to this:
config:
  azure:clientId: 00000000000000000000000
  azure:clientSecret:
    secure: 00000000000000000000000000000000000000000000000XqZFM=
  azure:location: WestEurope
  azure:subscriptionId: 00000000000000000000000
  azure:tenantId: 00000000000000000000000
  azuread:clientId: 00000000000000000000000
  azuread:clientSecret:
    secure: 0000000000000000000000000000000000000000000000l3xbaY=
  azuread:subscriptionId: 00000000000000000000000
  azuread:tenantId: 00000000000000000000000
Alternatively, you may also specify environment variables in PowerShell:
$env:ARM_CLIENT_ID="0000000000000000000000000"
$env:ARM_CLIENT_SECRET="0000000000000000000000000"
$env:ARM_TENANT_ID="0000000000000000000000000"
$env:ARM_SUBSCRIPTION_ID="0000000000000000000000000"
After doing that, my Pulumi stack was able to retrieve the Azure AD group object id successfully.
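As an added example (not part of the original answer and not Pulumi's own code), a pre-flight check that reads a stack file and reports which of the four credential settings are missing from the azure and azuread namespaces, and whether a clientSecret was stored without --secret. The function names, the line-based reader and the sample file are assumptions made for illustration.

```python
import re

# Settings the answer sets per namespace -> the ARM_* variable it offers instead.
REQUIRED = {"clientId": "ARM_CLIENT_ID", "clientSecret": "ARM_CLIENT_SECRET",
            "tenantId": "ARM_TENANT_ID", "subscriptionId": "ARM_SUBSCRIPTION_ID"}
KEY_LINE = re.compile(r"^\s+([\w-]+:[\w.-]+):\s*(.*)$")   # "  azure:clientId: value"
SECURE_LINE = re.compile(r"^\s+secure:\s*(\S+)")          # "    secure: ciphertext"


def parse_stack_config(text):
    """Read the 'config:' map of a Pulumi.<stack>.yaml (not a full YAML parser)."""
    config, current, in_config = {}, None, False
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        key, secure = KEY_LINE.match(line), SECURE_LINE.match(line)
        if line[:1].strip():                   # unindented: a top-level key
            in_config = line.strip() == "config:"
        elif in_config and key:
            current = key.group(1)
            config[current] = key.group(2).strip("\"'") or None
        elif in_config and secure and current:
            config[current] = {"secure": secure.group(1)}  # written by --secret
    return config


def audit(text, namespaces=("azure", "azuread"), env=None):
    """Return findings for a stack file; an empty list means nothing to fix."""
    config, env, findings = parse_stack_config(text), env or {}, []
    for ns in namespaces:
        for key, env_name in REQUIRED.items():
            value = config.get(f"{ns}:{key}")
            if value is None and not env.get(env_name):
                findings.append(f"{ns}:{key} is not set")
            elif key == "clientSecret" and isinstance(value, str):
                findings.append(f"{ns}:clientSecret is plaintext, set it with --secret")
    return findings


# Constructed sample: the question's situation, credentials under azure: only.
SAMPLE = """config:
  azure:clientId: 00000000000000000000000
  azure:clientSecret:
    secure: AAAAconstructedciphertext=
  azure:tenantId: 00000000000000000000000
  azure:subscriptionId: 00000000000000000000000
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Pass `env=dict(os.environ)` to treat the ARM_* variables from the answer as satisfying a missing setting.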