为什么我的服务主体不继承订阅的“所有者”的组角色分配? [英] Why doesn't my service principal inherit a subscription's group role assignment of "owner"?
问题描述
您好。我无法让服务主体继承组的角色分配。
我在Azure AD中创建了一个安全组,并将其分配给"所有者"。我订阅的角色,然后我创建了一个服务主体并将其添加到上述安全组。我本来希望能够使用服务主体,因为它是
订阅的所有者,但服务主体似乎没有任何访问权限< g class =" gr_ gr_49 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling ins-del multiReplace"数据-GR-ID =" 49" id =" 49"> powershell< / g>。$
这是我的所作所为:
创建一个安全组
- 进入订阅并分配"所有者"。组$
- 创建服务主体和访问密钥
- 向安全组添加服务主体
- 连接到Azure < g class =" gr_ gr_46 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling ins-del multiReplace"数据-GR-ID =" 46" ID = QUOT; 46">&的powershell LT; / g取代;使用服务主体的凭证
- 尝试运行Get-AzSubscription
完成后,Get-中没有列出订阅AzSubscription输出。
这是< g class =" gr_ gr_47 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling ins-del multiReplace"数据-GR-ID =" 47" ID = QUOT; 47">&的powershell LT; / g取代;命令我运行连接作为服务主体:
Connect-< g class =" gr_ gr_48 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling ins-del multiReplace"数据-GR-ID =" 48英寸; ID = QUOT; 48英寸;> AzAccount< / g取代; -ServicePrincipal -Credential(Get-Credential)-TenantId
$ myTenantId
在Get-Credential弹出窗口中,我输入了服务主体的应用程序ID,服务主管在密码中的密钥。
PS:我很抱歉格式出错了。尽管我最好尝试重新编辑此帖子以删除标记,但我认为WYSIWYG编辑器会自动在关键字周围添加标签。
你好Josh,
我按照你所遵循的确切步骤我能够看到我的订阅。
++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++凭证(Get-Credential)-Tenant abcdef-e674-4de5-a600-15459e0091a4
cmdlet命令管道位置的Get-Credential 1
以下参数的供应值:
警告:提供的服务主要秘密将包含在
用户配置文件中的"AzureRmContext.json"文件中(C:\ Users \ karedd \\ \\ .Azure)。请确保此目录有适当的保护。
帐户 &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; SubscriptionName&NBSP; &NBSP; &NBSP; &NBSP; &NBSP; TenantId&NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP;环境与NBSP; &NBSP;
&NBSP;
------- &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; ----------------&NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; --------&NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP;
&NBSP; &NBSP; &NBSP; &NBSP; ----------
$
0ba96e8e-055d-49f Visual Studio Enterprise 1a74ee17-e674-4de5-a600 &NBSP; AzureCloud
++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++表明我有权访问此订阅。然后我运行了Get-AzSubscription命令,我能够提取子细节
++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Get-Azsubscription | fl
$
Id &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; :cfadfDFDFDEA
姓名 &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; :Visual Studio Enterprise
状态 &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; :已启用
SubscriptionId &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; :DSFCASDSASD
TenantId &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; &NBSP; :SDASDSDSADSADSADSADSA
CurrentStorageAccountName:
ExtendedProperties &NBSP; &NBSP; &NBSP; :{[帐户,SDASDSDAS,[租户,1FSDFD],[环境,AzureCloud]}
++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++++++++++++++
您可以从Azure门户查看>订阅> IAM(访问控制)>检查"访问"选项卡?
您可以输入服务主体名称,然后检查服务主体是否具有所有者访问权限?
Hi. I'm having trouble getting a service principal to inherit a group's role assignment.
I've created a security group in Azure AD and assigned it the "Owner" role for my subscription, then I created a service principal and added it to the aforementioned security group. I was expecting to be able to use the service principal like it was
an owner of the subscription, but the service principal seems not to have any access through <g class="gr_ gr_49 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling ins-del multiReplace" data-gr-id="49" id="49">powershell</g>.
Here's what I did:
Created a security group
- Went into the subscription and assigned "Owner" to the group
- Created a service principal and an access key
- Added the service principal to the security group
- Connected to Azure with <g class="gr_ gr_46 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling ins-del multiReplace" data-gr-id="46" id="46">powershell</g> using the service principal's credentials
- Attempted to run Get-AzSubscription
After doing as much, there is no subscription listed in the Get-AzSubscription output.
Here's the <g class="gr_ gr_47 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling ins-del multiReplace" data-gr-id="47" id="47">powershell</g> command I ran to connect as the service principal:
Connect-<g class="gr_ gr_48 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling ins-del multiReplace" data-gr-id="48" id="48">AzAccount</g> -ServicePrincipal -Credential (Get-Credential) -TenantId
$myTenantId
In the Get-Credential popup, I entered the application id of the service principal and the service principal's key in the password.
PS: I'm very sorry about the formatting going awry. Despite my best attempts to re-edit this post to remove the markup, I think the WYSIWYG editor is automatically adding tags around keywords.
Hello Josh,
I followed the exact steps you followed and I am able to see my subscription.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Connect-AzAccount -ServicePrincipal -Credential (Get-Credential) -Tenant abcdef-e674-4de5-a600-15459e0091a4
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
WARNING: The provided service principal secret will be included in the 'AzureRmContext.json' file found in the
user profile ( C:\Users\karedd\.Azure ). Please ensure that this directory has appropriate protections.
Account SubscriptionName TenantId Environment
------- ---------------- -------- ----------
0ba96e8e-055d-49f Visual Studio Enterprise 1a74ee17-e674-4de5-a600 AzureCloud+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
As soon as I authenticate , the output shows that I have access to this subscription. I then ran the Get-AzSubscription command and I was able to pull the sub details
+++++++++++++++++++++++++++++++++++++++++++++++++
PS C:\WINDOWS\system32> Get-Azsubscription | fl
Id : cfadfDFDFDEA
Name : Visual Studio Enterprise
State : Enabled
SubscriptionId : DSFCASDSASD
TenantId : SDASDSDSADSADSADSADSA
CurrentStorageAccountName :
ExtendedProperties : {[Account, SDASDSDAS, [Tenants, 1FSDFD], [Environment, AzureCloud]}+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Can you check from the Azure Portal > subscriptions > IAM (Access Control) > Check Access tab ?
You can enter the service principal name and then check if the service principal has the owner access ?
这篇关于为什么我的服务主体不继承订阅的“所有者”的组角色分配?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!