Azure AD - create a new Service Principal programmatically


Question


I'm writing a python script to provision and configure Azure services. I would like to provision a new Service Principal as a part of my script but have issues with permissions. If I run this command in my terminal (after `azure login`), it will create the Service Principal:

`az ad sp create-for-rbac --name Testapp`

I want to achieve the same, but in my python script, where I'm using existing service principal for the resource provisioning. The calls I'm making are as follows:

```
from subprocess import call

# Log in as the existing (Owner) service principal, then try to create a new one.
call("az login --service-principal -u '%s' -p '%s' --tenant '%s'" % (args.client_id, args.client_sec, args.tenant_id), shell=True)
call("az ad sp create-for-rbac --name TestServicePrincipal", shell=True)
```

The arguments are the credentials of the existing service principal. This service principal is already `OWNER` of that subscription.


When running my python script, I do login just fine (also with those credentials I can provision a bunch of other resources via the script), but I will get permission errors when creating the SP account as you can see here:

```
synergies git:(master) ✗ python test.py -c 'testcustomer' -l 'eastus' -sid '1234' -cs '1234' -cid '1234' -tid '1234'
[
  {
    "cloudName": "AzureCloud",
    "id": "1234",
    "isDefault": true,
    "name": "Free Trial",
    "state": "Enabled",
    "tenantId": "1234",
    "user": {
      "name": "1234",
      "type": "servicePrincipal"
    }
  }
]
Changing "TestServicePrincipal" to a valid URI of "http://TestServicePrincipal", which is the required format used for service principal names
Insufficient privileges to complete the operation.
```

Any advice will be highly appreciated!

Recommended answer

Hello Peter,

The service principal needs permissions at the directory level to perform operations on directory objects. There are two ways of assigning permissions

1) Assign an existing role which has the required permissions, like Global administrator/Application administrator etc., to the service principal using PowerShell commands. This doc has details about the roles available and this doc has a sample script which shows how to assign these roles to the service principal.

2) Assign permissions to the service principal through the application object linked to the service principal. You need to assign and grant permissions from the required permissions of the application object. You can refer to this doc for detailed steps. 

You will need "Application.ReadWrite.All" permission which translates to "Read and write all applications" in the UI. 

Hope this helps. 
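The flow the question and answer describe, as an added example that is not from the original post or from any Azure SDK: it runs the same two `az` commands as the script above but as argument lists rather than a formatted shell string, and it maps the "Insufficient privileges to complete the operation" failure to the missing directory permission the answer names. Function and variable names are the example's own.

```python
"""Added example, not from the original post: log in as the existing service
principal, create a new one without passing secrets through a shell, and turn
the CLI's "Insufficient privileges" failure into an actionable diagnosis.
Assumes the Azure CLI (az) is on PATH. Nothing here runs at import time."""
import json
import subprocess
from typing import List, Optional

INSUFFICIENT = "Insufficient privileges to complete the operation"


def login_argv(client_id: str, client_secret: str, tenant_id: str) -> List[str]:
    # argv list instead of a formatted shell string: /bin/sh never parses the
    # secret, so a quote or '$' inside it cannot break or alter the command.
    return ["az", "login", "--service-principal", "-u", client_id,
            "-p", client_secret, "--tenant", tenant_id, "--output", "json"]


def create_sp_argv(name: str) -> List[str]:
    return ["az", "ad", "sp", "create-for-rbac", "--name", name, "--output", "json"]


def diagnose(returncode: int, stderr: str) -> Optional[str]:
    """Map a failed `az ad sp create-for-rbac` to the cause given in the answer."""
    if returncode == 0:
        return None
    if INSUFFICIENT in stderr:
        # Owner on the subscription is an ARM (RBAC) role; creating an app/SP is
        # a directory operation and needs Application.ReadWrite.All on the caller.
        return ("caller lacks directory permission: grant Application.ReadWrite.All "
                "(or an Application administrator role) to the logging-in service principal")
    return "az failed: " + stderr.strip()


def run(argv: List[str]) -> "subprocess.CompletedProcess[str]":
    return subprocess.run(argv, capture_output=True, text=True)


def create_service_principal(client_id, client_secret, tenant_id, name) -> dict:
    login = run(login_argv(client_id, client_secret, tenant_id))
    if login.returncode != 0:
        raise RuntimeError("login failed: " + login.stderr.strip())
    created = run(create_sp_argv(name))
    problem = diagnose(created.returncode, created.stderr)
    if problem:
        raise PermissionError(problem)
    return json.loads(created.stdout)  # appId, password, tenant of the new SP
```

Call `create_service_principal(client_id, secret, tenant_id, "TestServicePrincipal")` from the provisioning script; the returned `password` is a credential and should go to a secret store rather than to the console.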

