AuthorizationFailed adding network rule


Question


I am trying to add a network rule using AzureRM PowerShell in the Azure Gov environment. I keep getting "Virtual Network could not be validated. Code: AuthorizationFailed. The client '****' with object id '****' does not have authorization to perform action 'microsoft.network/virtualnetworks/taggedTrafficConsumers/validate/action' over scope '/subscriptions/****/resourcegroups/****/providers/microsoft.network/virtualnetworks/*****/taggedTrafficConsumers/Microsoft.KeyVault.*****'"

The commands I am running:

    $subnet = Get-AzureRmVirtualNetwork -ResourceGroupName "G1" -Name "V1" | Get-AzureRmVirtualNetworkSubnetConfig -Name "S1"

    Add-AzureRmKeyVaultNetworkRule -VaultName "KV1" -ResourceGroupName "G2" -VirtualNetworkResourceId $subnet.Id -PassThru

I am an owner on all resource groups. I can update all the existing KeyVaultNetworkRuleSet values except for the VirtualNetworkResourceId.

Does anyone have any pointers on where to start to resolve the issue? Is this even supported in Azure Gov? I know on the portal it does not list "Firewalls and virtual networks" in the menu for Key Vault.


referenced: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-network-security

Answer


The service principal you are using doesn't have rights within that tenant.


Tenants have subscriptions and service principals belong to tenants. Azure resource manager also exposes role based authorization for a given principal, which would give it rights on Azure resources. It appears the service principal doesn't have rights to read from that subscription.


This is a really common issue. We've added a specific command in Azure CLI (https://github.com/Azure/azure-cli) to set up a service principal for automation with role-based authorization already baked in.


You want to use the az ad sp create-for-rbac command.


    az ad sp -h

    Group
        az ad sp: Manages AAD service principals for automation authentication.

    Commands:
        create
        create-for-rbac  : Create a service principal and configure its access to Azure resources.
        delete
        list
        reset-credentials: Reset credential, on expiration or you forget it.
        show


    az ad sp create-for-rbac -h

    Command
        az ad sp create-for-rbac: Create a service principal and configure its access to Azure resources.

    Arguments
        --expanded-view: Once created, display more information like subscription and cloud environments.
        --name -n      : A display name or an app id uri. Command will generate one if missing.
        --password     : The password used to login. If missing, command will generate one.
        --role         : Role the service principal has on the resources. Default: Contributor.
        --scopes       : Space separated scopes the service principal's role assignment applies to. Defaults to the root of the current subscription.
        --years        : Years the password will be valid. Default: 1.

    Global Arguments
        --debug        : Increase logging verbosity to show all debug logs.
        --help -h      : Show this help message and exit.
        --output -o    : Output format. Allowed values: json, jsonc, table, tsv. Default: json.
        --query        : JMESPath query string. See http://jmespath.org/ for more information and examples.
        --verbose      : Increase logging verbosity. Use --debug for full debug logs.

    Examples
        Create with defaults
            az ad sp create-for-rbac
        Create with a custom name
            az ad sp create-for-rbac -n "http://my-app"
        Create role assignments at the same time
            az ad sp create-for-rbac -n "http://my-app" --role contributor --scopes /subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/mygroup /subscriptions/11111111-2222-3333-4444-666666666666/resourceGroups/my-another-group
        Login with this service principal
            az login --service-principal -u <name> -p <password> --tenant <tenant>
        Reset credentials on expiration
            az ad sp reset-credentials --name <name>
        Create role assignments
            az role assignment create --assignee <name> --role Contributor
        Revoke the service principal when done with it
            az ad app delete --id <name>


Please let me know if this solved this issue for you.
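The answer's fix comes down to a role assignment that covers the scope named in the error and includes the action named in it. The following is an added example, not code from the question or the answer: an offline model of how Azure RBAC decides a single (principal, action, scope) check, run over constructed role definitions and assignments shaped like the fields `az role definition list` and `az role assignment list` return. The subscription, resource group, VNet and principal identifiers are placeholders, not the asker's, and the "Restricted Network Operator" role is constructed only to show NotActions. The model covers Actions, NotActions and scope inheritance; deny assignments, ABAC conditions and DataActions are left out.

```python
"""Offline model of Azure RBAC evaluation for one (principal, action, scope).

Added example, not code from the original post. Role definitions and
assignments below are constructed samples in the shape of
`az role definition list` / `az role assignment list` output, trimmed to
the fields the check needs.
"""
import re

# Constructed role definitions (action patterns use Azure's '*' wildcard).
ROLE_DEFINITIONS = {
    "Owner": {"actions": ["*"], "notActions": []},
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Network Contributor": {"actions": ["Microsoft.Network/*"], "notActions": []},
    "Key Vault Contributor": {"actions": ["Microsoft.KeyVault/*"], "notActions": []},
    # Constructed custom role: broad Microsoft.Network rights minus the
    # taggedTrafficConsumers subtree, to show how NotActions are subtracted.
    "Restricted Network Operator": {
        "actions": ["Microsoft.Network/*"],
        "notActions": ["Microsoft.Network/virtualNetworks/taggedTrafficConsumers/*"],
    },
}

# Constructed scenario (placeholder IDs, not the asker's): the principal is
# Owner on the vault's resource group G2 but only Reader on the VNet's group G1.
ROLE_ASSIGNMENTS = [
    {"principalId": "sp-1111", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/sub-a/resourceGroups/G2"},
    {"principalId": "sp-1111", "roleDefinitionName": "Reader",
     "scope": "/subscriptions/sub-a/resourceGroups/G1"},
]

VNET_SCOPE = ("/subscriptions/sub-a/resourceGroups/G1"
              "/providers/Microsoft.Network/virtualNetworks/V1")
VALIDATE_ACTION = "Microsoft.Network/virtualNetworks/taggedTrafficConsumers/validate/action"


def scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    """An assignment applies at its own scope and everything beneath it.
    Comparison is case-insensitive and stops at a '/' boundary, so
    '.../resourceGroups/G1' does not cover '.../resourceGroups/G10'."""
    a = assignment_scope.lower().rstrip("/")
    r = resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def action_matches(pattern: str, action: str) -> bool:
    """'*' in an action pattern matches any run of characters, '/' included."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def explain(principal_id, action, scope, assignments=None, definitions=None):
    """Return (allowed, notes). Each in-scope assignment is evaluated on its own:
    the action must match one of the role's Actions and none of its NotActions."""
    assignments = ROLE_ASSIGNMENTS if assignments is None else assignments
    definitions = ROLE_DEFINITIONS if definitions is None else definitions
    allowed, notes = False, []
    for asg in assignments:
        if asg["principalId"] != principal_id or not scope_covers(asg["scope"], scope):
            continue  # wrong principal, or assigned outside this scope's chain
        role = definitions[asg["roleDefinitionName"]]
        granted = any(action_matches(p, action) for p in role["actions"])
        excluded = any(action_matches(p, action) for p in role["notActions"])
        where = f"{asg['roleDefinitionName']} at {asg['scope']}"
        if granted and not excluded:
            allowed = True
            notes.append(f"{where}: grants {action}")
        elif granted:
            notes.append(f"{where}: matched Actions but removed by NotActions")
        else:
            notes.append(f"{where}: no matching action")
    return allowed, notes


def is_authorized(principal_id, action, scope, assignments=None, definitions=None):
    return explain(principal_id, action, scope, assignments, definitions)[0]


def with_assignment(assignments, principal_id, role_name, scope):
    """Copy of the assignment list plus one assignment, i.e. what
    `az role assignment create --assignee ... --role ... --scope ...` would add."""
    return assignments + [{"principalId": principal_id,
                           "roleDefinitionName": role_name, "scope": scope}]


if __name__ == "__main__":
    vault_rg = "/subscriptions/sub-a/resourceGroups/G2"
    cases = [
        ("as-is", ROLE_ASSIGNMENTS),
        ("Network Contributor on the vault's RG (wrong scope)",
         with_assignment(ROLE_ASSIGNMENTS, "sp-1111", "Network Contributor", vault_rg)),
        ("Network Contributor on the VNet itself",
         with_assignment(ROLE_ASSIGNMENTS, "sp-1111", "Network Contributor", VNET_SCOPE)),
    ]
    for label, asgs in cases:
        ok, notes = explain("sp-1111", VALIDATE_ACTION, VNET_SCOPE, asgs)
        print(f"{label}: {'authorized' if ok else 'AuthorizationFailed'}")
        for note in notes:
            print("  -", note)
```

The point this makes for the error in the question: the action in the message is a Microsoft.Network action evaluated at the virtual network's scope, so a role held on the Key Vault's resource group is never consulted for it. The assignment has to sit on the VNet, its resource group or the subscription, and its role has to match Microsoft.Network/virtualNetworks/taggedTrafficConsumers/validate/action without a NotActions entry taking it away. When troubleshooting a real tenant, list the principal's assignments at the VNet scope and the Actions/NotActions of each role, then apply the same two checks.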

