Azure设置-无需手动登录 [英] Azure Provisioning - Without manual login

问题描述

我有一个Powershell脚本，该脚本可以运行以设置Azure Web应用程序，数据库等.但是在运行脚本之前，我必须执行以下操作:

I have a Powershell script which runs to set up Azure web apps, databases, etc. but before running the script, I have to do the following:

PS C:/> Login-AzureRmAccount

这会弹出一个GUI，我必须在其中手动添加用户，密码和2因子身份验证代码.我最终希望将该脚本用作构建/部署自动化脚本的一部分.

This pops up a GUI in which I have to manually add in my user, password, and my 2-factor authentication code. I eventually want to use that script as a part of a part of a build/deployment automation script.

我从几篇有关使用服务主体"的文章中总结了以下内容.

I gleaned the following from a few articles about using a "service principal".

首先，我做

PS C:\> Add-AzureRmAccount

在这次通话中，我必须输入用户名，密码和验证码

In this call I have to put in my user, password, and authentication code

此后，我必须执行以下操作(即使我不太了解).

After that I have to do the following (even though I don't fully understand).

$app = New-AzureRmADApplication -DisplayName "GGReal" -HomePage    "https://www.example.org/ggreal" -IdentifierUris     "https://www.example.org/ggreal" -Password "mysecretpass"

New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

这似乎可行:

然后我尝试此操作，但失败了.

Then I try this, and it fails.

New-AzureRmRoleAssignment -RoleDefinitionName Reader -ServicePrincipalName $app.ApplicationId

我遇到以下错误:

New-AzureRmRoleAssignment : AuthorizationFailed: The client jay@myemail.com' with object id '8ee9a6ec-yyyy-xxxx-xxxx-4ac0883f2a12' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/5ba06de5-xxxx-zzzz-yyyy-27f7d2c8bba6'.
At line:1 char:1
+ New-AzureRmRoleAssignment -RoleDefinitionName Reader -ServicePrincipa ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : CloseError: (:) [New-AzureRmRoleAssignment], CloudException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand

要在没有人工干预的情况下启用脚本化授权，我该怎么办?

What do I have to do to enable a scripted authorization without manual intervention?

推荐答案

根据例外情况，即表明您没有足够的权限.我们可以按照所有者角色或

According to the exception that it indicates that you don't has adequate permission to that. We can check active directory permissions following the document. Our account needs to have Microsoft.Authorization/*/Write access to assign an AD app to a role. That means our account should be assigned to the Owner role or User Access Administrator role. If not, please ask your subscription administrator to add you to User Access Administrator role. How to add or change Azure administrator roles please refer to the document.

然后，请尝试使用以下代码自动登录Azure Powershell脚本.

After that please have a try to Automate login for Azure Powershell scripts with the following code.

$azureAplicationId ="Azure AD Application Id"
$azureTenantId= "Your Tenant Id"
$azurePassword = ConvertTo-SecureString "strong password" -AsPlainText -Force
$psCred = New-Object System.Management.Automation.PSCredential($azureAplicationId , $azurePassword)
Add-AzureRmAccount -Credential $psCred -TenantId $azureTenantId  -ServicePrincipal 

我还找到了一些有关创建身份验证和内置角色的相关文档:
https://docs. microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal
https://docs.microsoft.com/zh-CN/azure/active-directory/role-based-access-built-in-roles#roles-in-azurel

I also find some related documents about creating authentication and Built-in roles:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal
https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles#roles-in-azurel

这篇关于Azure设置-无需手动登录的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！