Azure PowerShell role assignment using Cloud Shell and DevOps pipeline


Problem description

I am trying to remove the assignment for a particular object id. Below is the error I am getting. I am attaching my service principal access level in AD.

When I am trying to execute the same command using a DevOps pipeline I am getting a different error.

To remove the access, what permission is required for my service principal in the API permissions section? Can only read work? And why am I getting the CloudException error? Any advice.

Recommended answer

I can reproduce your issue. The command Remove-AzRoleAssignment will call the Azure AD Graph to validate the $objectid you passed, so you need to give the Application permission Directory.Read.All of Azure AD Graph (not Microsoft Graph, not Delegated permission).

After adding the permission, there is some delay (30m - 1h); then test the command, it works. (I tested locally; it is the same in Cloud Shell.)

Note: Apart from the permission in Azure AD, your service principal also needs to have the permission in the subscription/specific resource scope, e.g. the service principal has the Owner/User Access Admin role in the Access control (IAM) of the subscription/specific resource scope (in your case, the storage account). If the service principal does not have the role, please add it as below.

In Azure DevOps, you don't need to log in with Connect-AzAccount (actually in Cloud Shell you also don't need to log in, but if you want to do so, that is also fine); it will log in automatically with the service principal related to the service connection (Task version >= 4.*).

So please make sure the secret of your service principal is correct and the connection was verified. To run Remove-AzRoleAssignment, also add the permission above for the App Registration related to the service connection.

Then test it; it works.
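The steps in the answer above (directory read permission for the service principal, Owner/User Access Administrator on the target scope, automatic sign-in in the DevOps task) combined into one script, as an added example that is not part of the original answer. It lists the target principal's assignments at the scope before removing one and verifies afterwards that the assignment is gone, so the pipeline log records the access change. The object id, role name and storage-account scope are placeholders you must replace; the Az cmdlets used are the standard Get-AzContext, Connect-AzAccount, Get-AzRoleAssignment and Remove-AzRoleAssignment.

```powershell
# Added example (not the original poster's code): remove one role assignment
# for a given object id at a storage-account scope, with a pre- and post-check.
# All three values are placeholders; replace them with your own.
param(
    [string]$ObjectId = "<object-id-of-principal-to-remove>",
    [string]$RoleName = "Storage Blob Data Contributor",
    [string]$Scope    = "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<account>"
)

# In an Azure DevOps "Azure PowerShell" task (version >= 4) the task has already
# signed in with the service connection's service principal, so only sign in
# when there is no context yet (i.e. when running locally).
if (-not (Get-AzContext)) {
    Connect-AzAccount | Out-Null
}

# Pre-check: which assignments exist for this object id at this scope?
# Resolving the object id goes through the directory, which is why the service
# principal needs the Directory.Read.All application permission described above.
$existing = Get-AzRoleAssignment -ObjectId $ObjectId -Scope $Scope -ErrorAction Stop
if (-not $existing) {
    Write-Host "No role assignments for $ObjectId at $Scope; nothing to remove."
    return
}
$existing | Format-Table RoleDefinitionName, ObjectType, Scope -AutoSize

# Removal: the calling principal needs Owner or User Access Administrator on
# the scope (Microsoft.Authorization/roleAssignments/delete); otherwise this
# fails with an authorization error rather than a directory error.
Remove-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleName -Scope $Scope -ErrorAction Stop

# Post-check: confirm the assignment is really gone and fail the task if not,
# so a silently unchanged ACL cannot pass as a successful run.
$remaining = Get-AzRoleAssignment -ObjectId $ObjectId -Scope $Scope |
    Where-Object RoleDefinitionName -eq $RoleName
if ($remaining) {
    throw "Assignment '$RoleName' for $ObjectId is still present at $Scope"
}
Write-Host "Removed '$RoleName' for $ObjectId at $Scope"
```

Run it locally with `.\Remove-Assignment.ps1 -ObjectId ... -Scope ...` after Connect-AzAccount, or paste it into an Azure PowerShell task where the service connection supplies the context. If the pre-check itself fails with a directory or CloudException error, the missing piece is the Azure AD Graph permission; if the removal fails with an authorization error, the missing piece is the RBAC role on the scope.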
