What does the LinkedAuthorizationFailed mean in PowerShell?

Problem description

I'm trying to add virtual network rules in a Cosmos DB using PowerShell. The VNETs exist in different tenants. I did the same for Storage accounts and it worked fine. I am getting the following error. Could someone give me some pointers as to where I'm going wrong? Is it possible to do this in a Cosmos DB database?

Set-AzureRmResource : LinkedAuthorizationFailed : The client has permission to perform action 'Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action' on scope '/subscriptions/Subscription ID of Cosmos DB/resourceGroups/nbspreprd3/providers/Microsoft.DocumentDb/databaseAccounts/nbspreprd3-config-document-db', however the current tenant '' is not authorized to access linked subscription ''.
At line:8 char:5
+     Set-AzureRmResource -ResourceType $ResourceType -ResourceGroupNam ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Set-AzureRmResource], ErrorResponseMessageException
    + FullyQualifiedErrorId : LinkedAuthorizationFailed,Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.SetAzureResourceCmdlet

Here is the PowerShell script

$ResourceGroupName = "*******"
$accountname       = "*******"
$ResourceType      = "Microsoft.DocumentDb/databaseAccounts"
$cosmosAccount = Get-AzureRmResource -ResourceType $ResourceType -ResourceGroupName $ResourceGroupName -Name $accountname
$VnrID1 = "/subscriptions/*******/resourceGroups/build-agents/providers/Microsoft.Network/virtualNetworks/build-agents-vnet/subnets/build-2-subnet"
$VnrID2 = "/subscriptions/*******/resourceGroups/build-agents/providers/Microsoft.Network/virtualNetworks/build-agents-vnet/subnets/build-3-subnet"
$VnrID3 = "/subscriptions/*******/resourceGroups/build-agents/providers/Microsoft.Network/virtualNetworks/build-agents-vnet/subnets/build1-subnet"

function setCosmosRule {
    Param($ResourceGroupName, $accountname, $ResourceType, $cosmosAccount, $VnrID1)

    $vnetrules = $cosmosAccount.Properties.virtualNetworkRules
    # Skip the update when a rule for this subnet is already present
    $existsCosmos = (@($vnetrules) | Where-Object { $_.id -eq $VnrID1 } | Measure-Object).Count -ne 0
    if (-not $existsCosmos) {
        $ourObject = New-Object -TypeName psobject
        $ourObject | Add-Member -MemberType NoteProperty -Name id -Value $VnrID1
        # $true, not the bare word True (PowerShell would pass that as the string "True")
        $ourObject | Add-Member -MemberType NoteProperty -Name ignoreMissingVNetServiceEndpoint -Value $true

        # Append to a flat array; "$vnetrules, $ourObject" would nest the existing rules as a single element
        $newVnetRules = @($vnetrules | Where-Object { $null -ne $_ }) + $ourObject
        $cosmosAccount.Properties.virtualNetworkRules = $newVnetRules
        $CosmosDBProperties = $cosmosAccount.Properties
        Set-AzureRmResource -ResourceType $ResourceType -ResourceGroupName $ResourceGroupName -ResourceName $accountname -Properties $CosmosDBProperties -Force
    }
}

# Add each subnet in turn; $cosmosAccount is updated in place, so the rules accumulate
foreach ($VnrID in $VnrID1, $VnrID2, $VnrID3) {
    setCosmosRule $ResourceGroupName $accountname $ResourceType $cosmosAccount $VnrID
}

Any pointers and tips are much appreciated

Thanks

Recommended answer

We solved a similar problem by granting our deployment service principal Network Contributor on the external subscription.

We encountered the same error in nearly the same scenario when deploying a composite ARM template with a Key Vault, Service Bus, Storage Account, and Cosmos DB Account. The first three deployed successfully and the firewalls were set up with the expected VNet/subnets from a separate subscription, peered to the deployment target subscription's VNet. Everything with RBAC in the external subscription looked fine. Digging into the Microsoft documentation for service endpoints led me to the following:

"After you add the VNet service endpoints to an Azure Cosmos account, to make any changes to the account settings, you need access to the Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action action for all the VNETs configured on your Azure Cosmos account. This permission is required because the authorization process validates access to resources (such as database and virtual network resources) before evaluating any properties."

It didn't really make sense that we needed to add the explicit permission for the Cosmos DB account, especially since the other resource types were fine. Once the additional access policy was added, the Cosmos DB account deployed successfully.
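As an added example (not code from the question or the answer), the following script audits the permission the answer names: for every subnet already attached to the Cosmos DB account's virtualNetworkRules it checks whether the deployment service principal holds a role granting joinViaServiceEndpoint/action at that scope, flags subnets whose "linked subscription" the current tenant cannot see at all, and otherwise grants Network Contributor at the VNet scope rather than the whole external subscription. The service principal object id, resource group and account name are placeholders.

```powershell
# Added example (not from the question or the answer): audit the joinViaServiceEndpoint
# permission on each subnet attached to the Cosmos DB account and grant Network Contributor
# at VNet scope where it is missing. Placeholders: $spObjectId, $ResourceGroupName, $accountname.
$spObjectId        = "00000000-0000-0000-0000-000000000000"   # deployment service principal object id
$ResourceGroupName = "*******"
$accountname       = "*******"
$requiredAction    = "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"

$cosmosAccount = Get-AzureRmResource -ResourceType "Microsoft.DocumentDb/databaseAccounts" `
                    -ResourceGroupName $ResourceGroupName -Name $accountname

foreach ($rule in @($cosmosAccount.Properties.virtualNetworkRules)) {
    $subnetId = $rule.id
    # /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>
    $subId  = ($subnetId -split '/')[2]
    $vnetId = $subnetId -replace '/subnets/[^/]+$', ''

    # The "linked subscription" from the error must be visible to the signed-in identity;
    # a subnet in a subscription this tenant cannot see is not fixable with a role assignment.
    if (-not (Get-AzureRmSubscription -SubscriptionId $subId -ErrorAction SilentlyContinue)) {
        Write-Warning "Subscription $subId is not accessible from the current tenant: $subnetId"
        continue
    }
    Set-AzureRmContext -SubscriptionId $subId | Out-Null

    # Role assignments at the subnet scope, inherited ones included; keep definitions that
    # grant the action (RBAC wildcards map onto -like patterns) and do not exclude it.
    $granting = Get-AzureRmRoleAssignment -ObjectId $spObjectId -Scope $subnetId |
        ForEach-Object { Get-AzureRmRoleDefinition -Name $_.RoleDefinitionName } |
        Where-Object {
            $def = $_
            ($def.Actions | Where-Object { $requiredAction -like $_ }) -and
            -not ($def.NotActions | Where-Object { $requiredAction -like $_ })
        }

    if ($granting) {
        Write-Output "OK     $subnetId ($($granting.Name -join ', '))"
    } else {
        # Least privilege: scope the grant to the VNet, not the whole external subscription
        Write-Output "GRANT  Network Contributor on $vnetId"
        New-AzureRmRoleAssignment -ObjectId $spObjectId -RoleDefinitionName "Network Contributor" -Scope $vnetId
    }
}
```

Run it as an identity that can create role assignments on the external VNets; note that it switches the current subscription context as it iterates.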
