具有对象ID的客户端无权在范围内执行操作"Microsoft.Web/serverfarms/read" [英] The client with object id does not have authorization to perform action 'Microsoft.Web/serverfarms/read' over scope

问题描述

我正在使用Azure应用服务api来查看服务器详细信息(例如工作进程和区域等)以进行管理.从 AuthenticationContext.AcquireTokenAsync 方法生成令牌后，我正在请求以下URL以获取服务器详细信息 https://management.azure.com/subscriptions/<sub ID>/resourceGroups/<资源组名称>/providers/Microsoft.Web/serverfarms/?api-version = 2018-02-01

I am using Azure app service api to view server details like worker process and region etc. for management purpose. After generating token from AuthenticationContext.AcquireTokenAsync method, I am requesting following URL for server details https://management.azure.com/subscriptions/<sub ID>/resourceGroups/<resource group name>/providers/Microsoft.Web/serverfarms/?api-version=2018-02-01

在响应中，我收到 AuthorizationFailed 错误代码，并在下面给出了详细信息:

In the response I am getting AuthorizationFailed error code with the detail given bellow:

客户端无权在范围'/subscriptions/xxxxxxxx-xxxxxxx-xxxx/resourceGroups/xxxxxxxxxxx/providers/Microsoft.Web/serverfarms/xxxx'或范围内执行操作'Microsoft.Web/serverfarms/read'是无效的.如果最近授予访问权限，请刷新您的凭据.

The client does not have authorization to perform action 'Microsoft.Web/serverfarms/read' over scope '/subscriptions/xxxxxxxx-xxxxxxx-xxxx/resourceGroups/xxxxxxxxxxx/providers/Microsoft.Web/serverfarms/xxxx' or the scope is invalid. If access was recently granted, please refresh your credentials.

但是当我尝试使用 https进行相同的验证时://docs.microsoft.com/zh-cn/rest/api/appservice/appserviceenvironments/get 门户，我可以在其中尝试API进行测试，该请求返回了预期的结果.

But when I try the same verification using https://docs.microsoft.com/en-us/rest/api/appservice/appserviceenvironments/get portal where I can try the APIs for testing, the request is returning expected results.

那么，还有其他方法可以进行身份​​验证吗?还是我必须定义一些权限才能实现此功能?

So, is there any other way to authenticate or should I have to define some permissions to achieve the functionality?

推荐答案

您使用的服务主体在该租户中没有权限.

The service principal you are using doesn't have rights within that tenant.

租户具有订阅，服务主体属于租户.Azure资源管理器还公开了给定主体的基于角色的授权，这将为其授予对Azure资源的权限.看来服务主体无权读取该订阅.

Tenants have subscriptions and service principals belong to tenants. Azure resource manager also exposes role based authorization for a given principal, which would give it rights on Azure resources. It appears the service principal doesn't have rights to read from that subscription.

转到门户网站并找到您的 subscription ，单击访问控制(IAM)，然后单击带有的添加角色分配用来获取令牌的对应服务主体.

Go to portal and find your subscription, click on Access Control (IAM) and then click on Add role assignment with correspond service principal which you use to acquire token.

获得成功的权限后，请刷新并重试.

After you have given successful permission, refresh and try again.

这篇关于具有对象ID的客户端无权在范围内执行操作"Microsoft.Web/serverfarms/read"的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！