添加用于创建资源组的写入权限到Azure Active Directory应用程序 [英] Adding write permission for creating Resource Groups to an Azure Active Directory Application
问题描述
我有一个C#应用程序,它将创建资源组.我正在使用ResourceManagementClient创建资源组(我认为这只是其REST API的包装).我正在使用Azure AD应用程序的客户端ID和客户端密钥进行身份验证.
I have a C# application that will create Resource Groups. I'm using the ResourceManagementClient to create the resource group (which I assume is just a wrapper for their REST API). I'm using an Azure AD application's Client ID and Client Secret to authenticate.
我收到此错误:
{对象ID为'xxxx'的客户端'xxxx'没有授权采取行动范围上的"Microsoft.Resources/subscriptions/resourcegroups/write"'/subscriptions/xxxx/resourcegroups/test-resource-group'.}
{"The client 'xxxx' with object id 'xxxx' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/xxxx/resourcegroups/test-resource-group'."}
有没有办法可以在订阅级别将此权限授予Azure AD应用程序?
Is there a way I can give this permission at the subscription level to an Azure AD application?
推荐答案
配置此步骤的步骤是:
- 在Azure AD中注册应用程序(听起来已经完成了此操作)
- 为您的应用程序创建相应的服务主体(注册时可能会自动完成或可能不会自动完成-这取决于您注册时所使用的方法)
- 将服务主体RBAC分配给订阅.
详细说明了这些步骤这里.
我相信您需要为服务主体分配贡献者"角色,以启用资源组创建.
I believe you'll need to assign your service principal the Contributor role to enable resource group creation.
这篇关于添加用于创建资源组的写入权限到Azure Active Directory应用程序的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!