How to assign a role to an Azure service principal from a different subscription?


Question

Problem statement
Currently, I am in the process of creating/modifying Azure resources in different subscriptions with the help of Azure Terraform.

Error

Principal <appid> does not exist in the directory {destination-tenant-id-for which contribution role required}

Consider the following scenario.
We want to create an Azure AKS cluster in one subscription and, in the same execution, update a DNS definition in another subscription. This process works well if we have both the DNS zone and the AKS cluster in the same subscription, but it does not work if these two resources are in different subscriptions.

Steps taken
Create the service principal without a role assignment:

az ad sp create-for-rbac -n sp-terraform-001 --skip-assignment

Assign the Contributor role on the current subscription to the current SP:

az role assignment create --assignee <appid>  --role Contributor --scope /subscriptions/<sub-id>

Assign the Contributor role to the current SP for a different subscription. It will fail with:

az role assignment create --assignee <appid>  --role Contributor --scope /subscriptions/<diff-sub-id>/<resource-group>....

Please let me know the correct steps to access resources in another subscription.

Answer

You can assign rights to a service principal on multiple subscriptions; that is not an issue, as the SP sits outside of the subscription, in Azure AD.

However, you cannot assign rights to resources in a different Azure AD tenant from the one the service principal sits in, which it sounds like you are trying to do here.
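The check the answer implies, as an added example that is not part of the original question or answer: before running the `az role assignment create` command from the question against each target subscription, confirm that the subscription belongs to the same Azure AD tenant as the service principal, because a subscription in another tenant is exactly what the "Principal <appid> does not exist in the directory" error reports. The app ID, tenant IDs, subscription IDs and the `APPLY` switch are constructed for this example; `az account show`, `az account list` and `az role assignment create` are real Azure CLI commands.

```shell
#!/bin/sh
# Added example, not from the original question or answer: a pre-flight
# check for `az role assignment create`. A service principal lives in one
# Azure AD tenant, so a role can be assigned to it only on subscriptions
# that belong to that tenant; a subscription in any other tenant answers
# "Principal <appid> does not exist in the directory ...".
# All IDs below are constructed placeholders, not real Azure identifiers.
set -eu

# Hypothetical app (client) ID of the SP created with
#   az ad sp create-for-rbac -n sp-terraform-001 --skip-assignment
APP_ID="11111111-1111-1111-1111-111111111111"

# Tenant the SP was created in: create-for-rbac registers it in the tenant
# of the logged-in CLI session, i.e. what `az account show --query tenantId`
# prints there. Constructed value.
SP_TENANT="aaaaaaaa-0000-0000-0000-aaaaaaaaaaaa"

# Constructed sample in the shape of
#   az account list --query "[].[id,tenantId]" -o tsv
# (one "<subscription-id><TAB><tenant-id>" line per subscription).
# Two subscriptions share the SP's tenant; the third belongs to another one.
SAMPLE_SUBSCRIPTIONS="$(printf '%s\t%s\n' \
  sub-aks-0001   aaaaaaaa-0000-0000-0000-aaaaaaaaaaaa \
  sub-dns-0002   aaaaaaaa-0000-0000-0000-aaaaaaaaaaaa \
  sub-other-0003 bbbbbbbb-0000-0000-0000-bbbbbbbbbbbb)"

# same_tenant A B: succeeds when both tenant IDs are equal. The comparison
# is case-insensitive because the CLI and the portal print GUIDs in
# different cases.
same_tenant() {
  [ "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" = \
    "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" ]
}

# plan_assignments SUBSCRIPTIONS_TSV SP_TENANT: prints one line per
# subscription, "assign <sub-id> /subscriptions/<sub-id>" when the role
# assignment can succeed, or "skip <sub-id> <tenant-id>" when the
# subscription sits in a tenant the SP does not exist in.
plan_assignments() {
  subs="$1"; sp_tenant="$2"
  tab="$(printf '\t')"
  while IFS="$tab" read -r sub_id tenant; do
    [ -n "$sub_id" ] || continue
    if same_tenant "$sp_tenant" "$tenant"; then
      printf 'assign %s /subscriptions/%s\n' "$sub_id" "$sub_id"
    else
      printf 'skip %s %s\n' "$sub_id" "$tenant"
    fi
  done <<EOF
$subs
EOF
}

# assign_role SCOPE: the real command from the question, run only for
# scopes that passed the check above.
assign_role() {
  az role assignment create --assignee "$APP_ID" --role Contributor --scope "$1"
}

# Dry run by default. With APPLY=1 and an authenticated az session, read the
# live subscription list and perform only the assignments that can succeed.
if [ "${APPLY:-0}" = "1" ] && command -v az >/dev/null 2>&1; then
  SP_TENANT="$(az account show --query tenantId -o tsv)"
  plan_assignments "$(az account list --query '[].[id,tenantId]' -o tsv)" "$SP_TENANT" |
  while read -r action sub_id detail; do
    case "$action" in
      assign) assign_role "$detail" ;;
      skip)   echo "skip $sub_id: tenant $detail differs from SP tenant $SP_TENANT" >&2 ;;
    esac
  done
else
  plan_assignments "$SAMPLE_SUBSCRIPTIONS" "$SP_TENANT"
fi
```

Run as-is it prints the plan for the embedded sample: two subscriptions get an assignment, the one in the other tenant is skipped. With `APPLY=1` and a logged-in CLI session it takes the tenant of that session, which is where `create-for-rbac` registered the SP, and runs the assignment only for subscriptions in that tenant. Once the SP holds Contributor on both subscriptions, the Terraform side of the question (a detail the answer does not cover) is one `azurerm` provider block per subscription using the same SP credentials and a different `subscription_id`, with an `alias` on the second, so the AKS cluster and the DNS zone can be managed in one run.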
