对象 id 为 xxx 的客户端 xxx 无权在范围内执行 Microsoft.Resources/subscriptions/resourcegroups/write' 操作 [英] The client xxx with object id xxx does not have authorization to perform action Microsoft.Resources/subscriptions/resourcegroups/write' over scope
问题描述
我正在尝试使用 Azure 管理 SDK 动态创建资源组这是我的天蓝色配置详细信息
I am trying to create a Resource Group dynamically using Azure Management SDK Here are my azure configuration details
subscription=<private-data>
client=<private-data>
key=<private-data>
tenant=<private-data>
managementURI=https://management.core.windows.net/
baseURL=https://management.azure.com/
authURL=https://login.windows.net/
graphURL=https://graph.windows.net/
这里是创建资源的代码
// Credentials
AzureCredentials credentials = new AzureCredentialsFactory()
.FromFile("azureauth.properties");
string resourceName = GetRandomString();
// Create Azure Instance
var azure = Azure
.Configure()
.Authenticate(credentials)
.WithDefaultSubscription();
// Create a Resource Group
azure.ResourceGroups
.Define(resourceName)
.WithRegion(Region.USWest)
.Create();
我得到的错误是:
具有对象 ID 的客户端ae8bc2ea-9680-4f66-934c-ad40b82c30ac"'ae8bc2ea-9680-4f66-934c-ad40b82c30ac' 没有授权执行动作'Microsoft.Resources/subscriptions/resourcegroups/write' 超出范围'/subscriptions/e9d61100-a82a-48ca-b6f8-51b06a1eebe6/resourcegroups/5oxjhjic'.
The client 'ae8bc2ea-9680-4f66-934c-ad40b82c30ac' with object id 'ae8bc2ea-9680-4f66-934c-ad40b82c30ac' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/e9d61100-a82a-48ca-b6f8-51b06a1eebe6/resourcegroups/5oxjhjic'.
我已按照 https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal
以及我正在尝试使用我的 全局管理员 帐户
推荐答案
显然,您不能尝试使用全局管理员.您需要前往您的订阅并授予 objectid 'ae8bc2ea-9680-4f66-934c-ad40b82c30ac' 贡献者权限(简单的方法)或创建满足您需求的自定义角色(或图预定义角色).
you cant be trying with global administrator, obviously. you need to go to you subscription and grant objectid 'ae8bc2ea-9680-4f66-934c-ad40b82c30ac' contributor permissions (easy way) or create a custom role (or figure predefined role) that meets your needs.
您可以使用门户或 azure powershell:
you can use portal to do that or azure powershell:
New-AzRoleAssignment -ObjectId 'ae8bc2ea-9680-4f66-934c-ad40b82c30ac' -Scope '/subscriptions/e9d61100-a82a-48ca-b6f8-51b06a1eebe6' -RoleDefinitionName contributor
等效的 Azure CLI 命令是:
the equivalent Azure CLI command is:
az role assignment create --assignee-object-id ae8bc2ea-9680-4f66-934c-ad40b82c30ac --scope subscriptions/e9d61100-a82a-48ca-b6f8-51b06a1eebe6 --role contributor
这篇关于对象 id 为 xxx 的客户端 xxx 无权在范围内执行 Microsoft.Resources/subscriptions/resourcegroups/write' 操作的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!