Azure 预配 - 无需手动登录 [英] Azure Provisioning - Without manual login
问题描述
我有一个用于设置 Azure Web 应用程序、数据库等的 Powershell 脚本,但在运行该脚本之前,我必须执行以下操作:
PS C:/>登录-AzureRmAccount这会弹出一个 GUI,我必须在其中手动添加我的用户、密码和我的 2 因素身份验证代码.我最终想将该脚本用作构建/部署自动化脚本的一部分.
我从几篇关于使用服务主体"的文章中收集到以下内容.
首先我会这样做:
PS C:>添加-AzureRmAccount在此调用中,我必须输入我的用户、密码和验证码
之后我必须执行以下操作(即使我不完全理解).
$app = New-AzureRmADApplication -DisplayName "GGReal" -HomePage "https://www.example.org/ggreal" -IdentifierUris "https://www.example.org/ggreal" -Password "我的秘密通行证"新 AzureRmADServicePrincipal -ApplicationId $app.ApplicationId这似乎有效:
然后我尝试这个,它失败了.
New-AzureRmRoleAssignment -RoleDefinitionName Reader -ServicePrincipalName $app.ApplicationId我收到以下错误:
New-AzureRmRoleAssignment : AuthorizationFailed: 对象 id 为 '8ee9a6ec-yyyy-xxxx-xxxx-4ac0883f2a12' 的客户端 jay@myemail.com' 无权执行操作 'Microsoft.Authorization/roleAssignments/write'超出范围'/subscriptions/5ba06de5-xxxx-zzzz-yyyy-27f7d2c8bba6'.在行:1 字符:1+ 新 AzureRmRoleAssignment -RoleDefinitionName 读取器 -ServicePrincpa ...+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ CategoryInfo : CloseError: (:) [New-AzureRmRoleAssignment], CloudException+ FullyQualifiedErrorId:Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand我需要做什么才能在没有人工干预的情况下启用脚本授权?
根据异常表示你没有足够的权限.我们可以按照
我还找到了一些有关创建身份验证和内置角色的相关文档:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal
https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles#roles-in-azurel
I have a Powershell script which runs to set up Azure web apps, databases, etc. but before running the script, I have to do the following:
PS C:/> Login-AzureRmAccount
This pops up a GUI in which I have to manually add in my user, password, and my 2-factor authentication code. I eventually want to use that script as a part of a part of a build/deployment automation script.
I gleaned the following from a few articles about using a "service principal".
First I do:
PS C:> Add-AzureRmAccount
In this call I have to put in my user, password, and authentication code
After that I have to do the following (even though I don't fully understand).
$app = New-AzureRmADApplication -DisplayName "GGReal" -HomePage "https://www.example.org/ggreal" -IdentifierUris "https://www.example.org/ggreal" -Password "mysecretpass"
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
This seems to work:
Then I try this, and it fails.
New-AzureRmRoleAssignment -RoleDefinitionName Reader -ServicePrincipalName $app.ApplicationId
I got the following error:
New-AzureRmRoleAssignment : AuthorizationFailed: The client jay@myemail.com' with object id '8ee9a6ec-yyyy-xxxx-xxxx-4ac0883f2a12' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/5ba06de5-xxxx-zzzz-yyyy-27f7d2c8bba6'.
At line:1 char:1
+ New-AzureRmRoleAssignment -RoleDefinitionName Reader -ServicePrincipa ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [New-AzureRmRoleAssignment], CloudException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand
What do I have to do to enable a scripted authorization without manual intervention?
According to the exception that it indicates that you don't has adequate permission to that. We can check active directory permissions following the document. Our account needs to have Microsoft.Authorization/*/Write access to assign an AD app to a role. That means our account should be assigned to the
Owner role or User Access Administrator role. If not, please ask your subscription administrator to add you to User Access Administrator role. How to add or change Azure administrator roles please refer to the document.
After that please have a try to Automate login for Azure Powershell scripts with the following code.
$azureAplicationId ="Azure AD Application Id"
$azureTenantId= "Your Tenant Id"
$azurePassword = ConvertTo-SecureString "strong password" -AsPlainText -Force
$psCred = New-Object System.Management.Automation.PSCredential($azureAplicationId , $azurePassword)
Add-AzureRmAccount -Credential $psCred -TenantId $azureTenantId -ServicePrincipal
I also find some related documents about creating authentication and Built-in roles:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal
https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles#roles-in-azurel
这篇关于Azure 预配 - 无需手动登录的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
