azure - 无法创建 Azure AKS 群集 : CreateRoleAssignmentError

Question

我尝试在全新订阅中创建 AKS 群集。通过 Web 界面创建集群时，最终会生成 CreateRoleAssignmentError 错误，并显示以下消息:

RoleAssignmentReconciler retry timed out: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'foo' with object id 'foo' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/bar/resourceGroups/MC_MyResourceGroup_mycluster_region/providers/Microsoft.Authorization/roleAssignments/az

请注意，集群是使用手动创建的服务主体创建的，根据 documentation 。此服务主体对订阅内的所有资源组都具有“所有者”角色。

另请注意，我必须手动创建服务主体的原因是首先无法以其他方式创建集群。当尝试在未显式指定服务主体(即请求自动创建新服务主体)的情况下创建集群时，会产生另一个错误:

The credentials in ServicePrincipalProfile were invalid. Please see https://aka.ms/aks-sp-help for more details. (Details: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier 'foo' was not found in the directory 'bar'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: 9ec6ed81-892d-4592-b7b5-61842f5c1200\r\nCorrelation ID: bffbb112-7348-4403-a36f-3010bf34e594\r\nTimestamp: 2019-07-13 15:48:02Z","error_codes":[700016],"timestamp":"2019-07-13 15:48:02Z","trace_id":"9ec6ed81-892d-4592-b7b5-61842f5c1200","correlation_id":"bffbb112-7348-4403-a36f-3010bf34e594","error_uri":"https://login.microsoftonline.com/error?code=700016"})

我正在一个新帐户和使用“初始”管理员用户的订阅上执行这些操作，所以我认为所有权限都应该到位。什么可以解释上述错误？

Answer 1

正如OP所问，这就是答案。为了在 Azure 中创建资源(无论是哪些资源)，您需要以下类型的权限:provider/resource/write。编辑也是如此。这一基本原则适用于所有资源。现在让我们比较所有者和贡献者:

我有一个 AKS 模板，需要贡献者角色 + 此自定义角色才能工作:

$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = "Assign AKS permissions to the vnet"
$role.Description = "Assign AKS permissions to the vnet for the inflation process"
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Authorization/roleAssignments/write")

使用此角色 + 贡献者的代码创建的 AKS 集群功能齐全。

用户访问管理员 是一个内置角色，当您成为租户并授予自己访问租户下所有内容的权限时，您将被授予该角色:https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin 。因此，如果您授予自己此角色，显然会起作用，但您可以获得更少的权限。