当我尝试创建托管身份和分配角色分配时,我不断收到 AuthorizationFailed 错误。 我已经在门户中完成了此操作,但在 terraform 中进行复制一直很痛苦。
# User Assigned Managed Identity
resource "azurerm_user_assigned_identity" "managed-id" {
resource_group_name = var.resource_group
location = var.location
name = var.name
tags = var.tags
}
resource "azurerm_role_assignment" "rg" {
scope = data.azurerm_resource_group.rg.id
role_definition_name = "Contributor"
principal_id = azurerm_user_assigned_identity.managed-id.id
}
resource "azurerm_role_assignment" "vnet" {
scope = data.azurerm_virtual_network.vnet.id
role_definition_name = "Network Contributor"
principal_id = azurerm_user_assigned_identity.managed-id.id
}
resource "azurerm_role_assignment" "dns" {
count = "${var.create_dns_ra ? 1 : 0}"
scope = data.azurerm_subscription.sub.id
role_definition_name = "Private DNS Zone Contributor"
principal_id = azurerm_user_assigned_identity.managed-id.id
}
应用 terraform 后,这是 rg 角色分配资源的错误:
Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '9219bxxx-xxxx-xxxx-xxxx-xxxxxxxx' with object id '9219xxxx-xxxx-xxxx-xxxx-xxxxxxxx' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/4c4xxxx-xxxx-xxxx-xxxx-xxxxxxxx/resourceGroups/test-RG/providers/Microsoft.Authorization/roleAssignments/086bxxxx-xxxx-xxxx-xxxx-xxxxxxxx' or the scope is invalid. If access was recently granted, please refresh your credentials."
vnet 角色分配资源出现类似错误:
Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '9219bxxx-xxxx-xxxx-xxxx-xxxxxxxx' with object id '9219bxxx-xxxx-xxxx-xxxx-xxxxxxxx' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/4c4xxxx-xxxx-xxxx-xxxx-xxxxxxxx/resourceGroups/test-RG/providers/Microsoft.Network/virtualNetworks/test-RG-vnet/providers/Microsoft.Authorization/roleAssignments/55adxxxx-xxxx-xxxx-xxxx-xxxxxxxx' or the scope is invalid. If access was recently granted, please refresh your credentials."
我不知道需要什么来实现这一点,但我很感激任何建议或解决方案。谢谢
最佳答案
To create role assignments, you need to assign either User Access Administrator or Owner role to your service principal that includes this permission: "Microsoft.Authorization/roleAssignments/write"
我尝试通过 Postman 在我的环境中重现相同的结果,并得到以下结果:
我使用下面的查询为资源组创建角色分配,并得到相同的错误,正如您所喜欢的:
PUT https://management.azure.com/subscriptions/<subID>/resourceGroups/<rgname>/providers/Microsoft.Authorization/roleAssignments/xxxxxxxxxxxxxxxxxxxx?api-version=2022-04-01
{
"properties": {
"roleDefinitionId": "/subscriptions/<subID>/resourceGroups/<rgname>/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"principalId": "ca1xxx18-7561-4b98-987d-ee51xxxxd7"
}
}
回应:
当我尝试为 VNet 创建角色分配时,也遇到了类似错误,如下所示:
PUT https://management.azure.com/subscriptions/<subID>/resourceGroups/<rgname>/providers/Microsoft.Network/virtualNetworks/srivnet/providers/Microsoft.Authorization/roleAssignments/xxxxxxxxxxxxxxxxxxxx?api-version=2022-04-01
{
"properties": {
"roleDefinitionId": "/subscriptions/<subID>/resourceGroups/<rgname>/providers/Microsoft.Network/virtualNetworks/srivnet/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"principalId": "ca1xxx18-7561-4b98-987d-ee51xxxxd7"
}
}
回应:
为了解决该错误,我将Owner角色分配给订阅下的服务主体,如下所示:
分配该角色后,当我再次运行以下查询时,在资源组上成功创建角色分配:
对于您的情况,请尝试在订阅下分配您的服务主体所有者角色来解决问题。
如果您觉得所有者角色更宽松,最好按照以下链接的建议创建具有“Microsoft.Authorization/roleAssignments/write”权限的自定义 RBAC 角色。
引用: Authorization failed when when writing a roleAssignment - Microsoft Q&A by AmanpreetSingh-MSFT
关于azure - AuthorizationFailed - 在 Azure 中创建角色分配,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/75185362/