azure - Trying to authenticate to Azure with a user-assigned managed identity fails with 401

Tags: azure, terraform, azure-managed-identity, azure-rm

I have Terraform code that authenticates as a service principal using the ARM_... environment variables.

Now I need to run one configuration using the managed identity assigned to the build agent VM.

My TF code is:

provider "azurerm" {
  features {}
  alias                      = "ss101"
  use_msi                    = true
  client_id                  = "3...5"
  subscription_id            = "6...2"
  skip_provider_registration = true
}

module "vnet-peering" {
  for_each = local.app_vnets
  source   = "./vnet-peering"
  app_vnet = module.vnets[each.value.location].vnets[each.value.key]

  providers = {
    azurerm.ss101 = azurerm.ss101
  }
}

I added client_secret = null to work around the error I was getting, without success:

│ Error: building account: could not acquire access token to parse claims: clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '3...5'.\r\nTrace ID: b55484dd-8dec-4b6f-89e4-6b22e24a2000\r\nCorrelation ID: 67880b22-e6e8-4382-8378-7b9ea8702cdd\r\nTimestamp: 2023-03-17 19:21:20Z","error_codes":[7000215],"timestamp":"2023-03-17 19:21:20Z","trace_id":"b55484dd-8dec-4b6f-89e4-6b22e24a2000","correlation_id":"67880b22-e6e8-4382-8378-7b9ea8702cdd","error_uri":"https://login.microsoftonline.com/error?code=7000215"}
│ 
│   with module.bootstrap.provider["registry.terraform.io/hashicorp/azurerm"].ss101,
│   on .terraform/modules/bootstrap/main.tf line 185, in provider "azurerm":
│  185: provider "azurerm" {

I suspect that the credentials I inject via the environment may be interfering with MSI authentication. I tried passing client_secret = null, but it had no effect.

How do I troubleshoot this?

Best answer

I tried the following code:

provider "azurerm" {
  features {
    resource_group {
      prevent_deletion_if_contains_resources = false
    }
  }
  use_msi                    = true
  client_id                  = "abf1166e-xxx"
  //client_secret              = "pym8Q~xxx"
  client_secret              = "null"
  tenant_id                  = "3f5xxxxxx"
  subscription_id            = "xxxx"
  skip_provider_registration = true
}

When I did not provide the correct client secret value, I got the error.

With some random client_secret value:

Error: building account: getting authenticated object ID: listing Service Principals: ServicePrincipalsClient.BaseClient.Get(): clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'abf1166xxxx

Using client_secret = null:

Error: building account: getting authenticated object ID: listing Service Principals: ServicePrincipalsClient.BaseClient.Get(): clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'abf1166e-xxxx’

Note: simply use the environment variables and supply a provider block that only mentions the version:

export ARM_USE_MSI=true
export ARM_SUBSCRIPTION_ID=1x5-xxxxx-xxxx-xxxx-xxxxxxxxxxxx
export ARM_TENANT_ID=72xxf-xxxx-xxxx-xxxx-xxxxxxxxxxxx
export ARM_CLIENT_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx # only necessary for user assigned identity

...

The provider block contains only the version:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.0.0"
    }
  }
}

Configure the Microsoft Azure provider:

provider "azurerm" {
  features {}
}

Or

use only the provider block together with the subscription parameters.

Take the client secret value from App registrations > Certificates & secrets (if needed); otherwise there is no need to mention the client ID and secret at all, just use_msi = true.
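The question's suspicion (service-principal credentials injected through the environment interfering with MSI auth) and the answer's note (drive MSI auth through the ARM_* variables alone) both come down to the state of the ARM_* environment at the moment terraform runs. The POSIX shell helper below is added here as an example; it is not part of the original post or of the azurerm provider. It checks that environment before a run and launches the given command with every service-principal secret removed. ARM_USE_MSI, ARM_SUBSCRIPTION_ID, ARM_CLIENT_ID and ARM_CLIENT_SECRET are the provider's real variable names and appear on the page; ARM_CLIENT_CERTIFICATE_PATH and ARM_CLIENT_CERTIFICATE_PASSWORD are the provider's certificate-auth equivalents and are not on the page; the function names and the sample values are assumptions.

```shell
#!/bin/sh
# Added pre-flight check for running Terraform with a managed identity.
# Not from the original post or the azurerm provider; the ARM_* names are the
# provider's real variables, the function names are our own.

# Variables that select service-principal (client credentials) authentication.
# ARM_CLIENT_SECRET is the one discussed on the page; the certificate variables
# are the provider's equivalents for certificate-based auth (assumed, not on the page).
SP_SECRET_VARS="ARM_CLIENT_SECRET ARM_CLIENT_CERTIFICATE_PATH ARM_CLIENT_CERTIFICATE_PASSWORD"

check_msi_env() {
  # Returns 0 when the environment is suitable for managed identity auth,
  # 1 otherwise. Problems are reported on stderr.
  status=0

  if [ "${ARM_USE_MSI:-}" != "true" ]; then
    echo "check_msi_env: ARM_USE_MSI is not 'true'; the provider will not use the managed identity" >&2
    status=1
  fi

  if [ -z "${ARM_SUBSCRIPTION_ID:-}" ]; then
    echo "check_msi_env: ARM_SUBSCRIPTION_ID is not set" >&2
    status=1
  fi

  # A leftover client secret or certificate is the most likely reason the
  # question's run still goes through clientCredentialsToken and receives the
  # AADSTS7000215 401 even though use_msi = true is set in HCL.
  for name in $SP_SECRET_VARS; do
    eval "value=\${$name:-}"
    if [ -n "$value" ]; then
      echo "check_msi_env: $name is set; unset it before using the managed identity" >&2
      status=1
    fi
  done

  if [ -n "${ARM_CLIENT_ID:-}" ]; then
    echo "check_msi_env: using user-assigned identity with client_id $ARM_CLIENT_ID"
  else
    echo "check_msi_env: ARM_CLIENT_ID not set; the VM's system-assigned identity will be used"
  fi

  return "$status"
}

run_with_msi() {
  # Run the given command (normally: terraform plan/apply) in a subshell from
  # which every service-principal secret has been removed, so the only
  # credential the provider can pick up is the VM's managed identity.
  (
    for name in $SP_SECRET_VARS; do
      unset "$name"
    done
    export ARM_USE_MSI=true
    check_msi_env || exit 1
    exec "$@"
  )
}

# Usage on the build agent (placeholder values):
#   export ARM_SUBSCRIPTION_ID=<subscription id>
#   export ARM_CLIENT_ID=<client id of the user-assigned identity>   # omit for system-assigned
#   run_with_msi terraform plan
```

Running the check before terraform makes the failure mode visible up front: instead of a 401 from login.microsoftonline.com about an "invalid client secret", the run stops with a message naming the leftover variable, and run_with_msi guarantees the child process never sees it.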

It works for me when I use the code below:

provider "azurerm" {
  //subscription_id = "b83xxx23f"
  //tenant_id       = "72fxxx"
  features {
    resource_group {
      prevent_deletion_if_contains_resources = false
    }
  }
  use_msi                    = true
  client_id                  = "abfxcd9xxx"
  client_secret              = "pym8Q~xxxx"
  //client_secret            = "null"
  tenant_id                  = "xxx"
  subscription_id            = "xxxx"
  skip_provider_registration = true
}

resource "azurerm_user_assigned_identity" "example" {
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location
  name                = "example"
}

resource "azurerm_storage_account" "example" {
  name                     = "exkavyastacc"
  resource_group_name      = data.azurerm_resource_group.example.name
  location                 = "eastus"
  account_tier             = "Standard"
  account_replication_type = "LRS"

  identity {
    type = "UserAssigned"
    identity_ids = [
      azurerm_user_assigned_identity.example.id
    ]
  }
}

You can enable a managed identity on the Azure VM using the identity block.

Note: make sure the managed identity has a role that grants access to the resources, e.g. the Owner role or Storage Blob Data Contributor.


Reference: Azure Provider: Authenticating via Managed Identity | Guides | hashicorp/azurerm | Terraform Registry

Regarding "azure - Trying to authenticate to Azure with a user-assigned managed identity fails with 401", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/75771529/
