I have Terraform code that authenticates as a service principal using the ARM_... environment variables.
Now I need to run one configuration using the managed identity assigned to the build agent VM.
My TF code is:
provider "azurerm" {
  features {}
  alias                      = "ss101"
  use_msi                    = true
  client_id                  = "3...5"
  subscription_id            = "6...2"
  skip_provider_registration = true
}

module "vnet-peering" {
  for_each = local.app_vnets
  source   = "./vnet-peering"
  app_vnet = module.vnets[each.value.location].vnets[each.value.key]
  providers = {
    azurerm.ss101 = azurerm.ss101
  }
}
I added client_secret = null to work around the error I was getting, but without success:
│ Error: building account: could not acquire access token to parse claims: clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '3...5'.\r\nTrace ID: b55484dd-8dec-4b6f-89e4-6b22e24a2000\r\nCorrelation ID: 67880b22-e6e8-4382-8378-7b9ea8702cdd\r\nTimestamp: 2023-03-17 19:21:20Z","error_codes":[7000215],"timestamp":"2023-03-17 19:21:20Z","trace_id":"b55484dd-8dec-4b6f-89e4-6b22e24a2000","correlation_id":"67880b22-e6e8-4382-8378-7b9ea8702cdd","error_uri":"https://login.microsoftonline.com/error?code=7000215"}
│
│ with module.bootstrap.provider["registry.terraform.io/hashicorp/azurerm"].ss101,
│ on .terraform/modules/bootstrap/main.tf line 185, in provider "azurerm":
│ 185: provider "azurerm" {
I suspect that the credentials I inject via the environment may be interfering with MSI authentication. I tried passing client_secret = null, but it had no effect.
How do I troubleshoot this?

Accepted answer
I tried the following code:
provider "azurerm" {
  features {
    resource_group {
      prevent_deletion_if_contains_resources = false
    }
  }
  use_msi   = true
  client_id = "abf1166e-xxx"
  //client_secret = "pym8Q~xxx"
  client_secret              = "null"
  tenant_id                  = "3f5xxxxxx"
  subscription_id            = "xxxx"
  skip_provider_registration = true
}
When I did not supply the correct client secret value, I got the error.
With some random client_secret value:
Error: building account: getting authenticated object ID: listing Service Principals: ServicePrincipalsClient.BaseClient.Get(): clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'abf1166xxxx
Note: just use the environment variables and supply a provider block that only mentions the version:
export ARM_USE_MSI=true
export ARM_SUBSCRIPTION_ID=1x5-xxxxx-xxxx-xxxx-xxxxxxxxxxxx
export ARM_TENANT_ID=72xxf-xxxx-xxxx-xxxx-xxxxxxxxxxxx
export ARM_CLIENT_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx # only necessary for user assigned identity
...
Provider block containing only the version:
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.0.0"
    }
  }
}

# Configure the Microsoft Azure Provider
provider "azurerm" {
  features {}
}
Or
use only the provider block with the subscription parameters.
The client secret value is taken from the app registration under Certificates & secrets (if needed); otherwise there is no need to mention client_id and client_secret at all, just use_msi = true.
When I used the code below, it worked for me:
provider "azurerm" {
  //subscription_id = "b83xxx23f"
  //tenant_id = "72fxxx"
  features {
    resource_group {
      prevent_deletion_if_contains_resources = false
    }
  }
  use_msi       = true
  client_id     = "abfxcd9xxx"
  client_secret = "pym8Q~xxxx"
  //client_secret = "null"
  tenant_id                  = "xxx"
  subscription_id            = "xxxx"
  skip_provider_registration = true
}

resource "azurerm_user_assigned_identity" "example" {
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location
  name                = "example"
}

resource "azurerm_storage_account" "example" {
  name                     = "exkavyastacc"
  resource_group_name      = data.azurerm_resource_group.example.name
  location                 = "eastus"
  account_tier             = "Standard"
  account_replication_type = "LRS"
  identity {
    type = "UserAssigned"
    identity_ids = [
      azurerm_user_assigned_identity.example.id
    ]
  }
}
You can enable a managed identity on an Azure VM using the identity block.
Note: make sure the managed identity has a role that grants access to the resources, for example the Owner role or Storage Blob Data Contributor.
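The question's own diagnosis is that service-principal credentials left in the pipeline environment (ARM_CLIENT_SECRET from an earlier step) push the provider into the client-credentials flow, which is exactly what the AADSTS7000215 / clientCredentialsToken error shows; setting client_secret = null in HCL does not remove the environment variable. The preflight below is an added example, not code from the question, the answer or HashiCorp: it checks the ARM_ environment for that conflict before terraform runs, strips the leftover credential variables, and (on the agent itself, where the link-local IMDS endpoint is reachable) lets you fetch a token for the identity directly to confirm the VM really has it. The variable names are the azurerm provider's documented ones; the function names are this example's own.

```shell
#!/bin/sh
# Preflight for running Terraform with a managed identity on a build agent.
# Added example (not from the question or answer). Assumption: stale
# service-principal variables in the environment are what make the azurerm
# provider attempt the client-credentials flow instead of MSI.

# Returns 0 when the environment is consistent with MSI auth, 1 otherwise,
# printing one line per problem found so the pipeline log shows the cause.
arm_msi_preflight() {
    rc=0
    if [ "${ARM_USE_MSI:-}" != "true" ]; then
        echo "ARM_USE_MSI is not 'true' (value: '${ARM_USE_MSI:-<unset>}')"
        rc=1
    fi
    # Any of these makes the provider send a client secret/certificate to
    # login.microsoftonline.com (the AADSTS7000215 error above) instead of
    # asking the VM's instance metadata service for a token.
    for v in ARM_CLIENT_SECRET ARM_CLIENT_CERTIFICATE_PATH ARM_CLIENT_CERTIFICATE; do
        eval "val=\${$v:-}"
        if [ -n "$val" ]; then
            echo "$v is set; unset it, client_secret = null in HCL does not clear it"
            rc=1
        fi
    done
    if [ -z "${ARM_SUBSCRIPTION_ID:-}" ]; then
        echo "ARM_SUBSCRIPTION_ID is unset"
        rc=1
    fi
    return $rc
}

# Drop the service-principal credential variables so that only MSI remains.
# ARM_CLIENT_ID is kept: for a user-assigned identity it selects which one.
arm_msi_clean_env() {
    unset ARM_CLIENT_SECRET ARM_CLIENT_CERTIFICATE_PATH \
          ARM_CLIENT_CERTIFICATE ARM_CLIENT_CERTIFICATE_PASSWORD
}

# Ask the VM's instance metadata service for a management token directly.
# Only works on the agent VM itself (169.254.169.254 is link-local), so it
# is a manual check and not exercised by the preflight. A JSON body with an
# access_token field means the identity is attached and usable; an error
# here means the problem is the VM/identity, not Terraform.
arm_msi_probe() {
    curl -s -H "Metadata: true" \
      "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F${ARM_CLIENT_ID:+&client_id=$ARM_CLIENT_ID}"
}

# Typical use in a pipeline step:
#   arm_msi_clean_env && arm_msi_preflight && terraform plan
```

Run arm_msi_clean_env in the same shell that launches terraform; a credential unset in one pipeline step does not affect the next if each step starts a fresh process from the job's variables, which is the case on Azure DevOps and GitHub-hosted agents.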
Regarding "azure - Attempting to authenticate to Azure using a user managed identity fails with 401", a similar question was found on Stack Overflow: https://stackoverflow.com/questions/75771529/