创建 Azure 事件网格主题错误 - "does not have authorization to perform action"
Creating an Azure Event Grid Topic Error - "does not have authorization to perform action"
我正在编写一个 python 脚本,用于创建事件网格主题。
我正在学习一些 Microsoft 教程和 Github 存储库,并编写了一些 python 代码来创建主题。
Github 回购:https://github.com/Azure-Samples/event-grid-python-public-consume-events
Azure 服务主体:https://azure.microsoft.com/documentation/articles/resource-group-create-service-principal-portal
我想出了这个 python 代码:
def CreateOrUpdateTopics(subscriptionId, clientId, clientSecret,tenantId,resourceGroup,location, topics):
credentials = ServicePrincipalCredentials(
client_id=clientId,
secret=clientSecret,
tenant=tenantId
)
print("\nCreate event grid management client")
event_grid_client = EventGridManagementClient(credentials, subscriptionId)
for topic in topics:
print(f'\nCreating EventGrid topic {topic}')
topic_result_poller = event_grid_client.topics.create_or_update(resourceGroup,
topic,
Topic(
location=location,
tags={'createdBy': 'MCCC'}
))
# Blocking call
topic_result = topic_result_poller.result()
## ERROR SHOWS UP HERE
print(topic_result)
当我执行代码时,我收到一条消息
The client 'zzzz' with object id 'zzzz' does not have authorization to
perform action 'Microsoft.EventGrid/topics/write' over scope
'/subscriptions/zzz/resourceGroups/MCCC-RG/providers/Microsoft.EventGrid/topics/Temperature'
or the scope is invalid. If access was recently granted, please
refresh your credentials.
我在 Azure Active Directory 中注册了一个新应用程序:
我还为 SP 的资源组分配了一个角色。
似乎我在我的服务原则上遗漏了一些角色访问权限,尽管我似乎找不到它应该是什么的参考。
你能给我指明正确的方向吗?
查看 EventGrid EventSubscription Contributor 的角色定义,它没有执行 Microsoft.EventGrid/topics/write 操作的权限。只允许执行以下操作:
"Microsoft.Authorization/*/read",
"Microsoft.EventGrid/eventSubscriptions/*",
"Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
"Microsoft.EventGrid/locations/eventSubscriptions/read",
"Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
您需要做的是创建一个 Custom Role,其中 Microsoft.EventGrid/topics/write 作为允许的操作之一。
来自同一个 link,这是您可以创建和使用的自定义角色的一种定义:
{
"Name": "Event grid contributor role",
"Id": "4BA6FB33-2955-491B-A74F-53C9126C9514",
"IsCustom": true,
"Description": "Event grid contributor role",
"Actions": [
"Microsoft.EventGrid/*/write",
"Microsoft.EventGrid/*/delete",
"Microsoft.EventGrid/topics/listkeys/action",
"Microsoft.EventGrid/topics/regenerateKey/action",
"Microsoft.EventGrid/eventSubscriptions/getFullUrl/action"
],
"NotActions": [],
"AssignableScopes": [
"/subscriptions/<Subscription id>"
]
}
对于任何回到这里的人,我建议 leveraging the built-in "EventGrid Contributor" role 而不是创建你自己的,除非有非常具体的原因需要这样做:如果你同时需要 Microsoft.EventGrid/*/write 和 Microsoft.EventGrid/*/delete 那么你可以安全地简单地使用 Microsoft.EventGrid/*.
编辑:
附注以防其他人陷入我所做的同一件事:事实证明,EventGrid 贡献者角色实际上不允许任何数据操作。只有“EventGrid 数据发送者”可以发送,这是一个非常奇怪的差距,因为“EventGrid 贡献者”对所有非数据 EventGrid 操作具有通配符访问权限。
"dataActions": [
"Microsoft.EventGrid/events/send/action"
],
TL;DR:如果您有一个既管理主题又发布事件的身份,则该身份将需要为“数据发送者”角色以及“贡献者”角色之一分配角色...或者你为单一作业推出你自己的定制。
我正在编写一个 python 脚本,用于创建事件网格主题。
我正在学习一些 Microsoft 教程和 Github 存储库,并编写了一些 python 代码来创建主题。
Github 回购:https://github.com/Azure-Samples/event-grid-python-public-consume-events
Azure 服务主体:https://azure.microsoft.com/documentation/articles/resource-group-create-service-principal-portal
我想出了这个 python 代码:
def CreateOrUpdateTopics(subscriptionId, clientId, clientSecret,tenantId,resourceGroup,location, topics):
credentials = ServicePrincipalCredentials(
client_id=clientId,
secret=clientSecret,
tenant=tenantId
)
print("\nCreate event grid management client")
event_grid_client = EventGridManagementClient(credentials, subscriptionId)
for topic in topics:
print(f'\nCreating EventGrid topic {topic}')
topic_result_poller = event_grid_client.topics.create_or_update(resourceGroup,
topic,
Topic(
location=location,
tags={'createdBy': 'MCCC'}
))
# Blocking call
topic_result = topic_result_poller.result()
## ERROR SHOWS UP HERE
print(topic_result)
当我执行代码时,我收到一条消息
The client 'zzzz' with object id 'zzzz' does not have authorization to perform action 'Microsoft.EventGrid/topics/write' over scope '/subscriptions/zzz/resourceGroups/MCCC-RG/providers/Microsoft.EventGrid/topics/Temperature' or the scope is invalid. If access was recently granted, please refresh your credentials.
我在 Azure Active Directory 中注册了一个新应用程序:
我还为 SP 的资源组分配了一个角色。
似乎我在我的服务原则上遗漏了一些角色访问权限,尽管我似乎找不到它应该是什么的参考。
你能给我指明正确的方向吗?
查看 EventGrid EventSubscription Contributor 的角色定义,它没有执行 Microsoft.EventGrid/topics/write 操作的权限。只允许执行以下操作:
"Microsoft.Authorization/*/read",
"Microsoft.EventGrid/eventSubscriptions/*",
"Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
"Microsoft.EventGrid/locations/eventSubscriptions/read",
"Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
您需要做的是创建一个 Custom Role,其中 Microsoft.EventGrid/topics/write 作为允许的操作之一。
来自同一个 link,这是您可以创建和使用的自定义角色的一种定义:
{
"Name": "Event grid contributor role",
"Id": "4BA6FB33-2955-491B-A74F-53C9126C9514",
"IsCustom": true,
"Description": "Event grid contributor role",
"Actions": [
"Microsoft.EventGrid/*/write",
"Microsoft.EventGrid/*/delete",
"Microsoft.EventGrid/topics/listkeys/action",
"Microsoft.EventGrid/topics/regenerateKey/action",
"Microsoft.EventGrid/eventSubscriptions/getFullUrl/action"
],
"NotActions": [],
"AssignableScopes": [
"/subscriptions/<Subscription id>"
]
}
对于任何回到这里的人,我建议 leveraging the built-in "EventGrid Contributor" role 而不是创建你自己的,除非有非常具体的原因需要这样做:如果你同时需要 Microsoft.EventGrid/*/write 和 Microsoft.EventGrid/*/delete 那么你可以安全地简单地使用 Microsoft.EventGrid/*.
编辑:
附注以防其他人陷入我所做的同一件事:事实证明,EventGrid 贡献者角色实际上不允许任何数据操作。只有“EventGrid 数据发送者”可以发送,这是一个非常奇怪的差距,因为“EventGrid 贡献者”对所有非数据 EventGrid 操作具有通配符访问权限。
"dataActions": [
"Microsoft.EventGrid/events/send/action"
],
TL;DR:如果您有一个既管理主题又发布事件的身份,则该身份将需要为“数据发送者”角色以及“贡献者”角色之一分配角色...或者你为单一作业推出你自己的定制。