使用 Azure 向存储帐户授予对用户分配标识的读取访问权限
Grant read access to a user assigned identity to a storage account with Azure
我想使用 Terraform 创建一个用户分配的标识,它对现有的 Azure 存储帐户具有读取权限。我如何使用 Terraform 授予它?我正在使用我现在使用的服务主体创建整个基础架构。所以,不太可能是权限问题。
# My user assigned identity:
resource "azurerm_user_assigned_identity" "user_assigned_identity" {
name = "${var.resource_prefix}useridentity"
location = var.location
resource_group_name = var.resource_group_name
}
# and the role assignment to this identity
resource "azurerm_role_assignment" "example" {
scope = "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/resource-group-name"
role_definition_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
principal_id = azurerm_user_assigned_identity.user_assigned_identity.principal_id
}
但是我遇到了这个错误:
Error: authorization.RoleAssignmentsClient#Create: Failure responding
to request: StatusCode=403 -- Original Error: autorest/azure: Service
returned an error. Status=403 Code="AuthorizationFailed" Message="The
client 'xxxxxxxxxxxxxxxxxxx' with object id 'xxxxxxxxxxxxxxxxxxx' does
not have authorization to perform action
'Microsoft.Authorization/roleAssignments/write' over scope
'/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/resource-group-name/providers/Microsoft.Authorization/roleAssignments/"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"'
or the scope is invalid. If access was recently granted, please
refresh your credentials."
知道我做错了什么吗?
要使用来自 terraform 的服务主体将角色分配给某些用户分配的身份,您需要授予服务主体“所有者”订阅权限。不可能从“贡献者”许可中进行。使用贡献者访问权限,您可以创建或管理订阅资源,但不能分配角色。
测试中:
我将用于从 terraform 进行身份验证的服务主体。
为所有者提供对订阅中上述服务主体的访问权限。
我的 Terraform 脚本:
provider "azurerm"{
client_id = "f6a2f33d-xxxx-xxxxx-xxxxx-xxxx"
subscription_id = "948d4068--xxxx-xxxx-xxxxx-xxxx"
client_secret = "KEa7Q~2673QY.uN.xxxxxxxxxxxx"
tenant_id = "72f988bf-xxxxx-xxxxx-xxxxx-xxxxx"
features{}
}
resource "azurerm_user_assigned_identity" "user_assigned_identity" {
name = "myuseridentity"
location = "East US"
resource_group_name = "ansumantest"
}
# and the role assignment to this identity
resource "azurerm_role_assignment" "example" {
scope = "/subscriptions/948d4068--xxxx-xxxx-xxxxx-xxxxx/resourceGroups/ansumantest"
role_definition_name = "Storage Blob Data Reader"
principal_id = azurerm_user_assigned_identity.user_assigned_identity.principal_id
}
输出:
从 Azure 门户验证:
注:
您的服务主体必须具有贡献者访问权限,为其授予所有者访问权限应该可以解决问题。
要分配角色,您需要 Microsoft.Authorization/roleAssignments/write 权限,该权限包含在 Owner 或 User Administrator 角色
中
给你的服务主体Owner违反了最小权限原则,如果不需要其他权限,我建议使用User Administrator。
我想使用 Terraform 创建一个用户分配的标识,它对现有的 Azure 存储帐户具有读取权限。我如何使用 Terraform 授予它?我正在使用我现在使用的服务主体创建整个基础架构。所以,不太可能是权限问题。
# My user assigned identity:
resource "azurerm_user_assigned_identity" "user_assigned_identity" {
name = "${var.resource_prefix}useridentity"
location = var.location
resource_group_name = var.resource_group_name
}
# and the role assignment to this identity
resource "azurerm_role_assignment" "example" {
scope = "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/resource-group-name"
role_definition_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
principal_id = azurerm_user_assigned_identity.user_assigned_identity.principal_id
}
但是我遇到了这个错误:
Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'xxxxxxxxxxxxxxxxxxx' with object id 'xxxxxxxxxxxxxxxxxxx' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/resource-group-name/providers/Microsoft.Authorization/roleAssignments/"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"' or the scope is invalid. If access was recently granted, please refresh your credentials."
知道我做错了什么吗?
要使用来自 terraform 的服务主体将角色分配给某些用户分配的身份,您需要授予服务主体“所有者”订阅权限。不可能从“贡献者”许可中进行。使用贡献者访问权限,您可以创建或管理订阅资源,但不能分配角色。
测试中:
我将用于从 terraform 进行身份验证的服务主体。
为所有者提供对订阅中上述服务主体的访问权限。
我的 Terraform 脚本:
provider "azurerm"{
client_id = "f6a2f33d-xxxx-xxxxx-xxxxx-xxxx"
subscription_id = "948d4068--xxxx-xxxx-xxxxx-xxxx"
client_secret = "KEa7Q~2673QY.uN.xxxxxxxxxxxx"
tenant_id = "72f988bf-xxxxx-xxxxx-xxxxx-xxxxx"
features{}
}
resource "azurerm_user_assigned_identity" "user_assigned_identity" {
name = "myuseridentity"
location = "East US"
resource_group_name = "ansumantest"
}
# and the role assignment to this identity
resource "azurerm_role_assignment" "example" {
scope = "/subscriptions/948d4068--xxxx-xxxx-xxxxx-xxxxx/resourceGroups/ansumantest"
role_definition_name = "Storage Blob Data Reader"
principal_id = azurerm_user_assigned_identity.user_assigned_identity.principal_id
}
输出:
从 Azure 门户验证:
注: 您的服务主体必须具有贡献者访问权限,为其授予所有者访问权限应该可以解决问题。
要分配角色,您需要 Microsoft.Authorization/roleAssignments/write 权限,该权限包含在 Owner 或 User Administrator 角色
给你的服务主体Owner违反了最小权限原则,如果不需要其他权限,我建议使用User Administrator。