I'm trying to deploy an AKS cluster and a role assignment for the system-assigned managed identity created through Terraform, but I'm getting a 403 response:
```text
azurerm_role_assignment.acrpull_role: Creating...
╷
│ Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '626eac40-c9dd-44cc-a528-3c3d3e069e85' with object id '626eac40-c9dd-44cc-a528-3c3d3e069e85' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/7b73e02c-dbff-4eb7-9d73-e73a2a17e818/resourceGroups/myaks-rg/providers/Microsoft.ContainerRegistry/registries/aksmattcloudgurutest/providers/Microsoft.Authorization/roleAssignments/c144ad6d-946f-1898-635e-0d0d27ca2f1c' or the scope is invalid. If access was recently granted, please refresh your credentials."
│
│   with azurerm_role_assignment.acrpull_role,
│   on main.tf line 53, in resource "azurerm_role_assignment" "acrpull_role":
│   53: resource "azurerm_role_assignment" "acrpull_role" {
│
╵
```
This only happens in the Azure DevOps pipeline. My pipeline looks like this...
```yaml
trigger:
- main

pool:
  vmImage: ubuntu-latest

steps:
- task: TerraformInstaller@0
  inputs:
    terraformVersion: '1.0.7'
- task: TerraformCLI@0
  inputs:
    command: 'init'
    workingDirectory: '$(System.DefaultWorkingDirectory)/Shared/Pipeline/Cluster'
    backendType: 'azurerm'
    backendServiceArm: 'Matt Local Service Connection'
    ensureBackend: true
    backendAzureRmResourceGroupName: 'tfstate'
    backendAzureRmResourceGroupLocation: 'UK South'
    backendAzureRmStorageAccountName: 'tfstateq7nqv'
    backendAzureRmContainerName: 'tfstate'
    backendAzureRmKey: 'terraform.tfstate'
    allowTelemetryCollection: true
- task: TerraformCLI@0
  inputs:
    command: 'plan'
    workingDirectory: '$(System.DefaultWorkingDirectory)/Shared/Pipeline/Cluster'
    environmentServiceName: 'Matt Local Service Connection'
    allowTelemetryCollection: true
- task: TerraformCLI@0
  inputs:
    command: 'validate'
    workingDirectory: '$(System.DefaultWorkingDirectory)/Shared/Pipeline/Cluster'
    allowTelemetryCollection: true
- task: TerraformCLI@0
  inputs:
    command: 'apply'
    workingDirectory: '$(System.DefaultWorkingDirectory)/Shared/Pipeline/Cluster'
    environmentServiceName: 'Matt Local Service Connection'
    allowTelemetryCollection: false
```
I'm using the Terraform tasks from here - https://marketplace.visualstudio.com/items?itemName=charleszipp.azure-pipelines-tasks-terraform

This is my Terraform file:
```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=2.46.0"
    }
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "TerraformCluster" {
  name     = "terraform-cluster"
  location = "UK South"
}

resource "azurerm_kubernetes_cluster" "TerraformClusterAKS" {
  name                = "terraform-cluster-aks1"
  location            = azurerm_resource_group.TerraformCluster.location
  resource_group_name = azurerm_resource_group.TerraformCluster.name
  dns_prefix          = "terraform-cluster-aks1"

  network_profile {
    network_plugin = "azure"
  }

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "SystemAssigned"
  }

  tags = {
    Environment = "Production"
  }
}

data "azurerm_container_registry" "this" {
  depends_on = [
    azurerm_kubernetes_cluster.TerraformClusterAKS
  ]
  provider            = azurerm
  name                = "aksmattcloudgurutest"
  resource_group_name = "myaks-rg"
}

resource "azurerm_role_assignment" "acrpull_role" {
  scope                = data.azurerm_container_registry.this.id
  role_definition_name = "AcrPull"
  principal_id         = azurerm_kubernetes_cluster.TerraformClusterAKS.identity[0].principal_id
}
```
Where am I going wrong?

Reply from a uj5u.com user:
The service principal in AAD that is associated with your ADO service connection ("Matt Local Service Connection") needs to be assigned the Owner role at the resource scope or higher (depending on where else you will be assigning permissions). You can read about the various roles in detail here; the two most commonly used are Owner and Contributor, and the main difference is that Owner allows managing role assignments.

As part of this work you should also familiarise yourself with the principle of least privilege (if you aren't already). How it would apply in this case: if the service principal only needs Owner at the resource level, then don't assign it Owner at the resource group or subscription level just because that's more convenient. You can always update the scope later, but it's much harder to undo any damage done (assuming a malicious or inexperienced actor) after an overly permissive role assignment has been exploited.
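The following is an added example, not code from the question or the answer, and not part of the Terraform provider or the Azure CLI. It shows why the pipeline identity gets a 403 and where the narrowest fix sits: it parses the AuthorizationFailed message from the question, then evaluates it against a constructed list of role assignments in the shape that `az role assignment list` prints (principalId, roleDefinitionName, scope), applying the two rules the answer relies on: assignments inherit down the scope hierarchy, and a role grants an action only if the action matches its Actions and none of its NotActions. The role definitions are simplified excerpts, and the assignment scenarios are constructed for illustration.

```python
"""
Evaluate an Azure 'AuthorizationFailed' 403 against a set of role assignments.
Added example: simplified RBAC evaluation, not the poster's code. Role
definitions are abbreviated excerpts; assignments below are constructed.
"""
import re
from fnmatch import fnmatchcase

# Simplified excerpts of the built-in roles. Contributor has Actions ["*"]
# but its NotActions exclude Microsoft.Authorization/*/Write, which covers
# roleAssignments/write; that is why Contributor cannot assign roles.
ROLE_DEFINITIONS = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
}

ERROR_RE = re.compile(
    r"The client '(?P<client>[^']+)' with object id '(?P<object_id>[^']+)' "
    r"does not have authorization to perform action '(?P<action>[^']+)' "
    r"over scope '(?P<scope>[^']+)'"
)

# The message from the question (ids are the ones printed there).
SP = "626eac40-c9dd-44cc-a528-3c3d3e069e85"
SUB = "/subscriptions/7b73e02c-dbff-4eb7-9d73-e73a2a17e818"
ACR = (SUB + "/resourceGroups/myaks-rg/providers/Microsoft.ContainerRegistry"
       "/registries/aksmattcloudgurutest")
ERROR_MESSAGE = (
    f"The client '{SP}' with object id '{SP}' does not have authorization to "
    f"perform action 'Microsoft.Authorization/roleAssignments/write' over scope "
    f"'{ACR}/providers/Microsoft.Authorization/roleAssignments/"
    f"c144ad6d-946f-1898-635e-0d0d27ca2f1c' or the scope is invalid."
)

# Constructed scenarios (not real assignments from anyone's tenant).
CONTRIBUTOR_AT_SUBSCRIPTION = [
    {"principalId": SP, "roleDefinitionName": "Contributor", "scope": SUB},
]
OWNER_AT_REGISTRY = CONTRIBUTOR_AT_SUBSCRIPTION + [
    {"principalId": SP, "roleDefinitionName": "Owner", "scope": ACR},
]


def parse_authorization_error(message):
    """Extract principal, action and scope from an AuthorizationFailed message."""
    m = ERROR_RE.search(message)
    if m is None:
        raise ValueError("not an AuthorizationFailed message")
    return m.groupdict()


def resource_scope(scope):
    """Strip '/providers/Microsoft.Authorization/roleAssignments/<guid>': the
    narrowest scope at which the caller needs the permission is the resource
    the assignment is being written on (here, the container registry)."""
    marker = "/providers/microsoft.authorization/roleassignments/"
    idx = scope.lower().find(marker)
    return scope if idx < 0 else scope[:idx]


def scope_covers(assignment_scope, target_scope):
    """Assignments inherit downwards: an assignment applies at its own scope
    and at every child scope. Azure compares scopes case-insensitively."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def role_permits(role_name, action):
    """'*' in a role pattern matches any characters, including '/'; matching
    is case-insensitive; a NotActions match overrides an Actions match."""
    role = ROLE_DEFINITIONS[role_name]
    act = action.lower()
    allowed = any(fnmatchcase(act, p.lower()) for p in role["actions"])
    denied = any(fnmatchcase(act, p.lower()) for p in role["not_actions"])
    return allowed and not denied


def authorizing_assignments(assignments, principal_id, action, scope):
    """Assignments that let principal_id perform action at scope.
    An empty list is exactly the situation that yields the 403."""
    return [
        a for a in assignments
        if a["principalId"].lower() == principal_id.lower()
        and scope_covers(a["scope"], scope)
        and role_permits(a["roleDefinitionName"], action)
    ]


def diagnose(message, assignments):
    """Return (narrowest scope to grant at, assignments already granting it)."""
    err = parse_authorization_error(message)
    hits = authorizing_assignments(assignments, err["object_id"],
                                   err["action"], err["scope"])
    return resource_scope(err["scope"]), hits


if __name__ == "__main__":
    for label, assignments in (("Contributor at subscription", CONTRIBUTOR_AT_SUBSCRIPTION),
                               ("plus Owner at the registry", OWNER_AT_REGISTRY)):
        target, hits = diagnose(ERROR_MESSAGE, assignments)
        verdict = "authorized" if hits else "403 expected"
        print(f"{label}: {verdict}; narrowest scope to grant at: {target}")
```

Running it prints "403 expected" for the first scenario even though the principal is Contributor on the whole subscription, and "authorized" once Owner is granted on the registry alone, which is the least-privilege placement the answer recommends: Owner scoped to the one resource whose role assignments the pipeline writes, rather than on the resource group or subscription.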
