I am trying to create a service principal using the Azure SDK. However, I get an error:
{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}
What am I doing wrong? I am doing the following:
Create a service principal with the Owner role
az ad sp create-for-rbac -n "OrbitTest5" --role Owner --sdk-auth
Pass the credentials of the created service principal to the credential provider via environment variables
import com.google.common.base.Preconditions;
import com.microsoft.azure.AzureEnvironment;
import com.microsoft.azure.credentials.ApplicationTokenCredentials;
import com.microsoft.azure.credentials.AzureTokenCredentials;

// AzureCredentialProvider is my own interface (getCredentials / getSubscriptionId).
public class AzureAppEnvCredentialProvider implements AzureCredentialProvider {
    public static final String ENV_CLIENT_ID = "CLIENT_ID";
    public static final String ENV_TENANT_ID = "TENANT_ID";
    public static final String ENV_SUBSCRIPTION_ID = "SUBSCRIPTION_ID";
    public static final String ENV_CLIENT_SECRET = "CLIENT_SECRET";

    private final String subscriptionId;

    public AzureAppEnvCredentialProvider() {
        this.subscriptionId = Preconditions.checkNotNull(System.getenv(ENV_SUBSCRIPTION_ID));
    }

    @Override
    public AzureTokenCredentials getCredentials() {
        // All values come from the service principal created with `az ad sp create-for-rbac`.
        final String clientId = Preconditions.checkNotNull(System.getenv(ENV_CLIENT_ID));
        final String tenantId = Preconditions.checkNotNull(System.getenv(ENV_TENANT_ID));
        final String clientSecret = Preconditions.checkNotNull(System.getenv(ENV_CLIENT_SECRET));
        return new ApplicationTokenCredentials(clientId, tenantId, clientSecret, AzureEnvironment.AZURE);
    }

    @Override
    public String getSubscriptionId() {
        return this.subscriptionId;
    }
}
Create a service principal through the Java SDK using those credentials
import com.microsoft.azure.management.Azure;
import com.microsoft.azure.management.graphrbac.ServicePrincipal;

// azureAuthClient is an Azure.Authenticated; clusterId is the name of the cluster being created.
azureAuthClient = Azure.configure().authenticate(credentialProvider.getCredentials());
final ServicePrincipal servicePrincipal = azureAuthClient.servicePrincipals()
        .define(clusterId)
        .withNewApplication("http://easycreate.azure.com/" + clusterId)
        .definePasswordCredential("sppass")
        .withPasswordValue("StrongPass!12")
        .attach()
        .create();
Then I get an exception. I know my credentials are valid, because I am able to create a resource group using the SDK and see it in the Azure web console.
com.microsoft.azure.management.graphrbac.GraphErrorException: Status code 403, {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at com.microsoft.rest.ServiceResponseBuilder.build(ServiceResponseBuilder.java:122)
    at com.microsoft.azure.AzureResponseBuilder.build(AzureResponseBuilder.java:56)
    at com.microsoft.azure.management.graphrbac.implementation.ApplicationsInner.createDelegate(ApplicationsInner.java:194)
    at com.microsoft.azure.management.graphrbac.implementation.ApplicationsInner.access$000(ApplicationsInner.java:45)
    at com.microsoft.azure.management.graphrbac.implementation.ApplicationsInner$2.call(ApplicationsInner.java:181)
    at com.microsoft.azure.management.graphrbac.implementation.ApplicationsInner$2.call(ApplicationsInner.java:177)
    at rx.internal.operators.OnSubscribeMap$MapSubscriber.onNext(OnSubscribeMap.java:69)
    at retrofit2.adapter.rxjava.CallArbiter.deliverResponse(CallArbiter.java:120)
    at retrofit2.adapter.rxjava.CallArbiter.emitResponse(CallArbiter.java:102)
    at retrofit2.adapter.rxjava.CallExecuteOnSubscribe.call(CallExecuteOnSubscribe.java:46)
    at retrofit2.adapter.rxjava.CallExecuteOnSubscribe.call(CallExecuteOnSubscribe.java:24)
    at rx.Observable.unsafeSubscribe(Observable.java:10327)
    at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:48)
    at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:33)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
    at rx.Observable.unsafeSubscribe(Observable.java:10327)
    at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:48)
    at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:33)
    at rx.Observable.unsafeSubscribe(Observable.java:10327)
    at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:48)
    at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:33)
    at rx.Observable.unsafeSubscribe(Observable.java:10327)
    at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:48)
    at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:33)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
    at rx.Observable.unsafeSubscribe(Observable.java:10327)
    at rx.internal.operators.OperatorSubscribeOn$SubscribeOnSubscriber.call(OperatorSubscribeOn.java:100)
    at rx.internal.schedulers.CachedThreadScheduler$EventLoopWorker$1.call(CachedThreadScheduler.java:230)
    at rx.internal.schedulers.ScheduledAction.run(ScheduledAction.java:55)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
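The check I would run on the setup described in this question, added here as an example and not part of the question or of the Azure SDK: the same `ApplicationTokenCredentials` obtains one token for the ARM audience (where the Owner assignment is evaluated and resource groups succeed) and another for the Graph audience (where only the application's directory permissions, carried in the token's `roles` claim, count). Decoding both tokens, without verifying them, shows which directory roles the service principal actually holds. The audience URLs, the role names in `DIRECTORY_WRITE_ROLES` and the fixture tokens are assumptions or constructed for the demo.

```python
import base64
import json

# Audiences the SDK's ApplicationTokenCredentials fetches tokens for: ARM for
# resource groups, classic AAD Graph for servicePrincipals()/applications.
ARM_AUDIENCE = "https://management.azure.com/"
GRAPH_AUDIENCE = "https://graph.windows.net/"
# Assumption: app roles that permit creating directory objects (adjust to your tenant).
DIRECTORY_WRITE_ROLES = frozenset({"Application.ReadWrite.All", "Directory.ReadWrite.All"})


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWT, for inspection only.

    The signature is deliberately NOT verified: this looks at a token the client
    itself just obtained and must never serve as an authorization check.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def granted_directory_roles(token: str, acceptable=DIRECTORY_WRITE_ROLES) -> frozenset:
    """Roles from `acceptable` that a Graph-audience token actually carries.

    Empty means the 403 is expected: the token was issued (authentication works,
    as the resource-group calls show) but the directory granted the app no write
    permission. Azure RBAC roles such as Owner never appear in this claim.
    """
    claims = jwt_claims(token)
    if claims.get("aud") != GRAPH_AUDIENCE:
        raise ValueError(f"not a Graph token, aud={claims.get('aud')!r}")
    return frozenset(claims.get("roles", ())) & frozenset(acceptable)


def make_fixture_token(claims: dict) -> str:
    """Unsigned compact JWT built as a constructed test fixture (not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed fixtures mirroring what the SDK receives for each audience.
ARM_TOKEN = make_fixture_token({"aud": ARM_AUDIENCE, "appid": "<client-id>"})
GRAPH_TOKEN_NO_ROLES = make_fixture_token({"aud": GRAPH_AUDIENCE, "appid": "<client-id>"})
GRAPH_TOKEN_WITH_ROLE = make_fixture_token(
    {"aud": GRAPH_AUDIENCE, "appid": "<client-id>", "roles": ["Application.ReadWrite.All"]})
```

On a real setup, pass the token string returned by `credentials.getToken("https://graph.windows.net/")` to `granted_directory_roles`; an empty result with a working ARM token is exactly the situation in the stack trace above.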