在我从 UI 中删除应用注册/服务主体并使用以下命令创建新的之前,我的发布管道运行良好。
az ad sp create-for-rbac --name <Name of Service Principal> --password <Password>
我在下面的“变量组”中更新了从上面获得的值,该值与发布管道相关联
但是,当我得到定义如下的 terrafor 计划任务时:
Terraform plan -out main.plan -var "ARM_SUBSCRIPTION_ID=$(TF_VAR_ARM_SUBSCRIPTION_ID)" -var "ARM_CLIENT_ID=$(TF_VAR_ARM_CLIENT_ID)" -var "ARM_CLIENT_SECRET=$(TF_VAR_ARM_CLIENT_SECRET)" -var "ARM_TENANT_ID=$(TF_VAR_ARM_TENANT_ID)"
我收到以下错误消息:
* provider.azurerm: Unable to list provider registration status, it is possible that this is due to invalid credentials or the service principal does not have permission to use the Resource Manager API, Azure error: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/***/providers?api-version=2016-02-01: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier '***()' was not found in the directory '***'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: 7a1e3f3a-5171-4044-b59a-49a78d3df300\r\nCorrelation ID: f61d0e14-ecf7-45b9-bbc7-e357ddb7b1dd\r\nTimestamp: 2019-03-12 10:22:16Z","error_codes":[700016],"timestamp":"2019-03-12 10:22:16Z","trace_id":"7a1e3f3a-5171-4044-b59a-49a78d3df300","correlation_id":"f61d0e14-ecf7-45b9-bbc7-e357ddb7b1dd","error_uri":"https://login.microsoftonline.com/error?code=700016"}
2019-03-12T10:22:16.4925828Z
就在此任务之前,即使用服务主体执行 az account login 的 cmd 任务。在日志输出中,我可以清楚地看到 az account show 的输出,为什么这个任务不起作用?
CMD任务的输出,
2019-03-12T11:58:05.4615044Z Environment variable -x not defined
2019-03-12T11:58:05.4615608Z ***
2019-03-12T11:58:05.4667686Z ***
2019-03-12T11:58:05.4668423Z ***
2019-03-12T11:58:05.4669112Z ***
2019-03-12T11:58:05.4669557Z "Subscription ID=> ***"
2019-03-12T11:58:48.5462240Z [
2019-03-12T11:58:48.5463710Z {
2019-03-12T11:58:48.5464432Z "cloudName": "AzureCloud",
2019-03-12T11:58:48.5464946Z "id": "***",
2019-03-12T11:58:48.5465917Z "isDefault": true,
2019-03-12T11:58:48.5469154Z "name": "Visual Studio Enterprise",
2019-03-12T11:58:48.5469568Z "state": "Enabled",
2019-03-12T11:58:48.5469843Z "tenantId": "***",
2019-03-12T11:58:48.5470058Z "user": {
2019-03-12T11:58:48.5470290Z "name": "***",
2019-03-12T11:58:48.5470496Z "type": "servicePrincipal"
2019-03-12T11:58:48.5471388Z }
2019-03-12T11:58:48.5471648Z }
2019-03-12T11:58:48.5471999Z ]
它的定义如下:
echo $(TF_VAR_ARM_SUBSCRIPTION_ID)
echo $(TF_VAR_ARM_TENANT_ID)
echo $(TF_VAR_ARM_CLIENT_SECRET)
echo $(TF_VAR_ARM_CLIENT_ID)
echo "Subscription ID=> $(TF_VAR_ARM_SUBSCRIPTION_ID)"
az login --service-principal -u $(TF_VAR_ARM_CLIENT_ID) -p $(TF_VAR_ARM_CLIENT_SECRET) --tenant $(TF_VAR_ARM_TENANT_ID)
az account show
在我能够毫无问题地提供资源之前。