
My release pipeline was working fine until I deleted the app registration/service principal from the UI and created a new one with the following command:

az ad sp create-for-rbac --name <Name of Service Principal> --password <Password>

I updated the values obtained from the above in the "Variable group" below, which is linked to the release pipeline.


However, when I get to the terraform plan task, which is defined as follows:

Terraform plan -out main.plan -var "ARM_SUBSCRIPTION_ID=$(TF_VAR_ARM_SUBSCRIPTION_ID)" -var "ARM_CLIENT_ID=$(TF_VAR_ARM_CLIENT_ID)" -var "ARM_CLIENT_SECRET=$(TF_VAR_ARM_CLIENT_SECRET)" -var "ARM_TENANT_ID=$(TF_VAR_ARM_TENANT_ID)"

I receive the following error message:

* provider.azurerm: Unable to list provider registration status, it is possible that this is due to invalid credentials or the service principal does not have permission to use the Resource Manager API, Azure error: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/***/providers?api-version=2016-02-01: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier '***()' was not found in the directory '***'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: 7a1e3f3a-5171-4044-b59a-49a78d3df300\r\nCorrelation ID: f61d0e14-ecf7-45b9-bbc7-e357ddb7b1dd\r\nTimestamp: 2019-03-12 10:22:16Z","error_codes":[700016],"timestamp":"2019-03-12 10:22:16Z","trace_id":"7a1e3f3a-5171-4044-b59a-49a78d3df300","correlation_id":"f61d0e14-ecf7-45b9-bbc7-e357ddb7b1dd","error_uri":"https://login.microsoftonline.com/error?code=700016"}
2019-03-12T10:22:16.4925828Z 

Right before this task there is a cmd task that performs az account login with the service principal. In the log output I can clearly see the output of az account show, so why doesn't this task work?

Output of the CMD task:

2019-03-12T11:58:05.4615044Z Environment variable -x not defined
2019-03-12T11:58:05.4615608Z ***
2019-03-12T11:58:05.4667686Z ***
2019-03-12T11:58:05.4668423Z ***
2019-03-12T11:58:05.4669112Z ***
2019-03-12T11:58:05.4669557Z "Subscription ID=> ***"
2019-03-12T11:58:48.5462240Z [
2019-03-12T11:58:48.5463710Z   {
2019-03-12T11:58:48.5464432Z     "cloudName": "AzureCloud",
2019-03-12T11:58:48.5464946Z     "id": "***",
2019-03-12T11:58:48.5465917Z     "isDefault": true,
2019-03-12T11:58:48.5469154Z     "name": "Visual Studio Enterprise",
2019-03-12T11:58:48.5469568Z     "state": "Enabled",
2019-03-12T11:58:48.5469843Z     "tenantId": "***",
2019-03-12T11:58:48.5470058Z     "user": {
2019-03-12T11:58:48.5470290Z       "name": "***",
2019-03-12T11:58:48.5470496Z       "type": "servicePrincipal"
2019-03-12T11:58:48.5471388Z     }
2019-03-12T11:58:48.5471648Z   }
2019-03-12T11:58:48.5471999Z ]

It is defined as follows:

echo $(TF_VAR_ARM_SUBSCRIPTION_ID)

echo $(TF_VAR_ARM_TENANT_ID)

echo $(TF_VAR_ARM_CLIENT_SECRET)

echo $(TF_VAR_ARM_CLIENT_ID)

echo "Subscription ID=> $(TF_VAR_ARM_SUBSCRIPTION_ID)"

az login --service-principal -u  $(TF_VAR_ARM_CLIENT_ID) -p  $(TF_VAR_ARM_CLIENT_SECRET) --tenant $(TF_VAR_ARM_TENANT_ID)

az account show

Before this I was able to provision resources without any problems.


1 Answer


Hopefully you have solved this by now, but in case anyone else runs into a similar problem, this is how I fixed the same error. If you are authenticating with a service principal, you need to make sure the azurerm provider has all the necessary values (this happens automatically with a normal azure cli login, since it sets the correct env variables for you). The simplest approach is to make sure your provider is set up as below (and supply an appropriate value for each variable via --var or --var-file).

provider "azurerm" {
  version         = "=1.24.0"
  tenant_id       = "${var.tenant}"
  subscription_id = "${var.subscription}"
  client_id       = "${var.client_id}"
  client_secret   = "${var.client_secret}"
}

answered 2019-04-11T01:36:54.647
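As an added illustration of the point made in the question's cmd task and in the answer (this is example code, not code from either post): each pipeline task runs as its own process, so an az login in one task gives the Terraform task nothing; the azurerm provider has to receive the subscription id, tenant id, client id and client secret itself, either through the provider block shown in the answer or through the ARM_SUBSCRIPTION_ID, ARM_TENANT_ID, ARM_CLIENT_ID and ARM_CLIENT_SECRET environment variables it reads. The script below takes the second route. It assumes the variable-group values are available to the script as environment variables with the TF_VAR_ARM_* names used in the question; the function names, the GUID shape check and the masked logging are this example's own choices. It also avoids the question's echo of the client secret into the build log, which is worth fixing regardless of the error.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Validates the four values the azurerm provider needs, exports them under the
# ARM_* names the provider reads, and runs terraform plan without printing the
# client secret. TF_VAR_ARM_* names follow the question; everything else is assumed.

# True when $1 has the 8-4-4-4-12 hex shape of an Azure tenant, subscription or
# client (application) id. Catches an empty or mangled variable before it reaches AAD.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
}

# Print a value in a log-safe form: first four characters plus the length.
mask() {
  n=${#1}
  if [ "$n" -le 4 ]; then
    printf '**** (%s chars)\n' "$n"
  else
    printf '%s**** (%s chars)\n' "$(printf '%s' "$1" | cut -c1-4)" "$n"
  fi
}

# Arguments: subscription id, tenant id, client id, client secret (in that order).
# Returns 0 when all four are usable, 1 otherwise, with one reason per bad value on stderr.
check_arm_vars() {
  rc=0
  is_guid "$1" || { echo "ARM_SUBSCRIPTION_ID is not a GUID: $(mask "$1")" >&2; rc=1; }
  is_guid "$2" || { echo "ARM_TENANT_ID is not a GUID: $(mask "$2")" >&2; rc=1; }
  is_guid "$3" || { echo "ARM_CLIENT_ID is not a GUID: $(mask "$3")" >&2; rc=1; }
  [ -n "$4" ]  || { echo "ARM_CLIENT_SECRET is empty" >&2; rc=1; }
  return "$rc"
}

# Export the provider's ARM_* variables from the pipeline's TF_VAR_ARM_* values and
# run the plan. An az login in an earlier task does not reach this process; these
# exports are what the azurerm provider actually picks up.
plan_with_service_principal() {
  check_arm_vars "${TF_VAR_ARM_SUBSCRIPTION_ID:-}" "${TF_VAR_ARM_TENANT_ID:-}" \
                 "${TF_VAR_ARM_CLIENT_ID:-}" "${TF_VAR_ARM_CLIENT_SECRET:-}" || return 1
  ARM_SUBSCRIPTION_ID="$TF_VAR_ARM_SUBSCRIPTION_ID"; export ARM_SUBSCRIPTION_ID
  ARM_TENANT_ID="$TF_VAR_ARM_TENANT_ID";             export ARM_TENANT_ID
  ARM_CLIENT_ID="$TF_VAR_ARM_CLIENT_ID";             export ARM_CLIENT_ID
  ARM_CLIENT_SECRET="$TF_VAR_ARM_CLIENT_SECRET";     export ARM_CLIENT_SECRET
  # Only masked identifiers go to the log; the secret is never printed.
  echo "Using client id $(mask "$ARM_CLIENT_ID") in tenant $(mask "$ARM_TENANT_ID")"
  terraform plan -out main.plan
}

# Set RUN_PLAN=1 to execute the step; off by default so the functions can be sourced.
if [ "${RUN_PLAN:-0}" = 1 ]; then
  plan_with_service_principal
fi
```

With the ARM_* variables exported this way the -var flags on the terraform plan line in the question are no longer needed, because the provider takes its credentials from the environment rather than from Terraform input variables; if you prefer the provider block from the answer instead, keep the -var flags and make sure each one is declared as a variable that the provider block references.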