I have configured Azure DevOps with a service principal to access one specific resource group. I expected Azure DevOps would only be able to deploy to resources under that group, but that does not seem to be the case. I was able to connect agents from other resource groups and then deploy to them without any problem.
If agents can bypass all the permissions, what is the point of configuring a service principal in Azure DevOps?
Configuration:
Azure Portal
1. Created an AD in the Azure Portal. Created an App under the AD with a client secret.
2. Granted the 'Contributor' role to the App created in step 1 with resource group scope.
3. Created two resource groups, RG1 and RG2, with one VM in each.
4. Granted the role assignment to the App created in step 1 for RG1 only. RG2 has no role assignments.
Azure DevOps
5. Connected the Azure DevOps organization with the Portal using AD Connect.
6. Created a service connection by going to Projects -> Service Principal (SP) -> Azure Resource Manager with Service Principal credentials (see step 1 above).
7. Created a new pipeline and deployment group. Copied the deployment group agent code and ran it on both VMs, in RG1 and RG2.
Actual result: Both VMs connected fine as targets under the deployment group. The pipeline was able to deploy to both VMs successfully. Even with no service connection present, the pipeline was able to deploy to the VMs.
Expected result: Only the VM under RG1 should connect, based on RBAC. The pipeline should only be able to deploy to the VM under RG1 and not to RG2. If no service connection is defined, the pipeline should not be able to deploy.
Workaround: Maybe installing this extension (https://github.com/maikvandergaag/msft-extensions/wiki/Azure-RBAC) would help, but I am trying to avoid it if possible.
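The two results above are consistent once the two trust paths are separated: a deployment-group agent registers with Azure DevOps using its own credentials and runs job steps locally on the VM it is installed on, so the Azure Resource Manager service connection (and the service principal's RBAC scope) is only consulted by tasks that actually call ARM. The following is an added worked example, not part of the question or of any Azure tooling, that models ARM RBAC scope inheritance and uses it to audit which registered deployment targets a service principal could not have reached through ARM. The subscription id, principal id and resource ids are constructed placeholders; the `RoleAssignment` fields mirror the `scope` and `roleDefinitionName` columns of `az role assignment list`.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Constructed placeholder subscription scope; substitute your own subscription id.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"


@dataclass(frozen=True)
class RoleAssignment:
    """One row of `az role assignment list`, reduced to the fields the check needs."""
    principal_id: str   # objectId of the App / service principal
    role: str           # roleDefinitionName, e.g. "Contributor"
    scope: str          # ARM scope the role was granted at


def _norm(scope: str) -> str:
    # ARM scopes compare case-insensitively and may carry a trailing slash.
    return scope.rstrip("/").lower()


def scope_covers(assigned: str, target: str) -> bool:
    """True if a role granted at `assigned` is inherited by `target`.

    Azure RBAC inherits down the hierarchy (management group > subscription >
    resource group > resource). The "/" boundary matters: a grant on RG1 must
    not cover RG10 or RG2.
    """
    a, t = _norm(assigned), _norm(target)
    return t == a or t.startswith(a + "/")


def effective_roles(assignments: Iterable[RoleAssignment],
                    principal_id: str, target: str) -> List[str]:
    """Roles the principal holds at `target`, directly or by inheritance."""
    return sorted({ra.role for ra in assignments
                   if ra.principal_id == principal_id and scope_covers(ra.scope, target)})


# Built-in roles that allow deploying to a resource (constructed, minimal set).
DEPLOY_ROLES = {"owner", "contributor"}


def can_deploy_via_arm(assignments: Iterable[RoleAssignment],
                       principal_id: str, target: str) -> bool:
    """Would an ARM call made through the service connection be authorized here?"""
    return any(r.lower() in DEPLOY_ROLES
               for r in effective_roles(assignments, principal_id, target))


def targets_outside_rbac(assignments: Iterable[RoleAssignment], principal_id: str,
                         registered_targets: Iterable[str]) -> List[str]:
    """Deployment-group targets the service principal cannot reach through ARM.

    Anything returned here was reached by the agent's own channel, not by the
    service connection, which is the gap the question observed.
    """
    return [t for t in registered_targets
            if not can_deploy_via_arm(assignments, principal_id, t)]


# Constructed sample reproducing the question's setup: Contributor on RG1 only.
SP_ID = "11111111-2222-3333-4444-555555555555"  # constructed principal objectId
ASSIGNMENTS = [RoleAssignment(SP_ID, "Contributor", f"{SUB}/resourceGroups/RG1")]
VM_RG1 = f"{SUB}/resourceGroups/RG1/providers/Microsoft.Compute/virtualMachines/vm1"
VM_RG2 = f"{SUB}/resourceGroups/RG2/providers/Microsoft.Compute/virtualMachines/vm2"
REGISTERED_TARGETS = [VM_RG1, VM_RG2]  # both VMs ran the agent registration script

if __name__ == "__main__":
    for vm in REGISTERED_TARGETS:
        print(vm.rsplit("/", 1)[-1], "reachable via ARM:",
              can_deploy_via_arm(ASSIGNMENTS, SP_ID, vm))
    print("registered targets outside the SP's RBAC scope:",
          [t.rsplit("/", 1)[-1] for t in targets_outside_rbac(ASSIGNMENTS, SP_ID, REGISTERED_TARGETS)])
```

Run against real data by feeding `az role assignment list --all --assignee <appId>` output into `RoleAssignment` and the resource ids of the VMs you registered into `REGISTERED_TARGETS`; any VM listed by `targets_outside_rbac` is one where the agent's registration, not the service principal, is the effective credential, which is where to put controls (who may run the registration script, which project and deployment group the agent may join).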