我有以下情况。
- 我拥有工作单位的帐户,以及一个 Visual Studio Professional 订阅。
- 我无法在我的组织租户中创建服务主体。这是被禁止的,我不会被授予这样做的特权。
- 我自己创建了一个新租户(例如叫 “myowntenant”),并在其中注册了一个新应用程序,因此得到了一个名为 “example-app” 的服务主体。
- 然后,我进入 Visual Studio 订阅,把该订阅的“贡献者”(Contributor)角色授予了这个服务主体(example-app)。
当我在 Terraform 环境中使用 VS 订阅的订阅 ID、我自己租户的租户 ID,以及 “example-app” 的客户端 ID 和客户端机密进行认证时,我收到“未授权”错误,提示访问令牌来自错误的颁发者(wrong issuer)。
看起来我对 Azure 订阅、租户和服务主体之间关系的理解有误。能否有人解释一下:为什么即使该服务主体在订阅上拥有贡献者权限,这样做仍然不起作用?
Terraform 代码:
## <https://www.terraform.io/docs/providers/azurerm/index.html>
provider "azurerm" {
  # The 2.x provider expects a features block, even an empty one.
  features {}

  # Exact pin so plans stay reproducible across machines.
  version = "=2.5.0"

  # NOTE(review): no credentials are set here, so they are presumably read
  # from the ARM_* environment variables (ARM_SUBSCRIPTION_ID, ARM_TENANT_ID,
  # ARM_CLIENT_ID, ARM_CLIENT_SECRET). ARM_TENANT_ID must be the directory the
  # target subscription trusts, not merely the tenant in which the app was
  # registered: a token minted by a different tenant is rejected by ARM as
  # coming from the wrong issuer even when a role assignment exists. Check the
  # subscription's "Directory" in the portal (or move the subscription into
  # the new tenant) before looking at RBAC.
}
## <https://www.terraform.io/docs/providers/azurerm/r/resource_group.html>
# Resource group that owns every resource in this configuration; its name and
# location are referenced by the other resources below.
resource "azurerm_resource_group" "rg" {
  location = "eastus"
  name     = "TerraformTesting"
}
## <https://www.terraform.io/docs/providers/azurerm/r/availability_set.html>
# Availability set the VM is placed into; it inherits the resource group's
# location so the two cannot drift apart.
resource "azurerm_availability_set" "DemoAset" {
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  name                = "example-aset"
}
## <https://www.terraform.io/docs/providers/azurerm/r/virtual_network.html>
# Virtual network with a single /16 address space; the subnet below carves a
# /24 out of it.
resource "azurerm_virtual_network" "vnet" {
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  name                = "vNet"
  address_space       = ["10.0.0.0/16"]
}
## <https://www.terraform.io/docs/providers/azurerm/r/subnet.html>
# Subnet "internal" inside the VNet above; the NIC attaches here.
resource "azurerm_subnet" "subnet" {
  virtual_network_name = azurerm_virtual_network.vnet.name
  resource_group_name  = azurerm_resource_group.rg.name
  name                 = "internal"

  # Single-string form of the prefix. NOTE(review): newer provider releases
  # prefer a list-valued attribute; check the changelog before bumping the
  # pinned 2.5.0 provider.
  address_prefix = "10.0.2.0/24"
}
## <https://www.terraform.io/docs/providers/azurerm/r/network_interface.html>
# NIC for the VM. Only a dynamically assigned private address is configured;
# no public IP is attached, so the VM is not reachable from the internet
# through this interface. NOTE(review): no network security group is
# associated either, so exposure is governed by whatever else is routed into
# the VNet.
resource "azurerm_network_interface" "example" {
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  name                = "example-nic"

  ip_configuration {
    private_ip_address_allocation = "Dynamic"
    subnet_id                     = azurerm_subnet.subnet.id
    name                          = "internal"
  }
}
## <https://www.terraform.io/docs/providers/azurerm/r/windows_virtual_machine.html>
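# Local administrator password for the VM, supplied at apply time (for example
# via TF_VAR_admin_password or a -var-file kept out of source control) instead
# of being hard-coded in this file. There is deliberately no default: a
# committed literal password is a credential leak for anyone with repo access.
# NOTE(review): Terraform still records the value in the state file in clear
# text, so the state backend must be protected as a secret store too.
variable "admin_password" {
  type        = string
  description = "Local administrator password for the Windows VM; must satisfy Azure's password complexity rules."
}

# Single Windows Server 2016 VM placed in the availability set and attached to
# the private-only NIC defined above.
resource "azurerm_windows_virtual_machine" "example" {
  name                = "example-machine"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  size                = "Standard_F2"

  admin_username = "adminuser"
  # Read from the variable above rather than a literal in source.
  admin_password = var.admin_password

  availability_set_id = azurerm_availability_set.DemoAset.id
  network_interface_ids = [
    azurerm_network_interface.example.id,
  ]

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  # "latest" floats the image version between applies; pin it if reproducible
  # builds matter more than automatic patch uptake.
  source_image_reference {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServer"
    sku       = "2016-Datacenter"
    version   = "latest"
  }
}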