使用Azure java sdk创建服务主体失败
我正在尝试使用azure sdk创建服务主体。但是,我收到一个错误使用Azure java sdk创建服务主体失败,azure,azure-sdk,Azure,Azure Sdk,我正在尝试使用azure sdk创建服务主体。但是,我收到一个错误 {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}} 我做错了什么?我正在做以下工作: 创建具有所有者角色的服务主体 az ad sp create-for-rbac -n "OrbitTest5" --
{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}
我做错了什么?我正在做以下工作:
az ad sp create-for-rbac -n "OrbitTest5" --role Owner --sdk-auth
public class AzureAppEnvCredentialProvider implements AzureCredentialProvider {
public static final String ENV_CLIENT_ID = "CLIENT_ID";
public static final String ENV_TENANT_ID = "TENANT_ID";
public static final String ENV_SUBSCRIPTION_ID = "SUBSCRIPTION_ID";
public static final String ENV_CLIENT_SECRET = "CLIENT_SECRET";
private final String subscriptionId;
public AzureAppEnvCredentialProvider() {
this.subscriptionId = Preconditions.checkNotNull(System.getenv(ENV_SUBSCRIPTION_ID));
}
@Override
public AzureTokenCredentials getCredentials() {
final String clientId = Preconditions.checkNotNull(System.getenv(ENV_CLIENT_ID));
final String tenantId = Preconditions.checkNotNull(System.getenv(ENV_TENANT_ID));
final String clientSecret = Preconditions.checkNotNull(System.getenv(ENV_CLIENT_SECRET));
return new ApplicationTokenCredentials(clientId, tenantId, clientSecret, AzureEnvironment.AZURE);
}
@Override
public String getSubscriptionId() {
return this.subscriptionId;
}
}
azureAuthClient = Azure.configure().authenticate(credentialProvider.getCredentials());
final ServicePrincipal servicePrincipal =
azureAuthClient.servicePrincipals()
.define(clusterId)
.withNewApplication("http://easycreate.azure.com/" + clusterId)
.definePasswordCredential("sppass")
.withPasswordValue("StrongPass!12")
.attach()
.create();
正如我提到的,如果我们想要创建servicePrincipal,那么资源应该是
http://graph.windows.net
或https://graph.microsoft.com
因此,我们需要添加权限来操作Azure AD Graph API或Microsoft Graph API
不要忘记授予权限
我用Azure Active Directory API测试它。我在我这边工作正常
演示代码:
ApplicationTokenCredentials credentials = new ApplicationTokenCredentials(client,
tenant,
key,
AzureEnvironment.AZURE);
Azure.Authenticated azureAuthClient = Azure.configure().authenticate(credentials);
String clusterId = "xxxxxxx";
ServicePrincipal servicePrincipal =
azureAuthClient.servicePrincipals()
.define(clusterId)
.withNewApplication("http://easycreate.azure.com/" + clusterId)
.definePasswordCredential("sppass")
.withPasswordValue("StrongPass!12")
.attach()
.create();
根据错误信息,这表示您没有权限执行此操作。我假设凭证是用来创建servicePrincipal的。您提到可以创建资源组。用于创建资源组的资源是
https://management.azure.com
但是要创建servicePrincipal,资源应该是http://graph.windows.net
或https://graph.microsoft.com
。如果可能,请共享如何获取凭据的代码。@TomSun在步骤3中添加了如何获取凭据的信息。