Warning: file_get_contents(/data/phpspider/zhask/data//catemap/0/azure/11.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
使用Azure java sdk创建服务主体失败_Azure_Azure Sdk - Fatal编程技术网
Fatal编程技术网
  • azure/
  • 使用Azure java sdk创建服务主体失败

使用Azure java sdk创建服务主体失败

azure

使用Azure java sdk创建服务主体失败,azure,azure-sdk,Azure,Azure Sdk,我正在尝试使用azure sdk创建服务主体。但是,我收到一个错误 {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}} 我做错了什么?我正在做以下工作: 创建具有所有者角色的服务主体 az ad sp create-for-rbac -n "OrbitTest5" --

我正在尝试使用azure sdk创建服务主体。但是,我收到一个错误

{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}
我做错了什么?我正在做以下工作:

  • 创建具有所有者角色的服务主体

    az ad sp create-for-rbac -n "OrbitTest5" --role Owner --sdk-auth
  • 通过环境变量将创建的服务主体的凭据传递给凭据提供程序

    public class AzureAppEnvCredentialProvider implements AzureCredentialProvider {
  public static final String ENV_CLIENT_ID = "CLIENT_ID";
  public static final String ENV_TENANT_ID = "TENANT_ID";
  public static final String ENV_SUBSCRIPTION_ID = "SUBSCRIPTION_ID";
  public static final String ENV_CLIENT_SECRET = "CLIENT_SECRET";

  private final String subscriptionId;

  public AzureAppEnvCredentialProvider() {
    this.subscriptionId = Preconditions.checkNotNull(System.getenv(ENV_SUBSCRIPTION_ID));
  }

  @Override
  public AzureTokenCredentials getCredentials() {
    final String clientId = Preconditions.checkNotNull(System.getenv(ENV_CLIENT_ID));
    final String tenantId = Preconditions.checkNotNull(System.getenv(ENV_TENANT_ID));
    final String clientSecret = Preconditions.checkNotNull(System.getenv(ENV_CLIENT_SECRET));
    return new ApplicationTokenCredentials(clientId, tenantId, clientSecret, AzureEnvironment.AZURE);
  }

  @Override
  public String getSubscriptionId() {
    return this.subscriptionId;
  }
}
  • 使用凭据使用java sdk创建服务主体

        azureAuthClient = Azure.configure().authenticate(credentialProvider.getCredentials());

    final ServicePrincipal servicePrincipal = 
        azureAuthClient.servicePrincipals()
        .define(clusterId)
        .withNewApplication("http://easycreate.azure.com/" + clusterId)
          .definePasswordCredential("sppass")
          .withPasswordValue("StrongPass!12")
          .attach()
        .create();
  • 然后我得到一个例外。我知道我的凭据是有效的,因为我能够使用sdk创建资源组,并从Azure web控制台查看它

    com.microsoft.azure.management.graphrbac.GraphErrorException:状态代码403,{“odata.error”:{“code”:“Authorization_RequestDenied”,“message”:{“lang”:“en”,“value”:“权限不足,无法完成操作”。}} 位于sun.reflect.NativeConstructorAccessorImpl.newInstance0(本机方法) 位于sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) 在sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) 位于java.lang.reflect.Constructor.newInstance(Constructor.java:423) 位于com.microsoft.rest.ServiceResponseBuilder.build(ServiceResponseBuilder.java:122) 位于com.microsoft.azure.AzureResponseBuilder.build(AzureResponseBuilder.java:56) 位于com.microsoft.azure.management.graphrbac.implementation.ApplicationsInner.createDelegate(ApplicationsInner.java:194) 位于com.microsoft.azure.management.graphrbac.implementation.ApplicationsInner.access$000(ApplicationsInner.java:45) 位于com.microsoft.azure.management.graphrbac.implementation.ApplicationsInner$2.call(ApplicationsInner.java:181) 位于com.microsoft.azure.management.graphrbac.implementation.ApplicationsInner$2.call(ApplicationsInner.java:177) 在rx.internal.operators.OnSubscribeMap$MapSubscriber.onNext(OnSubscribeMap.java:69) 在2.adapter.rxjava.CallArbiter.deliverResponse(CallArbiter.java:120)处 位于2.adapter.rxjava.CallArbiter.emitResponse(CallArbiter.java:102) 调用(CallExecuteOnSubscribe.java:46) 调用(CallExecuteOnSubscribe.java:24) at rx.Observable.unsafeSubscribe(Observable.java:10327) 在rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:48) 在rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:33) at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48) at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30) at rx.Observable.unsafeSubscribe(Observable.java:10327) 在rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:48) 在rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:33) at rx.Observable.unsafeSubscribe(Observable.java:10327) 在rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:48) 在rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:33) at rx.Observable.unsafeSubscribe(Observable.java:10327) 在rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:48) 在rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:33) at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48) at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30) at rx.Observable.unsafeSubscribe(Observable.java:10327) 在rx.internal.operators.operatorSubscribeeon$subscribeeOnSubscriber.call(operatorSubscribeen.java:100) 在rx.internal.schedulers.CachedThreadScheduler$EventLoopWorker$1.call(CachedThreadScheduler.java:230) at rx.internal.schedulers.ScheduledAction.run(ScheduledAction.java:55) 位于java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) 在java.util.concurrent.FutureTask.run(FutureTask.java:266)处 位于java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) 位于java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) 位于java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) 位于java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) 运行(Thread.java:748)

    • 正如我提到的,如果我们想要创建servicePrincipal,那么资源应该是
    http://graph.windows.net
    https://graph.microsoft.com

    因此,我们需要添加权限来操作Azure AD Graph API或Microsoft Graph API

    不要忘记授予权限

    我用Azure Active Directory API测试它。我在我这边工作正常

    演示代码:

    ApplicationTokenCredentials credentials = new ApplicationTokenCredentials(client,
               tenant,
                key,
                AzureEnvironment.AZURE);

Azure.Authenticated azureAuthClient = Azure.configure().authenticate(credentials);
String clusterId = "xxxxxxx";
ServicePrincipal servicePrincipal =
                azureAuthClient.servicePrincipals()
                        .define(clusterId)
                        .withNewApplication("http://easycreate.azure.com/" + clusterId)
                        .definePasswordCredential("sppass")
                        .withPasswordValue("StrongPass!12")
                        .attach()
                        .create();

    根据错误信息,这表示您没有权限执行此操作。我假设凭证是用来创建servicePrincipal的。您提到可以创建资源组。用于创建资源组的资源是
    https://management.azure.com
    但是要创建servicePrincipal,资源应该是
    http://graph.windows.net
    https://graph.microsoft.com
    。如果可能,请共享如何获取凭据的代码。@TomSun在步骤3中添加了如何获取凭据的信息。