How to get Group in Azure AD in Pulumi?

风格不统一 submitted on 2020-06-17 15:52:18

Question


I'm trying to get a group in the Azure AD.

var group = Output.Create(
    GetGroup.InvokeAsync(
        new GetGroupArgs
        {
            Name = "Administrators"
        }));

PS C:\dev\___> pulumi preview
Previewing update (dev):
     Type                 Name          Plan     Info
     pulumi:pulumi:Stack  Frontend-dev           1 error

Diagnostics:
  pulumi:pulumi:Stack (Frontend-dev):
    error: Running program 'C:\dev\___\bin\Debug\netcoreapp3.1\Frontend.dll' failed with an unhandled exception:
    Grpc.Core.RpcException: Status(StatusCode=Unknown, Detail="invocation of azuread:index/getGroup:getGroup returned an error: Error building AzureAD Client: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).

    To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal'
    auth method - instructions for which can be found here:

    Alternatively you can authenticate using the Azure CLI by using a User Account.")
       at Pulumi.GrpcMonitor.InvokeAsync(InvokeRequest request)
       at Pulumi.Deployment.InvokeAsync[T](String token, InvokeArgs args, InvokeOptions options, Boolean convertResult)
       at Pulumi.Output`1.ApplyHelperAsync[U](Task`1 dataTask, Func`2 func)
       at Pulumi.Output`1.Pulumi.IOutput.GetDataAsync()
       at Pulumi.Serialization.Serializer.SerializeAsync(String ctx, Object prop)
       at Pulumi.Deployment.SerializeFilteredPropertiesAsync(String label, IDictionary`2 args, Predicate`1 acceptKey)
       at Pulumi.Deployment.SerializeAllPropertiesAsync(String label, IDictionary`2 args)
       at Pulumi.Deployment.RegisterResourceOutputsAsync(Resource resource, Output`1 outputs)
       at Pulumi.Deployment.Runner.WhileRunningAsync()

The Pulumi.dev.yaml contains the service principal credentials.

I followed the instructions to create a service principal and configure it with the appropriate permissions.

The error message talks about some instructions:

To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal' auth method - instructions for which can be found here: <- No link

Can anyone help me find those instructions so that I can sort out what I may have missed?


Answer 1:


Somewhere in the documentation, we're asked to put the credentials in the Pulumi.<stack>.yml via pulumi config set azure:* commands which led me to believe that that should be enough.

The thing is Pulumi.Azure will look for the settings in the azure namespace but Pulumi.AzureAD will look for the same settings in the azuread namespace.

So we not only need this:

pulumi config set azure:clientId "00000000000000000000000"
pulumi config set azure:clientSecret "00000000000000000000000" --secret
pulumi config set azure:tenantId "00000000000000000000000"
pulumi config set azure:subscriptionId "00000000000000000000000"

But we also need to run the below:

pulumi config set azuread:clientId "00000000000000000000000"
pulumi config set azuread:clientSecret "00000000000000000000000" --secret
pulumi config set azuread:tenantId "00000000000000000000000"
pulumi config set azuread:subscriptionId "00000000000000000000000"

Which will get us a Pulumi.<stack>.yml similar to this:

config:
  azure:clientId: 00000000000000000000000
  azure:clientSecret:
    secure: 00000000000000000000000000000000000000000000000XqZFM=
  azure:location: WestEurope
  azure:subscriptionId: 00000000000000000000000
  azure:tenantId: 00000000000000000000000
  azuread:clientId: 00000000000000000000000
  azuread:clientSecret:
    secure: 0000000000000000000000000000000000000000000000l3xbaY=
  azuread:subscriptionId: 00000000000000000000000
  azuread:tenantId: 00000000000000000000000

Alternatively, you may also specify environment variables in PowerShell:

$env:ARM_CLIENT_ID="0000000000000000000000000"
$env:ARM_CLIENT_SECRET="0000000000000000000000000"
$env:ARM_TENANT_ID="0000000000000000000000000"
$env:ARM_SUBSCRIPTION_ID="0000000000000000000000000"

After doing that, my Pulumi stack was able to retrieve the Azure AD group object id successfully.

There's a resolved GitHub issue.



Source: https://stackoverflow.com/questions/62259552/how-to-get-group-in-azure-ad-in-pulumi
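
Added example, not part of the original answer: a pre-flight check for the point made there, that Pulumi.Azure reads the azure namespace while Pulumi.AzureAD reads azuread. It assumes the flat stack-file layout shown in the answer, requires the same four keys the answer sets in each namespace, and uses constructed placeholder values; the function names are hypothetical.

```python
import re

# Keys the answer sets for each provider namespace (assumption: same four for both).
REQUIRED = ("clientId", "clientSecret", "tenantId", "subscriptionId")
NAMESPACES = ("azure", "azuread")

# Constructed sample stack files with placeholder values (not real credentials).
ONLY_AZURE = """config:
  azure:clientId: 00000000-0000-0000-0000-000000000000
  azure:clientSecret:
    secure: CONSTRUCTED-CIPHERTEXT-1=
  azure:location: WestEurope
  azure:subscriptionId: 00000000-0000-0000-0000-000000000000
  azure:tenantId: 00000000-0000-0000-0000-000000000000
"""
BOTH = ONLY_AZURE + """  azuread:clientId: 00000000-0000-0000-0000-000000000000
  azuread:clientSecret:
    secure: CONSTRUCTED-CIPHERTEXT-2=
  azuread:subscriptionId: 00000000-0000-0000-0000-000000000000
  azuread:tenantId: 00000000-0000-0000-0000-000000000000
"""

def parse_stack_config(text):
    # Minimal parser for the layout shown above only (not general YAML):
    # 2-space "ns:key: value" entries, optionally with a 4-space "secure:" child.
    config, current = {}, None
    for line in text.splitlines():
        top = re.match(r"^  ([\w-]+:[\w-]+):\s*(.*)$", line)
        child = re.match(r"^    secure:\s*(\S+)", line)
        if top:
            current = top.group(1)
            config[current] = {"value": top.group(2).strip().strip('"'), "secure": False}
        elif child and current:
            config[current] = {"value": child.group(1), "secure": True}
    return config

def audit(text):
    # Return findings; an empty list means both providers have their settings.
    config, findings = parse_stack_config(text), []
    for ns in NAMESPACES:
        for key in REQUIRED:
            entry = config.get(f"{ns}:{key}")
            if entry is None or not entry["value"]:
                findings.append(f"missing {ns}:{key}")
            elif key == "clientSecret" and not entry["secure"]:
                findings.append(f"plaintext {ns}:clientSecret (set it with --secret)")
    return findings
```

Running audit over ONLY_AZURE reproduces the situation in the question: every azuread:* key is reported missing even though the azure:* keys are present.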
