Question
I'm trying to create subscriptions through an Azure DevOps pipeline on a hosted agent running as a service principal and am receiving the error:
New-AzSubscriptionAlias: /home/vsts/work/1/s/Azure.Automation/Subscriptions/Create-AzureSubscription.ps1:190
Line |
190 | $subscription = New-AzSubscriptionAlias `
| ~~~~~~~~~~~~~~~~~~~~~~~~~
| Operation returned an invalid status code 'Unauthorized'
How do I grant the service principal the required access?
Answer 1:
As written in Programmatically create Azure subscriptions with the latest APIs:
You must have an Owner role on an Enrollment Account to create a subscription. There are two ways to get the role:
- The Enterprise Administrator of your enrollment can make you an Account Owner (sign in required) which makes you an Owner of the Enrollment Account.
- An existing Owner of the Enrollment Account can grant you access. Similarly, to use a service principal to create an EA subscription, you must grant that service principal the ability to create subscriptions.
Answer 2:
If you need to use a service principal to create a subscription, then you must grant the service principal the Azure RBAC owner role.
You can use the New-AzRoleAssignment command to assign the owner role to your service principal.
To specify a user, use the SignInName or Azure AD ObjectId parameters. To specify a security group, use the Azure AD ObjectId parameter. To specify an Azure AD application, use the ApplicationId or ObjectId parameters. The role that is being assigned must be specified using the RoleDefinitionName parameter.
Answer 3:
You need to use the AzureRmRoleAssignment cmdlet to assign that service principal an Owner role.
We tracked it down to two missing permissions required by the underlying New-AzureRmRoleAssignment cmdlet that is called by the task -
- The Service Principal (SPN) used by Azure DevOps to connect to your Azure subscription requires the Owner role
- The same SPN also requires Read directory data permissions to your Azure AD
There is also a 3rd-party Azure Role Based Access Control task you could use in your azure devops pipeline.
For a more detailed step-by-step tutorial, please refer to this blog: Service Principal considerations when using Azure DevOps to manage RBAC on Azure Resource Groups
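The role assignment that Answers 2 and 3 describe, as an added example that is not part of any of the posts above: it grants the pipeline's service principal Owner on a single EA enrollment account (the narrowest scope that allows subscription creation, rather than Owner on an existing subscription), checks for an existing assignment first, and then issues the New-AzSubscriptionAlias call from the question. All IDs are placeholders, the enrollment-account scope strings follow the EA billing model, and the assignment step must itself be run by someone who already holds Owner on that enrollment account.

```powershell
# Added example, not code from the Stack Overflow answers. Run the assignment
# part as an existing Owner of the enrollment account; run the creation part
# from the pipeline, authenticated as the service principal.
# All identifiers below are placeholders.
$spObjectId          = '00000000-0000-0000-0000-000000000001'   # placeholder: Azure AD object id of the SP
$enrollmentAccountId = '00000000-0000-0000-0000-000000000002'   # placeholder: enrollment account object id
$billingAccountId    = '1234567'                                # placeholder: EA enrollment (billing account) number

# Scope the Owner role to the enrollment account only. Owner on a subscription
# or management group would not help here and would over-privilege the SP.
$enrollmentScope = "/providers/Microsoft.Billing/enrollmentAccounts/$enrollmentAccountId"

$existing = Get-AzRoleAssignment -ObjectId $spObjectId `
                                 -Scope $enrollmentScope `
                                 -RoleDefinitionName 'Owner' `
                                 -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $spObjectId `
                         -RoleDefinitionName 'Owner' `
                         -Scope $enrollmentScope | Out-Null
    Write-Host "Granted Owner on $enrollmentScope to service principal $spObjectId"
} else {
    Write-Host "Service principal already holds Owner on $enrollmentScope"
}

# Answer 3 also notes the SP needs 'Read directory data' on Azure AD; that is an
# API permission on the app registration, not an Azure RBAC assignment.

# Pipeline side: create the subscription under that enrollment account.
$billingScope = "/providers/Microsoft.Billing/billingAccounts/$billingAccountId/enrollmentAccounts/$enrollmentAccountId"
$subscription = New-AzSubscriptionAlias -AliasName 'team-a-prod' `
                                        -SubscriptionName 'Team A Production' `
                                        -BillingScope $billingScope `
                                        -Workload 'Production'
$subscription
```

If the alias call still returns 'Unauthorized' after the assignment, confirm with Get-AzRoleAssignment that the assignment landed on the enrollment-account scope and not on a subscription.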
Source: https://stackoverflow.com/questions/64764889/what-permissions-does-an-azure-service-principal-need-to-call-the-new-azsubscrip