英文:
Azure multi subscription RBAC for a service princpal
问题
我有2个Azure订阅。Subscription_1用于创建VNET/SUBNET。Subscription_2用于在该VNET内创建VM。
为了进行部署,我正在创建2个服务主体。SPN_1将部署VNET/SUBNET。
SPN_2将部署VM。
要使SPN_2能够部署VM,我需要让SP_2具有"network contributor" RBAC权限访问Subscription_1。
我查看了文档,但文档非常不详细,没有提供更新的示例:https://learn.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az-ad-sp-update
我应该如何更新SP_1以实现这一点?有哪些CLI命令可以实现这个目标?
英文:
I have 2 Azure subscriptions. Subscription_1 is used to create a VNET/SUBNET. Subscription_2 is used to create a VM inside that VNET.
To do the deployment, I am creating 2 Services principals. SPN_1 will deploy the VNET/SUBNET.
SPN_2 will deploy the VM.
az ad sp create-for-rbac --name SP_1 --role contributor --scopes /subscriptions/mySubscriptionID_of_Subscription_1
az ad sp create-for-rbac --name SP_2 --role contributor --scopes /subscriptions/mySubscriptionID_of_Subscription_2
However, for SPN_2 To deploy the VM , I need SP_2 to have "network contributor" RBAC to Subscription_1.
I looked at the documentation, and it is very poor and does not give examples of update : https://learn.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az-ad-sp-update
How can I update the SP_1 to do so ? What are the CLI to achieve this ?
答案1
得分: 1
不需要创建多个服务主体:
- 使用
az ad sp create-for-rbac创建一个服务主体。 - 使用
az role assignment create分配角色。
以下是 PowerShell 示例:
# 创建服务主体
$spCredentials = az ad sp create-for-rbac --name SP_1 | ConvertFrom-Json
# 获取服务主体详细信息
$spDetails = az ad sp show --id $spCredentials.appId | ConvertFrom-Json
# 为订阅1创建 Contributor 角色分配
az role assignment create --assignee-principal-type ServicePrincipal --assignee-object-id $spDetails.id --role "contributor" --scope /subscriptions/mySubscriptionID_of_Subscription_1
# 为订阅1创建 Network Contributor 角色分配
az role assignment create --assignee-principal-type ServicePrincipal --assignee-object-id $spDetails.id --role "network contributor" --scope /subscriptions/mySubscriptionID_of_Subscription_1
# 为订阅2创建 Contributor 角色分配
az role assignment create --assignee-principal-type ServicePrincipal --assignee-object-id $spDetails.id --role "contributor" --scope /subscriptions/mySubscriptionID_of_Subscription_2
英文:
You dont need to create multiple service principal:
- Create one service principal using
az ad sp create-for-rbac. - Assign role using
az role assignment create.
Here is a powershell example:
# Create service principal
$spCredentials = az ad sp create-for-rbac --name SP_1 | ConvertFrom-Json
# Get SP details
$spDetails = az ad sp show --id $spCredentials.appId | ConvertFrom-Json
# Create contributor role assignment for subscription1
az role assignment create --assignee-principal-type ServicePrincipal --assignee-object-id $spDetails.id --role "contributor" --scope /subscriptions/mySubscriptionID_of_Subscription_1
# Create network contributor role assignment for subscription1
az role assignment create --assignee-principal-type ServicePrincipal --assignee-object-id $spDetails.id --role "network contributor" --scope /subscriptions/mySubscriptionID_of_Subscription_1
# Create contributor role assignment for subscription2
az role assignment create --assignee-principal-type ServicePrincipal --assignee-object-id $spDetails.id --role "contributor"--scope /subscriptions/mySubscriptionID_of_Subscription_2
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论