GitHub Actions not using the right SPN from Azure to execute Terraform

Question

I'm using GitHub Actions to deploy Terraform code into Azure.

I made a dev environment, and deployments worked perfectly. But now I'm going to prd: new subscription, new storage account where the state will be written to, new SPN.

The SPN has the same rights on the storage account and on the subscription as the dev one has on its subscription.

I've written the right details in the backend block, referring to the new storage account; I've created new GitHub Actions secrets, referring to the new SPN; and I've used these secrets in my yml workflow file.

But still, I'm getting this error:

Error: Failed to get existing workspaces: Error retrieving keys for Storage Account "xxx": storage.AccountsClient#ListKeys: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'xxx' with object id 'xxx' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope '/subscriptions/xxx/resourceGroups/rg-terraform-state-weu/providers/Microsoft.Storage/storageAccounts/xxxx' or the scope is invalid. If access was recently granted, please refresh your credentials."

I find it strange: the 'client' or 'object ID' they are talking about is not the application ID I've entered in the secret. Shouldn't this be the case? Or what else could be wrong?

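As an added example (not code from the question or the answer), a small POSIX shell diagnostic that parses the AuthorizationFailed message quoted above and compares the client id Azure reports with the SPN the workflow was supposed to use. The ids in the sample message are constructed placeholders, and the printed az CLI commands assume the Azure CLI is installed.

```shell
# Added diagnostic (not from the question or the answer): pull the identity
# and scope out of the AuthorizationFailed message the azurerm backend
# printed, then compare the client id Azure actually saw with the one the
# workflow configured. The message below is a constructed sample; the ids
# in it are placeholders.
SAMPLE_ERROR="Error: Failed to get existing workspaces: Error retrieving keys for Storage Account \"stexample\": Status=403 Code=\"AuthorizationFailed\" Message=\"The client '00000000-0000-0000-0000-00000000aaaa' with object id '00000000-0000-0000-0000-00000000bbbb' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope '/subscriptions/00000000-0000-0000-0000-00000000cccc/resourceGroups/rg-terraform-state-weu/providers/Microsoft.Storage/storageAccounts/stexample' or the scope is invalid.\""

# field_from_error MESSAGE FIELD -> prints the value; FIELD is client|object|action|scope
field_from_error() {
  case "$2" in
    client) pat="The client '\([^']*\)'" ;;
    object) pat="with object id '\([^']*\)'" ;;
    action) pat="perform action '\([^']*\)'" ;;
    scope)  pat="over scope '\([^']*\)'" ;;
    *) return 1 ;;
  esac
  printf '%s\n' "$1" | sed -n "s|.*$pat.*|\1|p"
}

# check_client MESSAGE EXPECTED_CLIENT_ID -> 0 when Azure saw the SPN the
# workflow configured (ARM_CLIENT_ID / the repo secret), 1 otherwise.
# In this message 'client' is the application (client) id of whatever
# credential actually authenticated, so a mismatch means some other
# credential was picked up than the one in the secret.
check_client() {
  seen=$(field_from_error "$1" client)
  if [ "$seen" = "$2" ]; then
    echo "identity matches: $seen"
    return 0
  fi
  echo "identity mismatch: Azure saw client '$seen', workflow expected '$2'" >&2
  return 1
}

# verify_commands MESSAGE -> prints the az CLI commands (assumed available;
# not run here) that show which service principal the object id belongs to
# and what it is assigned on the scope the backend tried to read keys from.
verify_commands() {
  obj=$(field_from_error "$1" object)
  scope=$(field_from_error "$1" scope)
  echo "az ad sp show --id '$obj' --query '{appId:appId, displayName:displayName}' -o json"
  echo "az role assignment list --assignee '$obj' --scope '$scope' --include-inherited -o table"
}

check_client "$SAMPLE_ERROR" "00000000-0000-0000-0000-00000000aaaa"
verify_commands "$SAMPLE_ERROR"
```

Run it against the real message from the workflow log with the client id from the repository secret as the second argument; a mismatch points at the secret or environment that was actually used, not at the role assignment.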

Answer 1

Score: 0

Not much to go on here.

I've had some issues with this before, and mostly it's just a little mistake of putting the secret in the wrong place, or naming the secret wrong. Do you have, i.e., Repo/Org secrets that have that Application ID in their secret?

huangapple
  • Posted on 3 July 2023 18:06:52
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76603739.html