0
点赞
收藏
分享

微信扫一扫

【Azure 环境】如何解决Principal 2330xxxxxxxxxxxxxxxxxxxx31efc5 does not exist in the directory

问题描述

在使用 Key Vault 和 Azure CLI 管理存储帐户密钥的官方文档中,其中有一步是“​​向 Key Vault 授予对你的存储帐户的访问权限​​”, 其中CLI命令中使用的--assignee-object-id参数值为2330fcd0-aceb-49c4-a58f-27980b31efc5,根据说明其值为Azure 中国云中 Key Vault 的对象 ID,固定不变。但是在执行时,则出现如下错误:

Principal 2330fcd0aceb49c4a58f27980b31efc5 does not exist in the directory xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.

完整的错误消息体为:

### 1
az role assignment create --role "Storage Account Key Operator Service Role" --assignee-object-id "xxxxxxxx-xxxx-xxxx-xxxx-efe0ge7cxxxx" --scope "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testrg/providers/Microsoft.Storage/storageAccounts/testsa01"
报错:
Failed to query --assignee-principal-type for xxxxxxxx-xxxx-xxxx-xxxx-efe0ge7cxxxx by invoking Graph API.
RBAC server might reject creating role assignment without --assignee-principal-type in the future. Better to specify --assignee-principal-type manually.
Principal xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx does not exist in the directory xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.

### 2

az role assignment create --role "Storage Account Key Operator Service Role" --assignee "https://vault.azure.cn" --scope "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testrg/providers/Microsoft.Storage/storageAccounts/testsa01"
报错:
Cannot find user or service principal in graph database for 'https://vault.azure.cn'. If

 

 

问题原因

文档描述错误,Azure中国云为Key Vault注册的对象ID(Object)并不是固定不变,在每个不同的租户下,其值不同。只有Key Vault中Application ID保持不变。正如文档中描述的:

【Azure 环境】如何解决Principal 2330xxxxxxxxxxxxxxxxxxxx31efc5 does not exist in the directory_Azure Key Vault

解决办法

根据Azure Key Vault的应用程序ID获取在Azure AAD中查找到正确的Object ID。然后执行az role assignment create命令

az role assignment create --role "Storage Account Key Operator Service Role" --assignee-object-id <right key vault object id in --scope "/subscriptions/<subscriptionID>/resourceGroups/<StorageAccountResourceGroupName>/providers/Microsoft.Storage/storageAccounts/<YourStorageAccountName>"

获取Key Vault的Object ID方式如下:

第一步:进入Azure AD, 在overview页面搜索key vault的application id(此ID为固定值 cfa8b339-82a2-471a-a3c9-0fc0be7a4093,见:https://docs.azure.cn/zh-cn/key-vault/secrets/overview-storage-keys#service-principal-application-id)

【Azure 环境】如何解决Principal 2330xxxxxxxxxxxxxxxxxxxx31efc5 does not exist in the directory_microsoft_02

 

第二步:点击进入Key Vault页面查看Object ID

【Azure 环境】如何解决Principal 2330xxxxxxxxxxxxxxxxxxxx31efc5 does not exist in the directory_ide_03

 

第三步:获取到Key Vault的Object ID后,执行CLI命令成功

【Azure 环境】如何解决Principal 2330xxxxxxxxxxxxxxxxxxxx31efc5 does not exist in the directory_microsoft_04

 

 

参考文档

使用 Key Vault 和 Azure CLI 管理存储帐户密钥: ​​https://docs.azure.cn/zh-cn/key-vault/secrets/overview-storage-keys#give-key-vault-access-to-your-storage-account​​

当在复杂的环境中面临问题,格物之道需:浊而静之徐清,安以动之徐生。 云中,恰是如此!



举报

相关推荐

0 条评论