Question
I have a C# application that will create Resource Groups. I'm using the ResourceManagementClient to create the resource group (which I assume is just a wrapper for their REST API). I'm using an Azure AD application's Client ID and Client Secret to authenticate.
I'm getting this error:
{"The client 'xxxx' with object id 'xxxx' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/xxxx/resourcegroups/test-resource-group'."}
Is there a way I can give this permission at the subscription level to an Azure AD application?
Answer 1:
The steps to configure this are:
- Register application in Azure AD (sounds like you've already done this)
- Create corresponding service principal for your application (this may or may not have been done automatically when you registered the application - it depends on the method you used for registration)
- Assign the service principal RBAC access to the subscription(s).
The steps are described in detail here.
I believe you'll need to assign your service principal the Contributor role to enable resource group creation.
Answer 2:
You can also use the Azure CLI, which allows you to automate the task of creating a service principal. I did the following (from here):
- Install for your platform
- run
    az login
  to log into Azure w/your intended account
- run
    az ad sp create-for-rbac
  to create an Azure Active Directory Application with access to Azure Resource Manager for the current Azure Subscription
- You can fetch the subscription ID in which the Service Principal was created using:
    az account list --query "[?isDefault].id" -o tsv
I wrote this code in a gist for macOS here.
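The CLI steps above, as an added example that is not from either answer: a small script that creates the service principal with the Contributor role pinned to one subscription scope (the narrowest built-in role that still permits resourcegroups/write) and then lists the resulting role assignment so the grant can be checked. It assumes the Azure CLI is installed and logged in with an account allowed to assign roles; the display name rg-creator-app and the output file name are placeholders.

```shell
#!/usr/bin/env sh
# Added example, not code from the original answers. Assumes the Azure CLI (az)
# is installed and already logged in with an account allowed to assign roles.
set -eu

# Build the RBAC scope for one subscription. The GUID check stops a typo from
# silently producing a scope that does not exist or is wider than intended.
subscription_scope() {
  sub_id="$1"
  if ! printf '%s' "$sub_id" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
    echo "invalid subscription id: $sub_id" >&2
    return 1
  fi
  printf '/subscriptions/%s' "$sub_id"
}

# Create the service principal with Contributor pinned to that single
# subscription. The JSON reply contains the client secret ("password"), so it
# is written to a mode-600 file rather than echoed into logs or CI output.
create_rg_service_principal() {
  name="$1"; scope="$2"; out="$3"
  umask 077
  az ad sp create-for-rbac --name "$name" --role Contributor \
     --scopes "$scope" --years 1 -o json > "$out"
}

# Verify what the principal actually holds: expect exactly one Contributor
# assignment whose scope is the subscription and nothing broader.
show_assignments() {
  name="$1"; scope="$2"
  app_id=$(az ad sp list --display-name "$name" --query "[0].appId" -o tsv)
  az role assignment list --assignee "$app_id" --scope "$scope" \
     --query "[].{role:roleDefinitionName,scope:scope}" -o table
}

# Runs only when a subscription id is passed; sourcing the file just defines
# the functions. "rg-creator-app" and the output file name are placeholders.
if [ "$#" -gt 0 ]; then
  scope=$(subscription_scope "$1")
  create_rg_service_principal "rg-creator-app" "$scope" "sp-credentials.json"
  show_assignments "rg-creator-app" "$scope"
fi
```

Invoke as `sh create-rg-sp.sh <subscription-id>`; the final table should show a single Contributor row at /subscriptions/<id>, which is what the C# app needs for Microsoft.Resources/subscriptions/resourcegroups/write.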
Source: https://stackoverflow.com/questions/37688395/adding-write-permission-for-creating-resource-groups-to-an-azure-active-director