尝试将service principal分配给Azure容器注册表无济于事。Azure docs声明了以下内容...
您可以将服务主体分配给注册表,您的应用程序或服务可以使用它进行无头身份验证
我希望通过terraform来实现这一点,但我在Azure provider azurerm_container_registry
docs (managed)中看不到任何类型的服务主体选项...
resource "azurerm_resource_group" "rg" {
name = "resourceGroup1"
location = "West US"
}
resource "azurerm_container_registry" "acr" {
name = "containerRegistry1"
resource_group_name = "${azurerm_resource_group.rg.name}"
location = "${azurerm_resource_group.rg.location}"
sku = "Premium"
admin_enabled = false
georeplication_locations = ["East US", "West Europe"]
}
我希望找到一个service_principal
节,比如azurerm_kubernetes_cluster
resource中提供的内容……
resource "azurerm_kubernetes_cluster" "test" {
// [...]
service_principal {
client_id = "00000000-0000-0000-0000-000000000000"
client_secret = "00000000000000000000000000000000"
}
}
我是不是想错了?在服务主体如何发挥作用方面,似乎与许多Azure资源脱节。我认为不断发展的API是罪魁祸首,但这似乎是一个简单的问题……也许我完全搞错了。有什么想法?
发布于 2018-12-14 09:32:25
在AKS和ACR之间有一些不同的服务主体。
对于AKS,需要创建pods或服务访问ACR的secret,该secret设置在yaml文件中。所以它同时需要client_id和client_secret。
但对于ACR,您需要一个具有与之关联的特定权限的服务主体,以便其他人访问它。因此,您只需使用权限设置和client_id将服务主体分配给ACR。terraform代码如下所示:
resource "azurerm_resource_group" "rg" {
name = "resourceGroup1"
location = "West US"
}
resource "azurerm_container_registry" "acr" {
name = "containerRegistry1"
resource_group_name = "${azurerm_resource_group.rg.name}"
location = "${azurerm_resource_group.rg.location}"
sku = "Premium"
admin_enabled = false
georeplication_locations = ["East US", "West Europe"]
}
resource "azurerm_azuread_service_principal" "test" {
application_id = "${azurerm_azuread_application.test.application_id}"
}
resource "azurerm_azuread_service_principal_password" "test" {
service_principal_id = "${azurerm_azuread_service_principal.test.id}"
value = "VT=uSgbTanZhyz@%nL9Hpd+Tfay_MRV#"
end_date = "2020-01-01T01:02:03Z"
}
resource "azurerm_role_assignment" "test" {
scope = "${azurerm_container_registry.acr.id}"
role_definition_id = "Contributor"
principal_id = "${azurerm_azuread_service_principal_password.test.service_principal_id}"
}
有关详细信息,请参阅azurerm_role_assignment。希望这能对你有所帮助。如果你需要更多的帮助,请告诉我。
https://stackoverflow.com/questions/53771773
复制相似问题