我已经设置了一个 Azure Function 应用程序,它将使用收到的输入启动自定义 Azure 容器。我遇到了一些权限问题,不知道如何从这里开始。 在我的函数应用程序中,以下代码负责标识:
var defaultCredential = new DefaultAzureCredential();
var defaultToken = defaultCredential.GetToken(new TokenRequestContext(new[] { "https://management.azure.com/.default" })).Token;
var defaultTokenCredentials = new Microsoft.Rest.TokenCredentials(defaultToken);
var azureCredentials = new Microsoft.Azure.Management.ResourceManager.Fluent.Authentication.AzureCredentials(defaultTokenCredentials, defaultTokenCredentials, null, AzureEnvironment.AzureGlobalCloud);
// Initialize the Azure management client
var azure = Microsoft.Azure.Management.Fluent.Azure
.Configure()
.Authenticate(azureCredentials)
.WithSubscription("06bbdd51-XXXX-XXXX-XXXX-f6f6ca95be64");
函数应用程序已通过托管身份启用,如下所示,通过我作为贡献者的资源组。
执行并监控实时指标和日志后,我收到如下所示的权限问题:
Microsoft.Azure.WebJobs.Host.FunctionInvocationException: Exception while executing function: RequestHandler ---> Microsoft.Rest.Azure.CloudException: The client 'a151aed5-XXXX-XXXX-XXXX-f267790603ea' with object id 'a151aed5-XXXX-XXXX-XXXX-f267790603ea' does not have authorization to perform action 'Microsoft.ContainerInstance/containerGroups/write' over scope '/subscriptions/06bbdd51-XXXX-XXXX-XXXX-f6f6ca95be64/resourceGroups/asm/providers/Microsoft.ContainerInstance/containerGroups/asmexecution' or the scope is invalid. If access was recently granted, please refresh your credentials. at Microsoft.Azure.Management.ContainerInstance.Fluent.ContainerGroupsOperations.BeginCreateOrUpdateWithHttpMessagesAsync(String resourceGroupName, String containerGroupName, ContainerGroupInner containerGroup, Dictionary`2 customHeaders, CancellationToken cancellationToken) at Microsoft.Azure.Management.ContainerInstance.Fluent.ContainerGroupsOperations.CreateOrUpdateWithHttpMessagesAsync(String resourceGroupName, String
我不确定接下来的步骤是什么,如果有任何帮助或协助,将不胜感激。
对象 ID 为“a15XXXX603ea”的客户端“a151aed5-XXX3ea”无权在范围“/subscriptions/06bbdd51XXe64/resourceGroups/asm/providers/Microsoft.ContainerInstance/containerGroups/”上执行操作“Microsoft.ContainerInstance/containerGroups/write” asmexecution' 或范围无效。
要解决此错误,您必须将 Contributor 角色分配给 Subscription 中的 User。
当我尝试使用以下代码创建资源组时,出现了相同的错误:
代码片段:
var subscriptionid="<subscription_id>";
string resourceGroupName = "<resource_group_name>";
string region = "eastus";
var defaultCredential = new DefaultAzureCredential();
var defaultToken = defaultCredential.GetToken(new TokenRequestContext(new[] { "https://management.azure.com/.default" })).Token;
var defaultTokenCredentials = new Microsoft.Rest.TokenCredentials(defaultToken);
var azureCredentials = new Microsoft.Azure.Management.ResourceManager.Fluent.Authentication.AzureCredentials(defaultTokenCredentials, defaultTokenCredentials, null, AzureEnvironment.AzureGlobalCloud);
var azure = Microsoft.Azure.Management.Fluent.Azure
.Configure()
.Authenticate(azureCredentials)
.WithSubscription(subscriptionid);
var resourceGroup = await azure.ResourceGroups
.Define(resourceGroupName)
.WithRegion(region)
.CreateAsync();
要解决此问题,请为我的订阅中的 UserID 分配 Contributor 角色。
传送门: