我正在尝试从 api 读取databases/syncGroups
。
using Microsoft.Azure.Management.Fluent;
using Microsoft.Azure.Management.ResourceManager.Fluent;
var credentials = SdkContext.AzureCredentialsFactory.FromServicePrincipal(clientId, clientSecret, tenantId, AzureEnvironment.AzureGlobalCloud);
azure = Azure.Configure().Authenticate(credentials).WithSubscription(subscriptionId);
azure.SqlServers.SyncGroups.GetBySqlServer(resourceGroupName, serverName, databaseName, syncGroupName);
身份验证似乎有效,但是当我打电话SyncGroups.GetBySqlServer
时,我得到
The client '***' with object id '***' does not have authorization to perform action 'Microsoft.Sql/servers/databases/syncGroups/read' over scope '/subscriptions/***/resourceGroups/***/providers/Microsoft.Sql/servers/***/databases/***/syncGroups/MyGroup' or the scope is invalid. If access was recently granted, please refresh your credentials.
在消息中,clientId 和 objectId 它被赋予了相同的 ID,而且,clientId 它不是我要传递的那个。所以我不知道这是正常的还是我做错了。
我试图将databases/syncGroups/read
添加到我的subscriptions/***
角色中。但它仍然得到同样的错误。
我还错过了什么?
我使用了错误的键。
这是我所做的
- 安装 azure-cli
brew update && brew install azure-cli
- 创建服务主体
az ad sp create-for-rbac --name MyApplicatinName
Changing "MyApplicatinName" to a valid URI of "http://MyApplicatinName", which is the required format used for service principal names
Creating a role assignment under the scope of "/subscriptions/***"
{
"appId": "***",
"displayName": "MyApplicatinName",
"name": "http://MyApplicatinName",
"password": "***",
"tenant": "***"
}
- 使用正确的凭据
clientId = appId
clientSecret = password
var credentials = SdkContext.AzureCredentialsFactory.FromServicePrincipal(clientId, clientSecret, tenantId, AzureEnvironment.AzureGlobalCloud);
var auth = Azure.Configure().Authenticate(credentials);
azure = auth.WithSubscription(subscriptionId);
就是这样!
参考