【Azure 环境】如何解决Principal 2330xxxxxxxxxxxxxxxxxxxx31efc5 does not exist in the directory xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx问题

问题描述

在使用 Key Vault 和 Azure CLI 管理存储帐户密钥的官方文档中,其中有一步是“向 Key Vault 授予对你的存储帐户的访问权限”, 其中CLI命令中使用的--assignee-object-id参数值为2330fcd0-aceb-49c4-a58f-27980b31efc5,根据说明其值为Azure 中国云中 Key Vault 的对象 ID,固定不变。但是在执行时,则出现如下错误:

Principal 2330fcd0aceb49c4a58f27980b31efc5 does not exist in the directory xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.

完整的错误消息体为:

### 1
az role assignment create --role "Storage Account Key Operator Service Role" --assignee-object-id "xxxxxxxx-xxxx-xxxx-xxxx-efe0ge7cxxxx" --scope "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testrg/providers/Microsoft.Storage/storageAccounts/testsa01" 报错: Failed to query --assignee-principal-type for xxxxxxxx-xxxx-xxxx-xxxx-efe0ge7cxxxx by invoking Graph API. RBAC server might reject creating role assignment without --assignee-principal-type in the future. Better to specify --assignee-principal-type manually. Principal xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx does not exist in the directory xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
### 2
az role assignment create
--role "Storage Account Key Operator Service Role" --assignee "https://vault.azure.cn" --scope "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testrg/providers/Microsoft.Storage/storageAccounts/testsa01" 报错: Cannot find user or service principal in graph database for 'https://vault.azure.cn'. If the assignee is an appId, make sure the corresponding service principal is created with 'az ad sp create --id https://vault.azure.cn'

 

 

问题原因

文档描述错误,Azure中国云为Key Vault注册的对象ID(Object)并不是固定不变,在每个不同的租户下,其值不同。只有Key Vault中Application ID保持不变。正如文档中描述的:

解决办法

根据Azure Key Vault的应用程序ID获取在Azure AAD中查找到正确的Object ID。然后执行az role assignment create命令

az role assignment create --role "Storage Account Key Operator Service Role" --assignee-object-id <right key vault object id in AAD> --scope "/subscriptions/<subscriptionID>/resourceGroups/<StorageAccountResourceGroupName>/providers/Microsoft.Storage/storageAccounts/<YourStorageAccountName>"

获取Key Vault的Object ID方式如下:

第一步:进入Azure AD, 在overview页面搜索key vault的application id(此ID为固定值 cfa8b339-82a2-471a-a3c9-0fc0be7a4093,见:https://docs.azure.cn/zh-cn/key-vault/secrets/overview-storage-keys#service-principal-application-id)

 

第二步:点击进入Key Vault页面查看Object ID

 

第三步:获取到Key Vault的Object ID后,执行CLI命令成功

 

 

参考文档

使用 Key Vault 和 Azure CLI 管理存储帐户密钥https://docs.azure.cn/zh-cn/key-vault/secrets/overview-storage-keys#give-key-vault-access-to-your-storage-account

posted @ 2021-01-16 18:28  路边两盏灯  阅读(1643)  评论(0编辑  收藏  举报