尝试将service principal分配给Azure容器注册表无济于事。 Azure docs声明以下内容...
您可以将服务主体分配给注册表,您的应用程序或服务可以将其用于无头认证
我希望通过terraform进行此操作,但是在Azure provider azurerm_container_registry docs (managed) ...
App.py
index.py
app1.py
app2.py
我希望找到一个resource "azurerm_resource_group" "rg" {
name = "resourceGroup1"
location = "West US"
}
resource "azurerm_container_registry" "acr" {
name = "containerRegistry1"
resource_group_name = "${azurerm_resource_group.rg.name}"
location = "${azurerm_resource_group.rg.location}"
sku = "Premium"
admin_enabled = false
georeplication_locations = ["East US", "West Europe"]
}
节,例如azurerm_kubernetes_cluster resource中可用的节...
service_principal我在想这个错误的方式吗?在服务主体如何发挥作用方面,许多Azure资源似乎存在脱节。我认为应该指责不断发展的API,但这似乎是一个简单的问题……也许我在这里完全不合时宜。有想法吗?
答案 0 :(得分:0)
带有服务主体的AKS和ACR之间有所不同。
对于AKS,它需要为Pod或服务创建一个秘密以访问ACR,并且该秘密在yaml文件中设置。因此,它同时需要client_id和client_secret。
但是对于ACR,您需要具有特定权限的服务主体,其他人才能访问它。因此,您只需要使用权限设置和client_id将服务主体分配给ACR。 terraform代码如下:
resource "azurerm_resource_group" "rg" {
name = "resourceGroup1"
location = "West US"
}
resource "azurerm_container_registry" "acr" {
name = "containerRegistry1"
resource_group_name = "${azurerm_resource_group.rg.name}"
location = "${azurerm_resource_group.rg.location}"
sku = "Premium"
admin_enabled = false
georeplication_locations = ["East US", "West Europe"]
}
resource "azurerm_azuread_service_principal" "test" {
application_id = "${azurerm_azuread_application.test.application_id}"
}
resource "azurerm_azuread_service_principal_password" "test" {
service_principal_id = "${azurerm_azuread_service_principal.test.id}"
value = "VT=uSgbTanZhyz@%nL9Hpd+Tfay_MRV#"
end_date = "2020-01-01T01:02:03Z"
}
resource "azurerm_role_assignment" "test" {
scope = "${azurerm_container_registry.acr.id}"
role_definition_id = "Contributor"
principal_id = "${azurerm_azuread_service_principal_password.test.service_principal_id}"
}
有关更多详细信息,请参见azurerm_role_assignment。希望这会帮助你。如果您需要更多帮助,请告诉我。