目前,我有两个订阅:S01和S02。我在S02中运行了一个需要访问S01资源的Runbook。
当我运行命令Get-AzureRmSubscription -SubscriptionName S01时,它甚至无法找到订阅。下面是代码和输出的示例:
$connectionName = "AzureRunAsConnection"
try
{
# Get the connection "AzureRunAsConnection "
$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
Write-Output "Logging in to Azure..."
$Account = Add-AzureRmAccount `
-ServicePrincipal `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint `
-Verbose `
-ErrorAction Stop
Write-Output "***** LOGGED IN ($((Get-AzureRmContext).Subscription.SubscriptionName)). *******"
}
catch {
if (!$servicePrincipalConnection)
{
$ErrorMessage = "Connection $connectionName not found."
throw $ErrorMessage
}
else
{
Write-Error -Message $_.Exception
throw $_.Exception
}
}
Write-Output "Current subscription using Get-AzureRmSubscription:"
Get-AzureRmSubscription
Write-Output "==============================================================="
Write-Output "Switch subscription using Select-AzureRmSubscription:"
Get-AzureRmSubscription -SubscriptionName "S01" | Select-AzureRmSubscription
Write-Output "==============================================================="
Write-Output "Switch subscription using Set-AzureRmContext:"
Set-AzureRmContext -SubscriptionName "S01"
Write-Output "==============================================================="
输出:
Logging in to Azure...
VERBOSE: Performing the operation "log in" on target "ServicePrincipal account in environment 'AzureCloud'".
***** LOGGED IN (S02). *******
Current subscription using Get-AzureRmSubscription:
WARNING: Unable to acquire token for tenant 'Common'
SubscriptionId : 2f301a20-22a3-b321-2a3c-829ac3d4e39a
SubscriptionName : S02
State : Enabled
TenantId : e2g374a3-8732-3466-9876-a7cd32b208de
CurrentStorageAccountName :
===============================================================
Switch subscription using Select-AzureRmSubscription:
WARNING: Unable to acquire token for tenant 'Common'
ERROR: Get-AzureRmSubscription : Subscription S01 was not found in tenant . Please verify that the subscription
exists in this tenant.
At line:37 char:2
+ Get-AzureRmSubscription -SubscriptionName "S01" | Sele ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Get-AzureRmSubscription], PSArgumentException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.GetAzureRMSubscriptionCommand
===============================================================
Switch subscription using Set-AzureRmContext:
ERROR: Set-AzureRmContext : Provided subscription S01 does not exist
At line:41 char:2
+ Set-AzureRmContext -SubscriptionName "S01"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Set-AzureRmContext], ArgumentException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.SetAzureRMContextCommand
===============================================================
我想这一切都围绕AzureRunAsConnection和AzureRunAsCertificate并使用ServicePrincipal。我的猜测是我需要使用S01的AzureRunAsConnect登录,我认为这意味着我需要将证书从S01和S02中取出,但我没有太多运气将S01的RunAsCertificate导出并导入S02
我已经尝试创建自己的AD应用程序,但我似乎也无法使用它。
我确定它必须是可能的,但是怎么样?我接近了,正确的方法是什么?
P.S。两个订阅"分享"相同的Azure AD。
TIA
答案 0 :(得分:1)
您无法将已分配的证书导出到Service Principal。所以你有两个选择:
无论您选择哪种方法,都应该在此处查看有关创建服务主体,证书等的逐步说明:https://docs.microsoft.com/en-us/azure/automation/automation-sec-configure-azure-runas-account#update-an-automation-account-using-powershell