Azure release pipeline, Terraform task: unable to authenticate to Azure, error 700016 reported

Time: 2019-03-12 12:09:09

Tags: terraform-provider-azure azure-pipelines-release-task

My release pipeline was working fine until I deleted the app registration / service principal from the UI and created a new one with the following command:

az ad sp create-for-rbac --name <Name of Service Principal> --password <Password>

I updated the "variable group" linked to the release pipeline with the values obtained from the command above.


But when I run the Terraform plan task, defined as follows:

Terraform plan -out main.plan -var "ARM_SUBSCRIPTION_ID=$(TF_VAR_ARM_SUBSCRIPTION_ID)" -var "ARM_CLIENT_ID=$(TF_VAR_ARM_CLIENT_ID)" -var "ARM_CLIENT_SECRET=$(TF_VAR_ARM_CLIENT_SECRET)" -var "ARM_TENANT_ID=$(TF_VAR_ARM_TENANT_ID)"

I get the following error message:

* provider.azurerm: Unable to list provider registration status, it is possible that this is due to invalid credentials or the service principal does not have permission to use the Resource Manager API, Azure error: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/***/providers?api-version=2016-02-01: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier '***()' was not found in the directory '***'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: 7a1e3f3a-5171-4044-b59a-49a78d3df300\r\nCorrelation ID: f61d0e14-ecf7-45b9-bbc7-e357ddb7b1dd\r\nTimestamp: 2019-03-12 10:22:16Z","error_codes":[700016],"timestamp":"2019-03-12 10:22:16Z","trace_id":"7a1e3f3a-5171-4044-b59a-49a78d3df300","correlation_id":"f61d0e14-ecf7-45b9-bbc7-e357ddb7b1dd","error_uri":"https://login.microsoftonline.com/error?code=700016"}
2019-03-12T10:22:16.4925828Z 

Before this task there is a CMD task that performs an az account login using the service principal. In its log output I can clearly see the output of az account, so why does the Terraform task not work?

Output of the CMD task:

2019-03-12T11:58:05.4615044Z Environment variable -x not defined
2019-03-12T11:58:05.4615608Z ***
2019-03-12T11:58:05.4667686Z ***
2019-03-12T11:58:05.4668423Z ***
2019-03-12T11:58:05.4669112Z ***
2019-03-12T11:58:05.4669557Z "Subscription ID=> ***"
2019-03-12T11:58:48.5462240Z [
2019-03-12T11:58:48.5463710Z   {
2019-03-12T11:58:48.5464432Z     "cloudName": "AzureCloud",
2019-03-12T11:58:48.5464946Z     "id": "***",
2019-03-12T11:58:48.5465917Z     "isDefault": true,
2019-03-12T11:58:48.5469154Z     "name": "Visual Studio Enterprise",
2019-03-12T11:58:48.5469568Z     "state": "Enabled",
2019-03-12T11:58:48.5469843Z     "tenantId": "***",
2019-03-12T11:58:48.5470058Z     "user": {
2019-03-12T11:58:48.5470290Z       "name": "***",
2019-03-12T11:58:48.5470496Z       "type": "servicePrincipal"
2019-03-12T11:58:48.5471388Z     }
2019-03-12T11:58:48.5471648Z   }
2019-03-12T11:58:48.5471999Z ]

It is defined as follows:

echo $(TF_VAR_ARM_SUBSCRIPTION_ID)
echo $(TF_VAR_ARM_TENANT_ID)
echo $(TF_VAR_ARM_CLIENT_SECRET)
echo $(TF_VAR_ARM_CLIENT_ID)
echo "Subscription ID=> $(TF_VAR_ARM_SUBSCRIPTION_ID)"
az login --service-principal -u $(TF_VAR_ARM_CLIENT_ID) -p $(TF_VAR_ARM_CLIENT_SECRET) --tenant $(TF_VAR_ARM_TENANT_ID)
az account show

Before this I was able to provision resources without any problem.

1 answer:

Answer 0 (score: 0)

Hopefully you have already solved this, but in case someone else runs into a similar problem, this is how I resolved the same error. If you authenticate with a service principal, you need to make sure the azurerm provider has all the required values (this happens automatically with a normal Azure CLI login, because it sets the appropriate env variables for you). The simplest way is to make sure your provider is set up as below (and that each variable is given the appropriate value via --var or --var-file).

provider "azurerm" {
  version         = "=1.24.0"
  tenant_id       = "${var.tenant}"
  subscription_id = "${var.subscription}"
  client_id       = "${var.client_id}"
  client_secret   = "${var.client_secret}"
}
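As an added example (not code from the question or the answer above), here is the variable declaration file that has to accompany such a provider block for the question's own "terraform plan -var ..." invocation to work as written: the Terraform variable names are assumed to match the -var names used in the question, and the provider block references them explicitly so no credential is left to be guessed from the agent's environment.

```hcl
# variables.tf (constructed example). The names deliberately match the
# -var "ARM_...=..." flags in the question's plan command; a -var for a
# variable that is not declared does nothing useful for the provider.
variable "ARM_SUBSCRIPTION_ID" {
  description = "Subscription the service principal is scoped to"
}

variable "ARM_TENANT_ID" {
  description = "Azure AD tenant that holds the (re-created) app registration"
}

variable "ARM_CLIENT_ID" {
  description = "Application (client) ID of the new service principal"
}

variable "ARM_CLIENT_SECRET" {
  description = "Client secret; supply it from a secret pipeline variable, never commit it"
}

# main.tf: every credential the azurerm provider needs is set explicitly,
# so the plan runs as the intended service principal rather than falling
# back to whatever identity the Azure CLI on the build agent is logged in as.
provider "azurerm" {
  version         = "=1.24.0"
  subscription_id = "${var.ARM_SUBSCRIPTION_ID}"
  tenant_id       = "${var.ARM_TENANT_ID}"
  client_id       = "${var.ARM_CLIENT_ID}"
  client_secret   = "${var.ARM_CLIENT_SECRET}"
}
```

Note that a Terraform variable named ARM_CLIENT_ID is not the same thing as the ARM_CLIENT_ID environment variable the azurerm provider reads directly; if the pipeline exported the four values as environment variables instead, the provider block would need no credential attributes at all.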