Rotating an AAD secret in Azure

Time: 2019-10-08 10:49:24

Tags: bash azure gitlab azure-active-directory azure-cli

I am trying to rotate the AAD server application secret for AKS.

When I run it locally on my Mac it works, but as soon as I run it in the GitLab pipeline it throws this error.

The expected behaviour is that my AKS updates its credentials. I have tested that the secret is being updated and that everything is called and named correctly, so the problem is only with the client secret.

I have also tried running it base64-encoded, with no luck.

ERROR: Operation failed with status: 'Bad Request'. Details: The server application credentials in AADProfile were invalid. Please see https://aka.ms/aks-aad-integration for more details. (Details: adal: Refresh request failed. Status Code = '401'. Response body: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret is provided.\r\nTrace ID: 7c1e5c58-ec2a-4221-a297-3e1d1bcc6700\r\nCorrelation ID: 6015fdc3-2d56-4f4d-832f-7f456c55035a\r\nTimestamp: 2019-10-08 10:39:04Z","error_codes":[7000215],"timestamp":"2019-10-08 10:39:04Z","trace_id":"7c1e5c58-ec2a-4221-a297-3e1d1bcc6700","correlation_id":"6015fdc3-2d56-4f4d-832f-7f456c55035a","error_uri":"https://login.microsoftonline.com/error?code=7000215"})

#! /bin/bash

# Look up the server and client app registrations by display name.
# '[0].appId' is quoted so the shell cannot glob-expand the JMESPath index.
AZURE_AKS_SERVER_APP_ID=$(az ad app list --display-name "${AZURE_AKS_SERVER_APP}" --query '[0].appId' -o tsv)
echo "AZURE_AKS_SERVER_APP_ID ${AZURE_AKS_SERVER_APP_ID}"
AZURE_AKS_CLIENT_APP_ID=$(az ad app list --display-name "${AZURE_AKS_CLIENT_APP}" --query '[0].appId' -o tsv)
echo "AZURE_AKS_CLIENT_APP_ID ${AZURE_AKS_CLIENT_APP_ID}"
TenantID=$(az account show | jq -r '.tenantId')
echo "TenantID ${TenantID}"
# Reset the server app credential to the supplied value; the returned password
# is base64-encoded here before being handed to AKS (the attempt described above).
serverApplicationSecret=$(az ad app credential reset --id "${AZURE_AKS_SERVER_APP_ID}" --credential-description "AKSPassword" --password "${SECRET}" --query password -o tsv | base64)
# Note: this echo writes the secret value into the pipeline job log.
echo "serverApplicationSecret ${serverApplicationSecret}"

az aks update-credentials --resource-group "${AZURE_RESOURCE_GROUP}" --name "${AZURE_RESOURCE_NAME_PREFIX}-crd-aks-${VARIANT}" \
 --reset-aad --aad-server-app-id "${AZURE_AKS_SERVER_APP_ID}" \
 --aad-server-app-secret "${serverApplicationSecret}" --aad-client-app-id "${AZURE_AKS_CLIENT_APP_ID}"

1 answer:

Answer 0 (score: 0)

The solution to this problem is that Azure takes about 90 seconds to populate its cloud in all regions with the new credentials, so a sleep 100 fixed it.

#!/bin/bash

# Resolve the server and client app registrations by display name.
AZURE_AKS_SERVER_APP_ID=$(az ad app list --display-name "${AZURE_AKS_SERVER_APP}" --query '[0].appId' -o tsv)
echo "AZURE_AKS_SERVER_APP_ID=${AZURE_AKS_SERVER_APP_ID}"

AZURE_AKS_CLIENT_APP_ID=$(az ad app list --display-name "${AZURE_AKS_CLIENT_APP}" --query '[0].appId' -o tsv)
echo "AZURE_AKS_CLIENT_APP_ID=${AZURE_AKS_CLIENT_APP_ID}"

# Tenant of the currently logged-in CLI session.
AZURE_TENANT_ID=$(az account show --query 'tenantId' -o tsv)
echo "AZURE_TENANT_ID=${AZURE_TENANT_ID}"

# Generate a new server app secret (no base64 this time) and pass it on as-is.
AZURE_AKS_SERVER_APP_SECRET=$(az ad app credential reset --id "${AZURE_AKS_SERVER_APP_ID}" --credential-description "AKSPassword" --query password -o tsv)
# Note: this echo writes the secret value into the pipeline job log.
echo "AZURE_AKS_SERVER_APP_SECRET=${AZURE_AKS_SERVER_APP_SECRET}"

# Give Azure AD time to replicate the new credential to all regions (~90 s).
sleep 100

az aks update-credentials \
  --subscription "${AZURE_SUBSCRIPTION_NAME}" \
  --resource-group "${AZURE_RESOURCE_GROUP}" \
  --name "${AZURE_RESOURCE_NAME_PREFIX}-crd-aks-${VARIANT}" \
  --reset-aad \
  --aad-tenant-id "${AZURE_TENANT_ID}" \
  --aad-server-app-id "${AZURE_AKS_SERVER_APP_ID}" \
  --aad-client-app-id "${AZURE_AKS_CLIENT_APP_ID}" \
  --aad-server-app-secret "${AZURE_AKS_SERVER_APP_SECRET}"
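A fixed sleep works but is a guess about propagation time. The script below is an added example (not from the question or the answer) that polls the Azure AD token endpoint for the AADSTS7000215 / invalid_client rejection seen in the error above and only calls az aks update-credentials once the rotated secret is accepted; AZURE_TENANT_ID, SERVER_APP_ID, CLIENT_APP_ID, RG and CLUSTER are assumed to be exported by the CI job.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: replace the fixed `sleep 100` with a
# poll against the Azure AD token endpoint and only run `az aks update-credentials`
# once the rotated secret is accepted. Variable names (AZURE_TENANT_ID, SERVER_APP_ID,
# CLIENT_APP_ID, RG, CLUSTER) are assumed to be exported by the CI job.

# probe_secret TENANT APP_ID SECRET: exit 0 once the token endpoint stops answering
# AADSTS7000215 / invalid_client for the new secret, 1 while it still rejects it or
# the request itself fails.
probe_secret() {
  body=$(curl -s -X POST "https://login.microsoftonline.com/$1/oauth2/v2.0/token" \
    --data-urlencode "client_id=$2" --data-urlencode "client_secret=$3" \
    --data-urlencode "scope=https://graph.microsoft.com/.default" \
    --data-urlencode "grant_type=client_credentials")
  [ -n "$body" ] || return 1                      # network failure: keep waiting
  case "$body" in *7000215*|*invalid_client*) return 1 ;; esac
  return 0
}

# wait_until MAX_ATTEMPTS DELAY_SECONDS CMD [ARGS...]: retry CMD until it exits 0.
# Returns 1 after MAX_ATTEMPTS failures; sets WAIT_ATTEMPTS to the attempt that succeeded.
wait_until() {
  max="$1"; delay="$2"; shift 2
  n=1
  while ! "$@"; do
    [ "$n" -lt "$max" ] || return 1
    n=$((n + 1))
    sleep "$delay"
  done
  WAIT_ATTEMPTS=$n
}

rotate_aks_server_secret() {
  # Keep the new secret out of the job log: its value is never echoed.
  NEW_SECRET=$(az ad app credential reset --id "$SERVER_APP_ID" \
    --credential-description "AKSPassword" --query password -o tsv) || return 1
  # 30 x 10 s = 5 min ceiling, well past the ~90 s propagation the answer reports.
  if ! wait_until 30 10 probe_secret "$AZURE_TENANT_ID" "$SERVER_APP_ID" "$NEW_SECRET"; then
    echo "rotated secret still rejected after 5 minutes; not updating cluster" >&2
    return 1
  fi
  echo "secret accepted after ${WAIT_ATTEMPTS} attempt(s); updating AKS"
  az aks update-credentials --resource-group "$RG" --name "$CLUSTER" --reset-aad \
    --aad-tenant-id "$AZURE_TENANT_ID" --aad-server-app-id "$SERVER_APP_ID" \
    --aad-server-app-secret "$NEW_SECRET" --aad-client-app-id "$CLIENT_APP_ID"
}

# Only perform the rotation when invoked as `script.sh run`; sourcing just defines helpers.
if [ "${1:-}" = "run" ]; then rotate_aks_server_secret; fi
```

Because the cluster update is skipped when the secret is still rejected, a propagation delay longer than expected fails the job visibly instead of leaving AKS configured with a credential AAD does not yet accept.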