构建 AzureRM 客户端时出错：从 Azure CLI 填充客户端 ID 时出错：未找到授权令牌

Question

您之前是否遇到过主题行中提到的错误？，我对此很感兴趣，但无法解决。以下是我为创建服务主体而执行的步骤

az login
-- Gives me a device code to enter in browser
Login to az non-interactively
az account set --subscription="xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

Check correct account by
az account show

Create a SP
az ad sp create-for-rbac -n "tf-authenticator" --role contributor

运行 terraform 计划，如下所示：

[jim@rhel75 msdn]$ terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

azurerm_resource_group.tf-rg-cluster-sql: Refreshing state...       os_profile_windows_config.1060902566.enable_automatic_upgrades:     "true"



Plan: 28 to add, 0 to change, 0 to destroy.

------------------------------------------------------------------------

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.

现在，我再次运行 terraform 并收到未找到授权令牌的错误！

[jim@rhel75 msdn]$ terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.


Error: Error refreshing state: 1 error(s) occurred:

* provider.azurerm: Error building AzureRM Client: Error populating Client ID from the Azure CLI: No Authorization Tokens were found - please re-authenticate using `az login`.

请注意，我在 1. CentOS 7.6 2. Ubuntu 16.04 3. Azure Pipelines Release Pipeline（使用 Ubuntu 16.04 代理）上测试了相同的行为

更新：当我尝试创建 SP 时遇到一个奇怪的错误。我已经有我的默认订阅，但仍然运行以下命令并收到错误：

az ad sp create-for-rbac -n "tf-authenticator" --role="Contributor" --scopes="/subscriptions/xxxxxxxxxxxxxxxxxxx"

错误信息：

Changing "tf-authenticator" to a valid URI of "http://tf-authenticator", which is the required format used for service principal names
Get Token request returned http error: 400 and server response: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier 'bd58677d-d0a4-46a5-9b5a-02c6662ae149' was not found in the directory '055b56f0-423b-4b1a-b6bc-6ae09ab61485'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: cc58c97b-2247-4bf7-ab6c-7d1b993f0b00\r\nCorrelation ID: 42540a48-7d44-494b-9dc2-a8dd9d6c10b7\r\nTimestamp: 2019-03-14 00:46:49Z","error_codes":[700016],"timestamp":"2019-03-14 00:46:49Z","trace_id":"cc58c97b-2247-4bf7-ab6c-7d1b993f0b00","correlation_id":"42540a48-7d44-494b-9dc2-a8dd9d6c10b7","error_uri":"https://login.microsoftonline.com/error?code=700016"}

我进一步深入研究，这与 azure 令牌有关，因为我可以使用 Azure CLI 本身创建 VM 实例，请参阅下面的证据：

az vm create   --resource-group "myResourceGroup"   --name "myVM"   --image "Win2016Datacenter"   --admin-username "Demouser"   --admin-password "Demouser@123"   --use-unmanaged-disk   --location "Australia Southeast"
Azure Error: InvalidTemplateDeployment
Message: The template deployment failed with error: 'The resource with id: '/subscriptions/11855b5b-484f-4104-b77b-a73eb8cd74dc/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM' failed validation with message: 'The requested size for resource '/subscriptions/11855b5b-484f-4104-b77b-a73eb8cd74dc/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM' is currently not available in location 'australiasoutheast' zones '' for subscription '11855b5b-484f-4104-b77b-a73eb8cd74dc'. Please try another size or deploy to a different location or zones. See https://aka.ms/azureskunotavailable for details.'.'.

它没有启动虚拟机，但至少很清楚，如果大小合适，它可以继续运行。

Answer 1

您可以尝试遵循此文档 - https://learn.microsoft.com/en-us/azure/developer/terraform/get-started-cloud-shell-bash?tabs=bash

• 您需要创建环境变量才能部署azure门户
• 另一件事 - 你需要在 .tf 文件中有环境变量
• 我建议您不要以纯文本形式存储秘密
• 如果您使用azure devops管道进行部署，您可以将其存储在keyvault或变量中
• 如果您将 terraform cloud 与工作区一起使用，您可以将其存储在变量中