Granting access to a service principal in another Azure tenant

chi*_*mar 1 azure azure-active-directory terraform terraform-provider-azure sre

We deploy resources in an Azure tenant via Jenkins, which uses Terraform to provision the infrastructure. We authenticate and provision with a service principal from the same tenant. As part of our infrastructure deployment we also create a VNet peering between the newly deployed VNet and a central VNet that hosts all shared infrastructure resources (monitoring and logging platform, etc.). Now we have a use case where, using the same Jenkins and Terraform scripts, we want to provision resources in a different tenant. This can be done by using a service principal from the remote tenant. The problem now is that the service principal of TenantB has no permission to create network resources in TenantA. To achieve this, the service principal of TenantB should be able to access the VNet in TenantA. I am looking for documentation or guidance on how we can give our TenantB service principal access to TenantA.

Ans*_*-MT 5

  • Hoping that you have created a service principal using multi-tenant authentication (if it is single-tenant, please change the authentication method to multi-tenant), add a redirect URI https://www.microsoft.com.


  • After you have created the service principal you can open the below url in a private browser for adding it on another tenant:

     https://login.microsoftonline.com/<Tenant B ID>/oauth2/authorize?client_id=<Application (client in tenant A) ID>&response_type=code&redirect_uri=https%3A%2F%2Fwww.microsoft.com%2F

    It will ask for authorization on behalf of the organization; you can accept it.

  • After the above is done, you can log in to the portal of that tenant and go to Enterprise applications, where you will see it; provide a role assignment (Owner/Contributor) for that subscription.

  • After this is done you can use something like the below terraform script:
provider "azurerm" {
  alias                = "tenantA"
  subscription_id      = "b83c1ed3-xxxxx-xxxxxx-xxxxxx-xxxxxx"   # sub id of tenant A
  tenant_id            = "72f988bf-xxxxxx-xxxxx-xxxxxxx-xxxxxx"  # tenant id of tenant A
  client_id            = "f6a2f33d-xxxx-xxxx-xxxxx-xxxxxxxx"     # client id of service principal in tenant A
  client_secret        = "y5L7Q~oiMOoGCxm7fK~xxxxxxxxxxxxxxx"    # client secret of service principal in tenant A
  auxiliary_tenant_ids = ["ab078f81-xxxxxx-xxxxxxxx-xxxxxx"]     # tenant id of tenant B
  features {}
}

provider "azurerm" {
  alias                = "tenantB"
  subscription_id      = "88073b30-xxx-xxxxx-xxxxx-xxxxxxx"      # sub id of tenant B
  tenant_id            = "ab078f81-xxxxx-xxxxxxx-xxxxxxxxx"      # tenant id of tenant B
  client_id            = "f6a2f33d-xxxx-xxxxxx-xxxxxx-xxxxxx"    # client id of service principal in tenant A
  client_secret        = "y5L7Q~oiMOoGCxm7fK~xxxxxxxxxxxxxxxx"   # client secret of service principal in tenant A
  auxiliary_tenant_ids = ["72f988bf-xxxx-xxxxx-xxxxxxxxxx-xx"]   # tenant id of tenant A
  features {}
}

data "azurerm_resource_group" "tenantARG" {
  provider = azurerm.tenantA
  name     = "reswourcegroup"
}

data "azurerm_resource_group" "tenantBRG" {
  provider = azurerm.tenantB
  name     = "ansuman-resourcegroup"
}

data "azurerm_virtual_network" "GlobalVnet" {
  provider            = azurerm.tenantA
  name                = "ansuman-vnet"
  resource_group_name = data.azurerm_resource_group.tenantARG.name
}

data "azurerm_virtual_network" "tenantBVnet" {
  provider            = azurerm.tenantB
  name                = "test-vnet"
  resource_group_name = data.azurerm_resource_group.tenantBRG.name
}

resource "azurerm_virtual_network_peering" "example-1" {
  provider                  = azurerm.tenantA
  name                      = "peer1to2"
  resource_group_name       = data.azurerm_resource_group.tenantARG.name
  virtual_network_name      = data.azurerm_virtual_network.GlobalVnet.name
  remote_virtual_network_id = data.azurerm_virtual_network.tenantBVnet.id
}

resource "azurerm_virtual_network_peering" "example-2" {
  provider                  = azurerm.tenantB
  name                      = "peer2to1"
  resource_group_name       = data.azurerm_resource_group.tenantBRG.name
  virtual_network_name      = data.azurerm_virtual_network.tenantBVnet.name
  remote_virtual_network_id = data.azurerm_virtual_network.GlobalVnet.id
}


Output: (screenshot of the successful terraform apply, not reproduced here)

Note: In my test case, I have used 2 VNets present in different tenants. I created a service principal in tenant A and provided Contributor permissions to it in tenant B using the above methods, and then used Terraform to perform the VNet peering.
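As an added check that is not part of the answer above (nor of the azurerm provider), this script parses the two `provider "azurerm"` blocks from a constructed sample with placeholder GUIDs and verifies what the cross-tenant layout relies on: both blocks use the same multi-tenant service principal, each lists the other tenant in `auxiliary_tenant_ids`, and no client secret is committed in the HCL (the provider reads `ARM_CLIENT_SECRET` from the environment instead).

```python
import re

# Constructed sample (placeholder GUIDs) mirroring the answer's layout: one
# multi-tenant SP from tenant A, each provider naming the other tenant as auxiliary.
SAMPLE_TF = '''
provider "azurerm" {
    alias = "tenantA"
    subscription_id = "00000000-0000-0000-0000-00000000000a"
    tenant_id = "11111111-1111-1111-1111-11111111111a"
    client_id = "22222222-2222-2222-2222-222222222222"
    auxiliary_tenant_ids = ["11111111-1111-1111-1111-11111111111b"]
    features {}
}
provider "azurerm" {
    alias = "tenantB"
    subscription_id = "00000000-0000-0000-0000-00000000000b"
    tenant_id = "11111111-1111-1111-1111-11111111111b"
    client_id = "22222222-2222-2222-2222-222222222222"
    auxiliary_tenant_ids = ["11111111-1111-1111-1111-11111111111a"]
    features {}
}
'''

BLOCK_RE = re.compile(r'provider\s+"azurerm"\s*\{(.*?)^\}', re.S | re.M)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(\[[^\]]*\]|"[^"]*")', re.M)

def parse_providers(hcl):
    """Return {alias: {attribute: value}} for each azurerm provider block."""
    providers = {}
    for body in BLOCK_RE.findall(hcl):
        attrs = {}
        for key, raw in ATTR_RE.findall(body):
            # list values become Python lists, quoted strings are unquoted
            attrs[key] = re.findall(r'"([^"]*)"', raw) if raw.startswith('[') else raw.strip('"')
        providers[attrs.get('alias', 'default')] = attrs
    return providers

def check_cross_tenant(providers):
    """Return findings; an empty list means the cross-tenant setup is consistent."""
    findings = []
    for alias, cfg in providers.items():
        if 'client_secret' in cfg:
            findings.append(f'{alias}: client_secret is hardcoded; supply it via ARM_CLIENT_SECRET')
        for other, ocfg in providers.items():
            if other == alias:
                continue
            # same SP everywhere, and every other tenant listed so tokens can be requested for it
            if cfg['client_id'] != ocfg['client_id']:
                findings.append(f'{alias}: client_id differs from {other}')
            if ocfg['tenant_id'] not in cfg.get('auxiliary_tenant_ids', []):
                findings.append(f'{alias}: auxiliary_tenant_ids is missing the tenant of {other}')
    return findings
```

Run `check_cross_tenant(parse_providers(open("main.tf").read()))` against the real file; an empty list is the expected result before `terraform apply`.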