Problem description
Another user identity question. I have 2 UAIs assigned to my VM. These UAIs are assigned to "reader" roles on a storage container and a key vault. When I query the metadata I get this:
root@danno1:/opt/bootstrap# curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://vault.azure.net/' -H Metadata:true
{"error":"invalid_request","error_description":"Identity not found"}
The 2 UAIs I've checked are linked properly to role assignments against the correct storage container and key vault. While debugging, I enabled a SystemAssigned identity on the box and suddenly I was receiving tokens. Are there any other steps I need to do in order to "enable" identity services on the VM? I launched the VM with Terraform using the identity={} section in the azurerm_virtual_machine resource, but it seems like the machine isn't registered with identity services if I launch it with the UAIs only.
If I query the identity of the machine, I get this back:
$ az vm identity show --ids "/subscriptions/11111111111-111111111111/resourceGroups/THE-RG/providers/Microsoft.Compute/virtualMachines/danno1"
{
  "principalId": null,
  "tenantId": null,
  "type": "UserAssigned",
  "userAssignedIdentities": {
    "/subscriptions/11111111111-111111111111/resourceGroups/ManagedServiceIdentity-Wus-Rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/08329dcb-3-wus-uai": {
      "clientId": "11111111111-444444444444",
      "principalId": "11111111111-555555555555"
    },
    "/subscriptions/11111111111-111111111111/resourceGroups/ManagedServiceIdentity-Wus-Rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/0afbc123-3-wus-uai": {
      "clientId": "11111111111-222222222222",
      "principalId": "11111111111-33333333333"
    }
  }
}
Thanks if anyone knows!
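As an added example (not code from the original poster), the Python below reads the clientId of each UAI out of `az vm identity show` output shaped like the one above and builds the IMDS token request with an explicit `client_id` selector. IMDS accepts `client_id`, `object_id` or `mi_res_id` as query parameters to name which of several user-assigned identities should mint the token; with two UAIs and no system-assigned identity, a request that names none, like the curl in the post, gives IMDS nothing to pick. The VM identity JSON and the success body in the block are constructed from the redacted values in the post; `ImdsError` and the function names are this example's own.

```python
"""Request an IMDS token for a specific user-assigned identity.

Added example, not code from the original post. The JSON samples are
constructed from the redacted `az vm identity show` output in the question;
ImdsError and the function names are this example's own.
"""
import json
import urllib.error
import urllib.request
from typing import Dict, Optional
from urllib.parse import urlencode

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"

# Constructed: shape of `az vm identity show` for a VM with two UAIs and no
# system-assigned identity (top-level principalId/tenantId are null then).
VM_IDENTITY_JSON = """
{
  "principalId": null,
  "tenantId": null,
  "type": "UserAssigned",
  "userAssignedIdentities": {
    "/subscriptions/11111111111-111111111111/resourceGroups/ManagedServiceIdentity-Wus-Rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/08329dcb-3-wus-uai": {
      "clientId": "11111111111-444444444444",
      "principalId": "11111111111-555555555555"
    },
    "/subscriptions/11111111111-111111111111/resourceGroups/ManagedServiceIdentity-Wus-Rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/0afbc123-3-wus-uai": {
      "clientId": "11111111111-222222222222",
      "principalId": "11111111111-33333333333"
    }
  }
}
"""

# The error body quoted in the post, and a constructed success body in the
# field layout IMDS uses (expires_on is a string of epoch seconds).
IMDS_ERROR_BODY = '{"error":"invalid_request","error_description":"Identity not found"}'
IMDS_OK_BODY = ('{"access_token":"eyJ0eXAi.constructed.token","expires_in":"28799",'
                '"expires_on":"1540000000","resource":"https://vault.azure.net/",'
                '"token_type":"Bearer"}')


class ImdsError(RuntimeError):
    """IMDS returned an OAuth-style error object instead of a token."""


def client_ids_by_name(identity_json: str) -> Dict[str, str]:
    """Map each UAI's resource name (last path segment) to its clientId."""
    identity = json.loads(identity_json)
    uais = identity.get("userAssignedIdentities") or {}
    return {res_id.rsplit("/", 1)[-1]: props["clientId"] for res_id, props in uais.items()}


def token_request_url(resource: str, client_id: Optional[str] = None,
                      object_id: Optional[str] = None,
                      mi_res_id: Optional[str] = None) -> str:
    """Build the IMDS token URL, naming at most one identity selector."""
    selectors = {k: v for k, v in (("client_id", client_id),
                                   ("object_id", object_id),
                                   ("mi_res_id", mi_res_id)) if v}
    if len(selectors) > 1:
        raise ValueError("pass only one of client_id, object_id, mi_res_id")
    params = {"api-version": API_VERSION, "resource": resource, **selectors}
    return f"{IMDS_TOKEN_URL}?{urlencode(params)}"


def parse_token_response(body: str) -> Dict[str, object]:
    """Return the token fields, or raise ImdsError on an error object."""
    data = json.loads(body)
    if "error" in data:
        raise ImdsError(f"{data['error']}: {data.get('error_description', '')}")
    return {
        "access_token": data["access_token"],
        "expires_on": int(data["expires_on"]),
        "resource": data["resource"],
    }


def fetch_token(resource: str, client_id: Optional[str] = None,
                opener=urllib.request.urlopen) -> Dict[str, object]:
    """Call IMDS (the Metadata: true header is mandatory) and parse the reply.

    IMDS reports errors with an HTTP 4xx status and a JSON body, so the
    HTTPError body is parsed the same way as a success body.
    """
    req = urllib.request.Request(token_request_url(resource, client_id=client_id),
                                 headers={"Metadata": "true"})
    try:
        with opener(req, timeout=5) as resp:
            body = resp.read().decode()
    except urllib.error.HTTPError as exc:
        body = exc.read().decode()
    return parse_token_response(body)


if __name__ == "__main__":
    ids = client_ids_by_name(VM_IDENTITY_JSON)
    print(token_request_url("https://vault.azure.net/", client_id=ids["08329dcb-3-wus-uai"]))
```

Run on the VM itself, `fetch_token("https://vault.azure.net/", client_id=ids["08329dcb-3-wus-uai"])` sends the same request as the curl in the post plus the `client_id` selector; the `az vm identity show` output is the place to read that clientId from, since the principalId is what the role assignment references and not what IMDS selects on.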
Recommended answer