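【Posted】: 2020-03-13 15:14:36
【Problem description】:
I am trying to add virtual network rules to a Cosmos DB account using PowerShell. The VNets exist in a different tenant. I did the same thing for a storage account and it worked fine. I am getting the following error. Can someone give me some pointers on where I am going wrong? Is it possible to do this for a Cosmos DB database?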
Set-AzureRmResource : LinkedAuthorizationFailed : The client has permission to perform action 'Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action' on scope
'/subscriptions/Subscription ID of Cosmos DB/resourceGroups/nbspreprd3/providers/Microsoft.DocumentDb/databaseAccounts/nbspreprd3-config-document-db', however the current tenant '' is
not authorized to access linked subscription ''.
At line:8 char:5
+     Set-AzureRmResource -ResourceType $ResourceType -ResourceGroupNam ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Set-AzureRmResource], ErrorResponseMessageException
    + FullyQualifiedErrorId : LinkedAuthorizationFailed,Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.SetAzureResourceCmdlet
Here is the PowerShell script
$ResourceGroupName = "*******"
$accountname = "*******"
$ResourceType = "Microsoft.DocumentDb/databaseAccounts"
# Read the current Cosmos DB account, including its existing virtualNetworkRules
$cosmosAccount = Get-AzureRMResource -ResourceType $ResourceType -ResourceGroupName $resourceGroupName -Name $accountName
# Subnet resource IDs to allow (the VNets are in a different tenant)
$VnrID1 = "/subscriptions/*******/resourceGroups/build-agents/providers/Microsoft.Network/virtualNetworks/build-agents-vnet/subnets/build-2-subnet"
$VnrID2 = "/subscriptions/*******/resourceGroups/build-agents/providers/Microsoft.Network/virtualNetworks/build-agents-vnet/subnets/build-3-subnet"
$VnrID3 = "/subscriptions/*******/resourceGroups/build-agents/providers/Microsoft.Network/virtualNetworks/build-agents-vnet/subnets/=build1-subnet"
function setCosmosRule {
    Param($ResourceGroupName, $accountname, $ResourceType, $cosmosAccount, $VnrID1)
    $vnetrules = $cosmosAccount.Properties.virtualNetworkRules
    # Skip the update when a rule for this subnet ID is already present
    $existsCosmos = ($cosmosAccount.Properties.virtualNetworkRules | Where-Object {$_.id -eq $VnrID1} | Measure-Object).Count -ne 0
    if (-not($existsCosmos)) {
        $ourObject = New-Object -TypeName psobject
        $ourObject | Add-Member -MemberType NoteProperty -Name id -Value $VnrID1
        # Use the boolean $true; a bare True is passed as the string "True"
        $ourObject | Add-Member -MemberType NoteProperty -Name ignoreMissingVNetServiceEndpoint -Value $true
        # Append to a flat array; "$vnetrules, $ourObject" would nest the existing rules
        $newVnetRules = @($vnetrules) + $ourObject
        $cosmosAccount.Properties.virtualNetworkRules = $newVnetRules
        $CosmosDBProperties = $cosmosAccount.Properties
        # Write the full property set back; this is the call that fails with LinkedAuthorizationFailed
        Set-AzureRmResource -ResourceType $ResourceType -ResourceGroupName $ResourceGroupName -ResourceName $accountname -Properties $cosmosDBProperties -Force
    }
}
Any pointers and tips are greatly appreciated.
Thank you
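【Discussion】:
- If they are in different tenants, don't they first have to be peered through the subnets from both subscriptions?
- Are your Cosmos DB and VNet resources in different tenants and subscriptions?
- Thanks @MarkBrown - I have peered both subnets but still get the same error
- @JimXu Yes, the Cosmos DB is in one tenant and the VNet resources are in another tenant. I thought doing cross-tenant peering would make it work, but that did not work either.
- @TaherKhan May I ask whether you have permission to access the different tenants?
Tags: azure powershell azure-cosmosdb firewall rules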