一個人如何從一個潤色簿訪問不同的訂閱

Question

目前，我有兩個訂閱：S01和S02。我有一個在S02中運行的需要訪問S01資源的Runbook。

當我運行命令Get-AzureRmSubscription -SubscriptionName S01時，它甚至無法找到訂閱。下面是代碼和輸出的例子：

$connectionName = "AzureRunAsConnection" 
try 
{ 
    # Get the connection "AzureRunAsConnection " 
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName   

    Write-Output "Logging in to Azure..." 
    $Account = Add-AzureRmAccount ` 
     -ServicePrincipal ` 
     -TenantId $servicePrincipalConnection.TenantId ` 
     -ApplicationId $servicePrincipalConnection.ApplicationId ` 
     -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint ` 
     -Verbose ` 
     -ErrorAction Stop 

    Write-Output "***** LOGGED IN ($((Get-AzureRmContext).Subscription.SubscriptionName)). *******" 
} 
catch { 
    if (!$servicePrincipalConnection) 
    { 
     $ErrorMessage = "Connection $connectionName not found." 
     throw $ErrorMessage 
    } 
    else 
    { 
     Write-Error -Message $_.Exception 
     throw $_.Exception 
    } 
} 

Write-Output "Current subscription using Get-AzureRmSubscription:" 
Get-AzureRmSubscription 
Write-Output "===============================================================" 

Write-Output "Switch subscription using Select-AzureRmSubscription:" 
Get-AzureRmSubscription -SubscriptionName "S01" | Select-AzureRmSubscription 
Write-Output "===============================================================" 

Write-Output "Switch subscription using Set-AzureRmContext:" 
Set-AzureRmContext -SubscriptionName "S01" 
Write-Output "===============================================================" 

輸出：

Logging in to Azure... 

VERBOSE: Performing the operation "log in" on target "ServicePrincipal account in environment 'AzureCloud'". 

***** LOGGED IN (S02). ******* 

Current subscription using Get-AzureRmSubscription: 

WARNING: Unable to acquire token for tenant 'Common' 

SubscriptionId   : 2f301a20-22a3-b321-2a3c-829ac3d4e39a 
SubscriptionName   : S02 
State      : Enabled 
TenantId     : e2g374a3-8732-3466-9876-a7cd32b208de 
CurrentStorageAccountName : 

=============================================================== 

Switch subscription using Select-AzureRmSubscription: 

WARNING: Unable to acquire token for tenant 'Common' 

ERROR: Get-AzureRmSubscription : Subscription S01 was not found in tenant . Please verify that the subscription 
exists in this tenant. 
At line:37 char:2 
+ Get-AzureRmSubscription -SubscriptionName "S01" | Sele ... 
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
    + CategoryInfo   : CloseError: (:) [Get-AzureRmSubscription], PSArgumentException 
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.GetAzureRMSubscriptionCommand 


=============================================================== 

Switch subscription using Set-AzureRmContext: 

ERROR: Set-AzureRmContext : Provided subscription S01 does not exist 
At line:41 char:2 
+ Set-AzureRmContext -SubscriptionName "S01" 
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
    + CategoryInfo   : CloseError: (:) [Set-AzureRmContext], ArgumentException 
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.SetAzureRMContextCommand 


=============================================================== 

我想這一切都是圍繞着AzureRunAsConnection和AzureRunAsCertificate並使用ServicePrincipal。我的猜測是，我需要使用S01的AzureRunAsConnect登錄，我假設我需要將證書從S01中取出並存入S02，但我沒有太多的運氣將S01中的RunAsCertificate導出並導入到S02中。

我試着創建自己的AD應用程序，但我似乎無法得到那個工作。

我相信它必須是可能的，但是怎麼樣？我關閉了，什麼是正確的方法？

P.S.兩份訂閱都「共享」相同的Azure AD。

TIA

Answer 1

您無法將一次分配的證書導出到服務主管。所以，你有兩個選擇：

1. 創建一個證書的新服務主體和使用相同的證書兩種訂閱
2. 如果您有現有的服務主體的證書的副本，然後用它來驗證你的第二個天青訂閱。

無論哪種方法你選擇，你應該看看這裏一步創建服務主體，證書等：https://docs.microsoft.com/en-us/azure/automation/automation-sec-configure-azure-runas-account#update-an-automation-account-using-powershell