Applying Azure RBAC to a resource using ARM

Neg*_*tar 7 json rbac azure azure-rm-template

Is there a way to apply RBAC rules at the resource level via ARM? Following this Microsoft guide, I was able to add a user/role at the resource group level, but not on a resource. Specifically, I am trying to add a new Reader role to AppInsights via ARM. However, when I adjust the scope, the template just fails with the following error:

"error": {
    "code": "InvalidCreateRoleAssignmentRequest",
    "message": "The request to create role assignment '{guid}' is not valid. Role assignment scope '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/Microsoft.Insights/components/{resourceGroupName}' must match the scope specified on the URI  '/subscriptions/{resourceGroupName}/resourcegroups/{resourceGroupName}'."
}

I am not sure what the scope variable should be, or whether it can be changed at all. Should I be modifying the scope somewhere else to make this work?

Thanks in advance!

Oha*_*der 7

The key is to remove the scope property and instead nest the role assignment under the desired resource, using Microsoft.FooResource/BarSubType/providers/roleAssignments as the type and the following name format: {resourceName}/Microsoft.Authorization/{uniqueRoleAssignmentGuid}. Note that the GUID should be stable, but unique to this role assignment; a simple option is guid(subscription().subscriptionId, 'some-sub-identifier-if-you-wish').

Here is a template showing how to apply RBAC to a single resource, using a user-assigned managed identity defined in the same template:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": { "type": "string" },
    "userAssignedIdentityName": { "type": "string" }
  },
  "variables": {
    "ContributorRoleDefinition": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "name": "[parameters('userAssignedIdentityName')]",
      "location": "[resourceGroup().location]",
      "apiVersion": "2018-11-30"
    },
    {
      "type": "Microsoft.Storage/storageAccounts",
      "name": "[parameters('storageAccountName')]",
      "location": "[resourceGroup().location]",
      "apiVersion": "2016-12-01",
      "sku": { "name": "Standard_LRS" },
      "kind": "Storage",
      "resources": [
        {
          "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
          "apiVersion": "2017-05-01",
          "name": "[concat(parameters('storageAccountName'), '/Microsoft.Authorization/', guid(subscription().subscriptionId, 'foo'))]",
          "properties": {
            "roleDefinitionId": "[variables('ContributorRoleDefinition')]",
            "principalId": "[reference(parameters('userAssignedIdentityName'), '2018-11-30').principalId]"
          },
          "dependsOn": [
            "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
            "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userAssignedIdentityName'))]"
          ]
        }
      ]
    }
  ]
}

Source: https://www.henrybeen.nl/creating-an-authorization-rule-using-an-arm-template/


小智 0

It is possible to apply RBAC at the resource level using ARM.

The example you referenced shows how to apply RBAC on a specific resource group, where the scope is the path of the resource group.

Here you are trying to assign a role on a specific resource. Changing the scope from the resource group to the resource (AppInsights) will work.

From the exception, I can see that the resource path is probably not in the expected format.

The path for AppInsights should be in the following format:

/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/microsoft.insights/components/{insightName}

Hope this scoping helps!