实施重试逻辑后显示角色分配已存在错误

Question

我正在尝试在设置系统分配的托管标识后将角色分配给网络应用程序。问题是，如果您在设置托管标识之后分配角色，则会抛出错误。

2019-04-04T07:57:12.9852397Z ##[error]Principal 438350e59xxxxxxxxxx935e5c135 does not exist in the directory ***.

因此，我添加了重试代码来尝试分配角色，直到主体可用。

$webappname = "devt002"
$resourcegroup = "devt002RG"
$roleDefinitionName = "Storage Blob Data Contributor"

#Set the system assigned managed identity
Set-AzureRmWebApp -AssignIdentity $true -ResourceGroupName "$resourcegroup" -Name "$webappname"

#Get webapp object id
$webapp = Get-AzureRmWebApp -ResourceGroupName "$resourcegroup" -Name "$webappname"
$objectid = [System.Guid]::Parse($webapp.Identity.PrincipalId)
write-host "Object ID :" $objectid

#Get resource id (Scope) for storage account
$webapp2 = Get-AzureRmResource -ResourceGroupName "$resourcegroup" -Name "$webappname" -ResourceType "Microsoft.Storage/storageAccounts"
$resid = $webapp2.ResourceId.ToString()
write-host "Resource ID :" $resid

#Get Assign role if already exist
$roles = Get-AzureRmRoleAssignment -ObjectId "$objectid"
write-host "Already Assigned Roles :" $roles.RoleDefinitionName

if($roles.RoleDefinitionName -Match "Storage Blob Data Contributor")
{
    Write-Host "Storage Blob Data Contributor role already exist !!!"
}
else
{
    #Assign role to web app (Object id)
    $retryCount = 5
    $totalRetries = $retryCount
    While ($True) 
    {
        Try 
        {
            $Null = New-AzureRmRoleAssignment -ObjectId $objectid -RoleDefinitionName "$roleDefinitionName" -Scope "$resid"
            Write-Host "Storage Blob Data Contributor role assign successfully !!!"
            Return
        }
        Catch 
        {
            # The principal could not be found. Maybe it was just created.
            If ($retryCount -eq 0) 
            {
                Write-Error "An error occurred: $($_.Exception)`n$($_.ScriptStackTrace)"
                throw "The principal '$objectId' cannot be granted '$roleDefinitionName' role on the web app '$webappname'. Please make sure the principal exists and try again later."
            }
            $retryCount--
            Write-Warning "  The principal '$objectId' cannot be granted '$roleDefinitionName' role on the web app '$webappname'. Trying again (attempt $($totalRetries - $retryCount)/$totalRetries)"
            Start-Sleep 10
        }
    }

}

但这次发生了以下错误。奇怪的是角色被分配给网络应用程序。

2019-04-04T10:00:58.8423494Z Object ID : 31d52967-xxxx-xxxx-xxxx-b3944da09ab2
2019-04-04T10:01:02.6524758Z Resource ID : /subscriptions/4364666b-xxxx-xxxx-xxxx-47158904c439/resourceGroups/devt002RG/providers/Microsoft.Storage/storageAccounts/devt002
2019-04-04T10:01:04.2157521Z Already Assigned Roles : 
2019-04-04T10:01:14.1407666Z ##[warning]  The principal '31d52967-xxxx-xxxx-xxxx-b3944da09ab2' cannot be granted 'Storage Blob Data Contributor' role on the web app 'devt002'. Trying again (attempt 1/5)
2019-04-04T10:01:14.1417125Z ##[debug]Processed: ##vso[task.logissue type=warning]  The principal '31d52967-xxxx-xxxx-xxxx-b3944da09ab2' cannot be granted 'Storage Blob Data Contributor' role on the web app 'devt002'. Trying again (attempt 1/5)
2019-04-04T10:01:25.7075458Z ##[warning]  The principal '31d52967-xxxx-xxxx-xxxx-b3944da09ab2' cannot be granted 'Storage Blob Data Contributor' role on the web app 'devt002'. Trying again (attempt 2/5)
2019-04-04T10:01:25.7076201Z ##[debug]Processed: ##vso[task.logissue type=warning]  The principal '31d52967-xxxx-xxxx-xxxx-b3944da09ab2' cannot be granted 'Storage Blob Data Contributor' role on the web app 'devt002'. Trying again (attempt 2/5)
2019-04-04T10:01:37.5640393Z ##[warning]  The principal '31d52967-xxxx-xxxx-xxxx-b3944da09ab2' cannot be granted 'Storage Blob Data Contributor' role on the web app 'devt002'. Trying again (attempt 3/5)
2019-04-04T10:01:37.5640997Z ##[debug]Processed: ##vso[task.logissue type=warning]  The principal '31d52967-xxxx-xxxx-xxxx-b3944da09ab2' cannot be granted 'Storage Blob Data Contributor' role on the web app 'devt002'. Trying again (attempt 3/5)
2019-04-04T10:01:50.5967259Z ##[warning]  The principal '31d52967-xxxx-xxxx-xxxx-b3944da09ab2' cannot be granted 'Storage Blob Data Contributor' role on the web app 'devt002'. Trying again (attempt 4/5)
2019-04-04T10:01:50.5967755Z ##[debug]Processed: ##vso[task.logissue type=warning]  The principal '31d52967-xxxx-xxxx-xxxx-b3944da09ab2' cannot be granted 'Storage Blob Data Contributor' role on the web app 'devt002'. Trying again (attempt 4/5)
2019-04-04T10:02:02.7386688Z ##[warning]  The principal '31d52967-xxxx-xxxx-xxxx-b3944da09ab2' cannot be granted 'Storage Blob Data Contributor' role on the web app 'devt002'. Trying again (attempt 5/5)
2019-04-04T10:02:02.7387138Z ##[debug]Processed: ##vso[task.logissue type=warning]  The principal '31d52967-xxxx-xxxx-xxxx-b3944da09ab2' cannot be granted 'Storage Blob Data Contributor' role on the web app 'devt002'. Trying again (attempt 5/5)
2019-04-04T10:02:16.4259863Z ##[error]An error occurred: Microsoft.Rest.Azure.CloudException: The role assignment already exists.

Answer 1

它试图告诉您什么 - 等效的角色分配以不同的名称存在，并且您不能以不同的名称两次进行相同的分配。

所以我想问题是，为什么需要以不同的名称分配相同的权限两次