Fatal编程技术网
  • azure-devops/
  • Azure devops 如何使用ARM模板在AppInsight Access control中添加角色

Azure devops 如何使用ARM模板在AppInsight Access control中添加角色

azure-devops

Azure devops 如何使用ARM模板在AppInsight Access control中添加角色,azure-devops,azure-application-insights,azure-resource-manager,Azure Devops,Azure Application Insights,Azure Resource Manager,我正在尝试使用ARM模板在AppInsight访问控制中添加角色分配。 我可以使用ARM模板创建AppInsight,但无法在App Insight Access control中添加角色分配。下面是我使用ARM模板创建AppInsight的代码 "resources": [ { "type": "Microsoft.Insights/components", "kind": "web", "name": "[parameters('com

我正在尝试使用ARM模板在AppInsight访问控制中添加角色分配。 我可以使用ARM模板创建AppInsight,但无法在App Insight Access control中添加角色分配。下面是我使用ARM模板创建AppInsight的代码

"resources": [
    {
        "type": "Microsoft.Insights/components",
        "kind": "web",
        "name": "[parameters('components_AppInsightPoc_name')]",
        "apiVersion": "2015-05-01",
        "location": "westus2",
        "scale": null,
        "properties": {
            "Application_Type": "web",
            "Flow_Type": "Redfield",
            "Request_Source": "IbizaAIExtension",
            "HockeyAppId": null,
            "SamplingPercentage": null
        }
    }
]
您可以使用此代码段将RBAC角色添加到资源:

{
    "type": "Microsoft.Insights/components/providers/roleAssignments",
    "apiVersion": "2017-05-01",
    "name": "[concat(parameters('components_AppInsightPoc_name'), '/Microsoft.Authorization/', guid('something'))]",
    "properties": {
        "roleDefinitionId": "[concat(subscription().Id, '/providers/Microsoft.Authorization/roleDefinitions/', 'role_guid')]",
        "principalId": "user_guid",
        "scope": "[resourceId('Microsoft.Insights/components', parameters('components_AppInsightPoc_name'))"
    }
}
您可以使用powershell获取角色GUID:

Get-AzRoleDefinition
您可以使用此代码段将RBAC角色添加到资源:

{
    "type": "Microsoft.Insights/components/providers/roleAssignments",
    "apiVersion": "2017-05-01",
    "name": "[concat(parameters('components_AppInsightPoc_name'), '/Microsoft.Authorization/', guid('something'))]",
    "properties": {
        "roleDefinitionId": "[concat(subscription().Id, '/providers/Microsoft.Authorization/roleDefinitions/', 'role_guid')]",
        "principalId": "user_guid",
        "scope": "[resourceId('Microsoft.Insights/components', parameters('components_AppInsightPoc_name'))"
    }
}
您可以使用powershell获取角色GUID:

Get-AzRoleDefinition
能够使用以下代码添加RBAC for App Insights

  "resources": [
    {
      "type": "Microsoft.Insights/components/providers/roleAssignments",
      "apiVersion": "2017-05-01",
      "name": "[concat(parameters('AppInsightName'),'/Microsoft.Authorization/',guid('AppInsightName'))]",
      "properties": {
        "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
        "principalId": "[parameters('principalId')]"
      }
    }
  ]
能够使用以下代码添加RBAC for App Insights

  "resources": [
    {
      "type": "Microsoft.Insights/components/providers/roleAssignments",
      "apiVersion": "2017-05-01",
      "name": "[concat(parameters('AppInsightName'),'/Microsoft.Authorization/',guid('AppInsightName'))]",
      "properties": {
        "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
        "principalId": "[parameters('principalId')]"
      }
    }
  ]
我发布了关于这个问题的答案:

我有一个角色ID数组,我想将其添加为App Insight资源的所有者,而不想让用户成为资源组级别的所有者。我不想使用嵌套资源方法,因为我想迭代对象数组来动态创建角色,所以在调整类型、名称和范围属性后,以下资源块最终对我有效:

    {
      "comments": "Add the Application Insights resource",
      "apiVersion": "2014-04-01",
      "name": "[variables('appInsightsName')]",
      "type": "Microsoft.Insights/components",
      "location": "[resourceGroup().location]",
      "properties": {
        "ApplicationId": "[variables('appInsightsName')]"
      }
    },
    {
      "comments": "Add the IAM roles to the App Insights resource",
      "condition": "[parameters('isProduction')]",
      "type": "Microsoft.Insights/components/providers/roleAssignments",
      "name": "[concat(variables('appInsightsName'),'/Microsoft.Authorization/',guid(parameters('roleAssignments')[copyIndex()].principalId))]",
      "apiVersion": "2017-05-01",
      "location": "[resourceGroup().location]",
      "properties": {
        "roleDefinitionId": "[concat(subscription().Id, '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", // Owner Role
        "principalId": "[parameters('roleAssignments')[copyIndex()].principalId]",
        "scope": "[resourceId('Microsoft.Insights/components', variables('appInsightsName'))]"
      },
      "copy": {
        "name": "appInsightsRoleAssignments",
        "count": "[length(parameters('roleAssignments'))]"
      },
      "dependsOn": [
        "[resourceId('Microsoft.Insights/components', variables('appInsightsName'))]"
      ]
    }
请密切关注Microsoft.Insights/components/providers/roleAssignments资源的类型、名称和范围属性中的部分。

我发布了关于这个问题的答案:

我有一个角色ID数组,我想将其添加为App Insight资源的所有者,而不想让用户成为资源组级别的所有者。我不想使用嵌套资源方法,因为我想迭代对象数组来动态创建角色,所以在调整类型、名称和范围属性后,以下资源块最终对我有效:

    {
      "comments": "Add the Application Insights resource",
      "apiVersion": "2014-04-01",
      "name": "[variables('appInsightsName')]",
      "type": "Microsoft.Insights/components",
      "location": "[resourceGroup().location]",
      "properties": {
        "ApplicationId": "[variables('appInsightsName')]"
      }
    },
    {
      "comments": "Add the IAM roles to the App Insights resource",
      "condition": "[parameters('isProduction')]",
      "type": "Microsoft.Insights/components/providers/roleAssignments",
      "name": "[concat(variables('appInsightsName'),'/Microsoft.Authorization/',guid(parameters('roleAssignments')[copyIndex()].principalId))]",
      "apiVersion": "2017-05-01",
      "location": "[resourceGroup().location]",
      "properties": {
        "roleDefinitionId": "[concat(subscription().Id, '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", // Owner Role
        "principalId": "[parameters('roleAssignments')[copyIndex()].principalId]",
        "scope": "[resourceId('Microsoft.Insights/components', variables('appInsightsName'))]"
      },
      "copy": {
        "name": "appInsightsRoleAssignments",
        "count": "[length(parameters('roleAssignments'))]"
      },
      "dependsOn": [
        "[resourceId('Microsoft.Insights/components', variables('appInsightsName'))]"
      ]
    }
请密切注意Microsoft.Insights/components/providers/roleAssignments资源的类型、名称和范围属性中的分段。

您到底想做什么?我想使用ARM模板在app insight access control中添加角色定义“角色”?RBAC角色?是的,我想使用ARM模板添加角色请参见:,这是资源组作用域,只需更改AppInsight的作用域您到底想做什么?我想使用ARM模板在app insight access control中添加角色定义“角色”?RBAC角色?是的,我想使用ARM模板添加角色请参见:,这是资源组范围,只需更改appinsightHi的范围,感谢您的输入,您能告诉我guid('something')中的预期值吗,如果您想生成一个新的guidCan,我们只需将其命名为AppInsight名称,那么它只需要是唯一的?我收到以下错误“模板资源的授权失败”DevpsTestAppInsight/Microsoft.Authorization/caa36d20-9bcc-5e25-abbc-5a33af20ad40,类型为“Microsoft.Insights/components/providers/roleAssignments”。对象id为“c75534ba-5ced-447d-affe-247dc70c063f”的客户端“c75534ba-5ced-447d-affe-247dc70c063f”无权在作用域执行操作“Microsoft.Authorization/roleAssignments/write”“/subscriptions/0000000000/resourceGroups/TestRgDevops/providers/Microsoft.Insights/components/devopstatappinsight/providers/Microsoft.Authorization/roleasignments我传递了以下值guid('something'):在something中,我传递了AppInsight名称本身的“role\u guid”:我传递了阅读器角色的guid(acdd72a7-3385-48ef-bd42-f606fba81ae7)用户_guid:我在这里有我的aad应用程序的主体Id。如果我在这里做了什么错误,请告诉我。嗨,感谢您的输入,您能告诉我guid中的预期值(“某物”)吗任何情况下,如果您想生成一个新的guidCan,我们只需将其命名为AppInsight名称,它只需要是唯一的?我收到以下错误“模板资源的授权失败”devopStatAppInsight/Microsoft.Authorization/caa36d20-9bcc-5e25-abbc-5a33af20ad40,类型为“Microsoft.Insights/components/providers/roleAssignments”。客户端对象id为“c75534ba-5ced-447d-affe-247dc70c063f”的“c75534ba-5ced-447d-affe-247dc70c063f”没有权限执行操作“Microsoft.Authorization/roleAssignments/write'at scope'/subscriptions/0000000000/resourceGroups/TestRgDevops/providers/Microsoft.Insights/components/DevPStStatAppSight/providers/Microsoft.Authorization/roleAs”signmentsI已传递以下值guid('something'):在something中,我传递了AppInsight名称本身的“角色\u guid”:我已传递了读卡器角色的guid(acdd72a7-3385-48ef-bd42-f606fba81ae7)用户\u guid:我在这里有我的aad应用程序的主体Id。如果我在这里做错了什么,请告诉我