Azure devops 如何使用ARM模板在AppInsight Access control中添加角色
我正在尝试使用ARM模板在AppInsight访问控制中添加角色分配。 我可以使用ARM模板创建AppInsight,但无法在App Insight Access control中添加角色分配。下面是我使用ARM模板创建AppInsight的代码Azure devops 如何使用ARM模板在AppInsight Access control中添加角色,azure-devops,azure-application-insights,azure-resource-manager,Azure Devops,Azure Application Insights,Azure Resource Manager,我正在尝试使用ARM模板在AppInsight访问控制中添加角色分配。 我可以使用ARM模板创建AppInsight,但无法在App Insight Access control中添加角色分配。下面是我使用ARM模板创建AppInsight的代码 "resources": [ { "type": "Microsoft.Insights/components", "kind": "web", "name": "[parameters('com
"resources": [
{
"type": "Microsoft.Insights/components",
"kind": "web",
"name": "[parameters('components_AppInsightPoc_name')]",
"apiVersion": "2015-05-01",
"location": "westus2",
"scale": null,
"properties": {
"Application_Type": "web",
"Flow_Type": "Redfield",
"Request_Source": "IbizaAIExtension",
"HockeyAppId": null,
"SamplingPercentage": null
}
}
]
您可以使用此代码段将RBAC角色添加到资源:
{
"type": "Microsoft.Insights/components/providers/roleAssignments",
"apiVersion": "2017-05-01",
"name": "[concat(parameters('components_AppInsightPoc_name'), '/Microsoft.Authorization/', guid('something'))]",
"properties": {
"roleDefinitionId": "[concat(subscription().Id, '/providers/Microsoft.Authorization/roleDefinitions/', 'role_guid')]",
"principalId": "user_guid",
"scope": "[resourceId('Microsoft.Insights/components', parameters('components_AppInsightPoc_name'))"
}
}
您可以使用powershell获取角色GUID:
Get-AzRoleDefinition
您可以使用此代码段将RBAC角色添加到资源:
{
"type": "Microsoft.Insights/components/providers/roleAssignments",
"apiVersion": "2017-05-01",
"name": "[concat(parameters('components_AppInsightPoc_name'), '/Microsoft.Authorization/', guid('something'))]",
"properties": {
"roleDefinitionId": "[concat(subscription().Id, '/providers/Microsoft.Authorization/roleDefinitions/', 'role_guid')]",
"principalId": "user_guid",
"scope": "[resourceId('Microsoft.Insights/components', parameters('components_AppInsightPoc_name'))"
}
}
您可以使用powershell获取角色GUID:
Get-AzRoleDefinition
能够使用以下代码添加RBAC for App Insights
"resources": [
{
"type": "Microsoft.Insights/components/providers/roleAssignments",
"apiVersion": "2017-05-01",
"name": "[concat(parameters('AppInsightName'),'/Microsoft.Authorization/',guid('AppInsightName'))]",
"properties": {
"roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
"principalId": "[parameters('principalId')]"
}
}
]
能够使用以下代码添加RBAC for App Insights
"resources": [
{
"type": "Microsoft.Insights/components/providers/roleAssignments",
"apiVersion": "2017-05-01",
"name": "[concat(parameters('AppInsightName'),'/Microsoft.Authorization/',guid('AppInsightName'))]",
"properties": {
"roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
"principalId": "[parameters('principalId')]"
}
}
]
我发布了关于这个问题的答案: 我有一个角色ID数组,我想将其添加为App Insight资源的所有者,而不想让用户成为资源组级别的所有者。我不想使用嵌套资源方法,因为我想迭代对象数组来动态创建角色,所以在调整类型、名称和范围属性后,以下资源块最终对我有效:
{
"comments": "Add the Application Insights resource",
"apiVersion": "2014-04-01",
"name": "[variables('appInsightsName')]",
"type": "Microsoft.Insights/components",
"location": "[resourceGroup().location]",
"properties": {
"ApplicationId": "[variables('appInsightsName')]"
}
},
{
"comments": "Add the IAM roles to the App Insights resource",
"condition": "[parameters('isProduction')]",
"type": "Microsoft.Insights/components/providers/roleAssignments",
"name": "[concat(variables('appInsightsName'),'/Microsoft.Authorization/',guid(parameters('roleAssignments')[copyIndex()].principalId))]",
"apiVersion": "2017-05-01",
"location": "[resourceGroup().location]",
"properties": {
"roleDefinitionId": "[concat(subscription().Id, '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", // Owner Role
"principalId": "[parameters('roleAssignments')[copyIndex()].principalId]",
"scope": "[resourceId('Microsoft.Insights/components', variables('appInsightsName'))]"
},
"copy": {
"name": "appInsightsRoleAssignments",
"count": "[length(parameters('roleAssignments'))]"
},
"dependsOn": [
"[resourceId('Microsoft.Insights/components', variables('appInsightsName'))]"
]
}
请密切关注Microsoft.Insights/components/providers/roleAssignments资源的类型、名称和范围属性中的部分。我发布了关于这个问题的答案: 我有一个角色ID数组,我想将其添加为App Insight资源的所有者,而不想让用户成为资源组级别的所有者。我不想使用嵌套资源方法,因为我想迭代对象数组来动态创建角色,所以在调整类型、名称和范围属性后,以下资源块最终对我有效:
{
"comments": "Add the Application Insights resource",
"apiVersion": "2014-04-01",
"name": "[variables('appInsightsName')]",
"type": "Microsoft.Insights/components",
"location": "[resourceGroup().location]",
"properties": {
"ApplicationId": "[variables('appInsightsName')]"
}
},
{
"comments": "Add the IAM roles to the App Insights resource",
"condition": "[parameters('isProduction')]",
"type": "Microsoft.Insights/components/providers/roleAssignments",
"name": "[concat(variables('appInsightsName'),'/Microsoft.Authorization/',guid(parameters('roleAssignments')[copyIndex()].principalId))]",
"apiVersion": "2017-05-01",
"location": "[resourceGroup().location]",
"properties": {
"roleDefinitionId": "[concat(subscription().Id, '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", // Owner Role
"principalId": "[parameters('roleAssignments')[copyIndex()].principalId]",
"scope": "[resourceId('Microsoft.Insights/components', variables('appInsightsName'))]"
},
"copy": {
"name": "appInsightsRoleAssignments",
"count": "[length(parameters('roleAssignments'))]"
},
"dependsOn": [
"[resourceId('Microsoft.Insights/components', variables('appInsightsName'))]"
]
}
请密切注意Microsoft.Insights/components/providers/roleAssignments资源的类型、名称和范围属性中的分段。您到底想做什么?我想使用ARM模板在app insight access control中添加角色定义“角色”?RBAC角色?是的,我想使用ARM模板添加角色请参见:,这是资源组作用域,只需更改AppInsight的作用域您到底想做什么?我想使用ARM模板在app insight access control中添加角色定义“角色”?RBAC角色?是的,我想使用ARM模板添加角色请参见:,这是资源组范围,只需更改appinsightHi的范围,感谢您的输入,您能告诉我guid('something')中的预期值吗,如果您想生成一个新的guidCan,我们只需将其命名为AppInsight名称,那么它只需要是唯一的?我收到以下错误“模板资源的授权失败”DevpsTestAppInsight/Microsoft.Authorization/caa36d20-9bcc-5e25-abbc-5a33af20ad40,类型为“Microsoft.Insights/components/providers/roleAssignments”。对象id为“c75534ba-5ced-447d-affe-247dc70c063f”的客户端“c75534ba-5ced-447d-affe-247dc70c063f”无权在作用域执行操作“Microsoft.Authorization/roleAssignments/write”“/subscriptions/0000000000/resourceGroups/TestRgDevops/providers/Microsoft.Insights/components/devopstatappinsight/providers/Microsoft.Authorization/roleasignments我传递了以下值guid('something'):在something中,我传递了AppInsight名称本身的“role\u guid”:我传递了阅读器角色的guid(acdd72a7-3385-48ef-bd42-f606fba81ae7)用户_guid:我在这里有我的aad应用程序的主体Id。如果我在这里做了什么错误,请告诉我。嗨,感谢您的输入,您能告诉我guid中的预期值(“某物”)吗任何情况下,如果您想生成一个新的guidCan,我们只需将其命名为AppInsight名称,它只需要是唯一的?我收到以下错误“模板资源的授权失败”devopStatAppInsight/Microsoft.Authorization/caa36d20-9bcc-5e25-abbc-5a33af20ad40,类型为“Microsoft.Insights/components/providers/roleAssignments”。客户端对象id为“c75534ba-5ced-447d-affe-247dc70c063f”的“c75534ba-5ced-447d-affe-247dc70c063f”没有权限执行操作“Microsoft.Authorization/roleAssignments/write'at scope'/subscriptions/0000000000/resourceGroups/TestRgDevops/providers/Microsoft.Insights/components/DevPStStatAppSight/providers/Microsoft.Authorization/roleAs”signmentsI已传递以下值guid('something'):在something中,我传递了AppInsight名称本身的“角色\u guid”:我已传递了读卡器角色的guid(acdd72a7-3385-48ef-bd42-f606fba81ae7)用户\u guid:我在这里有我的aad应用程序的主体Id。如果我在这里做错了什么,请告诉我