Applying Azure RBAC to a resource using ARM

Tags: json, azure, rbac, arm-template

Is there a way to apply RBAC rules at the resource level via ARM? I am able to add users/roles at the resource group level, but not at the resource level. Specifically, I am trying to add a new Reader role to AppInsights via ARM. However, when I adjust the scope the template fails with the following error:

"error": {
"code": "InvalidCreateRoleAssignmentRequest",
"message": "The request to create role assignment '{guid}' is not valid. Role assignment scope '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/Microsoft.Insights/components/{resourceGroupName}' must match the scope specified on the URI  '/subscriptions/{resourceGroupName}/resourcegroups/{resourceGroupName}'."
  }
I've been wondering what the point of the scope variable is if it can't be changed. Is there somewhere else I should be modifying the scope to make this work?

Thanks in advance

RBAC can be applied at the resource level using ARM.

The example you referenced demonstrates how to apply RBAC on a specific resource group, where the scope is the path of the resource group.

Here you are trying to assign the role on a specific resource. Changing the scope from the resource group to the resource (AppInsights) will work.

From the exception I can see that the path to the resource may not be in the expected format.

The path for AppInsights should be in the following format:

/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/microsoft.insights/components/{insightName}

Hope framing the scope like this helps.

You can apply RBAC rules at the resource level via ARM; here is an example template that applies an RBAC rule to an Azure VM:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "principalId": {
            "type": "string",
            "metadata": {
                "description": "Principal ID associated with the subscription ID"
            }
        },
        "virtualMachineName": {
            "type": "string",
            "metadata": {
                "description": "Name of the virtual machine"
            }
        },
        "builtInRoleType": {
            "type": "string",
            "metadata": {
                "description": "Built In Role Type for the Virtual Machine"
            },
            "allowedValues": [
                "Owner",
                "Contributor",
                "Reader",
                "Virtual Machine Contributor"
            ]
        },
        "guid": {
            "type": "string",
            "metadata": {
                "description": "A new GUID used to identify the role"
            }
        },
        "location": {
            "type": "string",
            "defaultValue": "[resourceGroup().location]",
            "metadata": {
                "description": "Location for all resources."
            }
        }
    },
    "variables": {
        "Owner": "[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
        "Contributor": "[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
        "Reader": "[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
        "Virtual Machine Contributor": "[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]",
        "resourceName": "[concat(parameters('virtualMachineName'), '/Microsoft.Authorization/', parameters('guid'))]"
    },
    "resources": [
        {
            "type": "Microsoft.Compute/virtualMachines/providers/roleAssignments",
            "apiVersion": "2017-05-01",
            "name": "[variables('resourceName')]",
            "properties": {
                "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
                "principalId": "[parameters('principalId')]"
            }
        }
    ]
}

Hope this helps.

The key is to remove the scope property and instead use Microsoft.FooResource/BarSubType/providers/roleAssignments as the type, with a name of the form {resourceName}/Microsoft.Authorization/{uniqueRoleAssignmentGuid}, which nests the role assignment under the desired resource. Note that the GUID should be stable but unique to this role assignment; a simple option is guid(subscription().subscriptionId, 'some sub-identifier if you like').

Here is a template that shows how to apply RBAC to a single resource using a user-assigned managed identity defined in the same template:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": { 
      "storageAccountName": { "type": "string" },
      "userAssignedIdentityName": { "type": "string" }
  },
  "variables": {
    "ContributorRoleDefinition": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "name": "[parameters('userAssignedIdentityName')]",
      "location": "[resourceGroup().location]",
      "apiVersion": "2018-11-30"
    },
    {
      "type": "Microsoft.Storage/storageAccounts",
      "name": "[parameters('storageAccountName')]",
      "location": "[resourceGroup().location]",
      "apiVersion": "2016-12-01",
      "sku": { "name": "Standard_LRS" },
      "kind": "Storage",
      "resources": [
          {
              "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
              "apiVersion": "2017-05-01",
              "name": "[concat(parameters('storageAccountName'), '/Microsoft.Authorization/', guid(subscription().subscriptionId, 'foo'))]",
              "properties": {
                "roleDefinitionId": "[variables('ContributorRoleDefinition')]",
                "principalId": "[reference(parameters('userAssignedIdentityName'), '2018-11-30').principalId]"
              },
              "dependsOn": [
                  "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
                  "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userAssignedIdentityName'))]"
              ]
         }
      ]
    }
  ]
}

Source:

Microsoft finally provides documentation explaining this:


I agree that the documentation on this is not very helpful. I have an array of role IDs that I want to add as Owners on an App Insights resource without making the users Owners at the resource group level. I didn't want to use the nested-resource approach because I want to iterate over an array of objects to create the role assignments dynamically, so after adjusting the type, name and scope properties, the following resource block finally worked for me:

    {
      "comments": "Add the Application Insights resource",
      "apiVersion": "2014-04-01",
      "name": "[variables('appInsightsName')]",
      "type": "Microsoft.Insights/components",
      "location": "[resourceGroup().location]",
      "properties": {
        "ApplicationId": "[variables('appInsightsName')]"
      }
    },
    {
      "comments": "Add the IAM roles to the App Insights resource",
      "condition": "[parameters('isProduction')]",
      "type": "Microsoft.Insights/components/providers/roleAssignments",
      "name": "[concat(variables('appInsightsName'),'/Microsoft.Authorization/',guid(parameters('roleAssignments')[copyIndex()].principalId))]",
      "apiVersion": "2017-05-01",
      "location": "[resourceGroup().location]",
      "properties": {
        "roleDefinitionId": "[concat(subscription().Id, '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", // Owner Role
        "principalId": "[parameters('roleAssignments')[copyIndex()].principalId]",
        "scope": "[resourceId('Microsoft.Insights/components', variables('appInsightsName'))]"
      },
      "copy": {
        "name": "appInsightsRoleAssignments",
        "count": "[length(parameters('roleAssignments'))]"
      },
      "dependsOn": [
        "[resourceId('Microsoft.Insights/components', variables('appInsightsName'))]"
      ]
    }
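As an added example that is not part of any answer on this page, the following Python script builds resource-scoped role-assignment blocks in the nested-name form the answers above describe (type `<parentType>/providers/roleAssignments`, name `<resourceName>/Microsoft.Authorization/<guid>`) and checks them against the two failures this thread shows: a scope that omits the `/providers/` segment, and a type/name pair whose segment counts don't satisfy ARM's validation rule. It assumes literal resource names (an ARM expression such as `concat()` cannot be segment-counted offline) and uses `uuid.uuid5` as a stand-in for ARM's deterministic `guid()` function; the sample principals and subscription ID are constructed, and `role_assignment_blocks` is a hypothetical helper, not an Azure API.

```python
"""Added example: generate and validate resource-scoped role assignments for an
ARM template. Not code from the answers above."""
import json
import re
import uuid

# Built-in role definition IDs as listed in the VM template above.
BUILTIN_ROLES = {
    "Owner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
    "Contributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
    "Reader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
}

# A resource-level scope carries '/providers/' between the resource group and
# the provider namespace; the scope in the question left that segment out.
_RESOURCE_SCOPE = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-f-]{36})"
    r"/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/(?P<ns>[^/]+)/(?P<kind>[^/]+)/(?P<name>[^/]+)$",
    re.IGNORECASE,
)


def validate_resource_scope(scope: str) -> bool:
    """True if 'scope' is a well-formed resource-level scope string."""
    return _RESOURCE_SCOPE.match(scope) is not None


def segment_counts_match(resource_type: str, name: str) -> bool:
    """ARM's rule for a root-level resource (quoted in the comments below):
    the type has exactly one more '/'-separated segment than the name."""
    type_segments = resource_type.count("/") + 1
    name_segments = name.count("/") + 1
    return type_segments == name_segments + 1


def stable_assignment_guid(*parts: str) -> str:
    """Deterministic GUID from its inputs (uuid5 stand-in for ARM's guid()), so a
    redeploy keeps the same assignment name instead of adding a second one."""
    return str(uuid.uuid5(uuid.NAMESPACE_URL, "|".join(parts)))


def role_assignment_block(resource_type: str, resource_name: str, role: str,
                          principal_id: str, subscription_id: str) -> dict:
    """Emit one root-level '<type>/providers/roleAssignments' resource.
    resource_type is the parent type, e.g. 'Microsoft.Insights/components'."""
    assignment_type = f"{resource_type}/providers/roleAssignments"
    # Seed with subscription, resource, principal and role so the same principal
    # on two resources (or with two roles) gets two distinct assignment names.
    guid = stable_assignment_guid(subscription_id, resource_type, resource_name,
                                  principal_id, role)
    name = f"{resource_name}/Microsoft.Authorization/{guid}"
    if not segment_counts_match(assignment_type, name):
        raise ValueError(f"segment mismatch: {assignment_type} vs {name}")
    return {
        "type": assignment_type,
        "apiVersion": "2017-05-01",
        "name": name,
        "properties": {
            "roleDefinitionId": (
                "[concat(subscription().id, '/providers/Microsoft.Authorization/"
                f"roleDefinitions/{BUILTIN_ROLES[role]}')]"
            ),
            "principalId": principal_id,
        },
        "dependsOn": [f"[resourceId('{resource_type}', '{resource_name}')]"],
    }


def role_assignment_blocks(resource_type: str, resource_name: str,
                           assignments: list, subscription_id: str) -> list:
    """One block per {principalId, role} entry: the unrolled equivalent of the
    copy loop in the answer above."""
    return [role_assignment_block(resource_type, resource_name, a["role"],
                                  a["principalId"], subscription_id)
            for a in assignments]


if __name__ == "__main__":
    # Constructed sample input: two principals on one App Insights resource.
    sample = [
        {"principalId": "00000000-0000-0000-0000-000000000001", "role": "Reader"},
        {"principalId": "00000000-0000-0000-0000-000000000002", "role": "Owner"},
    ]
    blocks = role_assignment_blocks("Microsoft.Insights/components", "myAppInsights",
                                    sample, "11111111-1111-1111-1111-111111111111")
    print(json.dumps(blocks, indent=2))
```

The generated blocks can be pasted into the `resources` array of a template. The seed for the GUID includes the role, so granting the same principal Reader and Owner on one resource yields two assignments rather than one overwriting the other; a GUID derived from the principal alone would not.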

When you say "the path for AppInsights", I assume you mean I need to modify my scope setting. I added "/providers" to my scope as you suggested and got the following (similar to what I originally got):
The request to create role assignment '{guid}' is not valid. Role assignment scope '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/microsoft.insights/components/{insightName}' must match the scope specified on the URI '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}'.
Thoughts?

Interesting. You're saying we can apply it at the resource level, but it seems the type and name fields in the ARM template need quite a few changes. Can you help me find the proper resource type and name for applying RBAC to an AppInsights resource?

You could try changing the type to "microsoft.insights/components/providers/roleAssignments" for the resource.

I get an error when changing the type: Deployment template validation failed: 'The template resource '{guid}' at line '1' and column '7721' has incorrect segment lengths for type 'microsoft.insights/components/providers/roleAssignments'. A nested resource type must have identical number of segments as its resource name. A root resource type must have segment length one greater than its resource name. Please see for usage details.' The guid is the subscription id the app points to.

Same error. roleDefinitionId and principalId worked in the end. Still can't find a valid type and name. Where I'm at now:
{"type": "microsoft.insights/components/providers/roleAssignments", "apiVersion": "2017-05-01", "name": "[subscription().subscriptionId]", "properties": {"roleDefinitionId": "[variables('MonitoringReaderAzureSecurityGroup')]", "principalId": "[variables('AppInsightsReadOnlyPrincipalId')]"}, "dependsOn": ["[resourceId('Microsoft.Insights/components/', parameters('websiteName'))]"

For me this was the right solution, but reading Henrybee's example was clearer. The key is the name and the scope.