How do I assign the correct roles on Service Bus entities to an Azure Functions managed identity using Bicep?

Question (votes: 0, answers: 2)

I have an Azure Functions project containing a function that uses Service Bus bindings (listening on a subscription and sending to a topic).

The Azure Functions deployment runs under a managed identity. Since we want to automate the whole deployment with Azure Bicep, I would also like the correct role assignments for that managed identity on the Service Bus namespace (or its entities) to be created automatically from the Azure Bicep file.

But I can't seem to work out how to do it. Could someone point me to the right Bicep snippet for creating a role assignment on a Service Bus entity for a specific managed identity with one of these roles?

Azure Service Bus Data Receiver
Azure Service Bus Data Sender

(Even better: I know I'm fairly new to Bicep, so how could I have found the answer myself?)

Kind regards

azure azure-functions azureservicebus azure-managed-identity azure-bicep
2 answers

5 votes

The documentation for creating RBAC role assignments with Bicep can be found here.
The Azure built-in roles can be found here.

So for Service Bus and a managed identity, you could create a module that looks something like this:

// servicebus-role-assignment.bicep

param serviceBusName string
param principalId string

@allowed([
  '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0' // Azure Service Bus Data Receiver
  '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39' // Azure Service Bus Data Sender
])
param roleId string


// Get a reference to servicebus namespace
resource servicebus 'Microsoft.ServiceBus/namespaces@2022-01-01-preview' existing = {
  name: serviceBusName
}

// Grant the given role on the Service Bus namespace to the principal
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid(servicebus.id, roleId, principalId)
  scope: servicebus
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleId)
    principalId: principalId
    principalType: 'ServicePrincipal'
  }
}

If you are using a user-assigned identity, you can call this module after creating the identity:

param location string = resourceGroup().location
param identityName string
param serviceBusName string

// Create the identity
resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2022-01-31-preview' = {
  name: identityName
  location: location
}

// Do the role assignment
module serviceBusRoleAssignment 'servicebus-role-assignment.bicep' = {
  name: 'servicebus-role-assignment'
  params: {
    serviceBusName: serviceBusName
    roleId: '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0' // Azure Service Bus Data Receiver    
    principalId: identity.properties.principalId
  }
}

If you are using a system-assigned identity, you need to create the function app first:

param location string = resourceGroup().location
param functionAppName string
param serviceBusName string
...

// Create the function app
resource functionApp 'Microsoft.Web/sites@2022-03-01' = {
  name: functionAppName
  identity: {
    type: 'SystemAssigned'
  }
  ...
}

// Do the role assignment
module serviceBusRoleAssignment 'servicebus-role-assignment.bicep' = {
  name: 'servicebus-role-assignment'
  params: {
    serviceBusName: serviceBusName
    roleId: '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0' // Azure Service Bus Data Receiver    
    principalId: functionApp.identity.principalId
  }
}

0 votes

If you want to assign the role at the Service Bus topic level (or queue level), you can do it by using a module together with the scope keyword.

The example below assigns the Azure Service Bus Data Sender role on a Service Bus topic to a web app created with a system-assigned identity. The Service Bus namespace and its child topic resource live in a different resource group; the web app is in another resource group and is deployed with the "az deployment group" command.

main.bicep:

// Assign RBAC role to Service Bus Topic - Use modules if you want to deploy an extension resource (the role assignment is an extension resource type) 
// with the scope set to a resource in a different resource group, see more here https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/scope-extension-resources
module roleAssignmentModule 'Modules/roleAssignments.bicep' = {
  name: 'roleAssignmentsModule' // Azure Portal Deployments Inputs and Outputs shown under RG that contains the Service Bus Names
  scope: resourceGroup(differentResourceGroupName)
  params: {
    webAppPrincipalId: webAppPrincipalId
    serviceBusName: serviceBusName
    serviceBusTopicName: serviceBusTopicName
  }
}

roleAssignments.bicep:

@description('The principalId of the WebApp that will be used in role assignment')
param webAppPrincipalId  string

@description('Service Bus Namespace that contains the Service Bus Topic where RBAC role will be assigned to')
param serviceBusName string

@description('Service Bus Topic name where RBAC role will be assigned to')
param serviceBusTopicName string

@description('This is the built-in Azure Service Bus Data Sender role. See https://learn.microsoft.com/en-gb/azure/role-based-access-control/built-in-roles#azure-service-bus-data-sender')
resource azureServiceBusDataSenderRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-05-01-preview' existing = {
  scope: subscription()
  name: '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39' // 'Azure Service Bus Data Sender' Azure built-in role
}


// Reference to an existing Service Bus Namespace resource
resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2021-11-01' existing = {
  name: serviceBusName
}

// Get a reference to an existing Service Bus Topic
resource serviceBusTopic 'Microsoft.ServiceBus/namespaces/topics@2022-10-01-preview' existing = {
  name: serviceBusTopicName
  parent: serviceBusNamespace
}

// Assign RBAC role 'Azure Service Bus Data Sender' to the Service Bus Topic
resource roleAssignment_AzureServiceBusDataSender 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  name: guid(subscription().id, webAppPrincipalId, serviceBusTopic.id, azureServiceBusDataSenderRoleDefinition.id) 
  scope: serviceBusTopic  // Role is assigned at the Topic level. If scope property is omitted, then role is assigned at the Service Bus Namespace level and inherited to all child Topics. We don't want that
  properties: {
    principalId: webAppPrincipalId
    roleDefinitionId: azureServiceBusDataSenderRoleDefinition.id 
    principalType: 'ServicePrincipal' 
  }
}
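As an added example (it is not from either answer above), the following template combines the two approaches with least privilege in mind: the function's identity gets Data Receiver only on the subscription it listens to and Data Sender only on the topic it publishes to, rather than on the whole namespace. The parameter names, the nested `existing` child references and the API versions are my choices; the role definition GUIDs are the ones quoted in the answers.

```bicep
// servicebus-entity-roles.bicep (added example; names and API versions are assumptions)
// Scopes each built-in role to the single entity the function needs instead of the namespace.

@description('Existing Service Bus namespace')
param serviceBusName string

@description('Topic the function sends to')
param topicName string

@description('Subscription on that topic the function listens to')
param subscriptionName string

@description('principalId of the function app identity (system- or user-assigned)')
param principalId string

// Built-in role definition GUIDs (same values as in the answers above)
var receiverRoleId = '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0' // Azure Service Bus Data Receiver
var senderRoleId = '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39'   // Azure Service Bus Data Sender

resource serviceBus 'Microsoft.ServiceBus/namespaces@2021-11-01' existing = {
  name: serviceBusName
}

resource topic 'Microsoft.ServiceBus/namespaces/topics@2021-11-01' existing = {
  parent: serviceBus
  name: topicName
}

resource topicSubscription 'Microsoft.ServiceBus/namespaces/topics/subscriptions@2021-11-01' existing = {
  parent: topic
  name: subscriptionName
}

// Receive rights only on this subscription: the identity cannot read other subscriptions or queues.
resource receiveOnSubscription 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(topicSubscription.id, receiverRoleId, principalId)
  scope: topicSubscription
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', receiverRoleId)
    principalId: principalId
    // Stating the principal type avoids intermittent failures when the identity was created moments ago
    principalType: 'ServicePrincipal'
  }
}

// Send rights only on this topic: the identity cannot publish to other topics in the namespace.
resource sendOnTopic 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(topic.id, senderRoleId, principalId)
  scope: topic
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', senderRoleId)
    principalId: principalId
    principalType: 'ServicePrincipal'
  }
}

output receiveAssignmentId string = receiveOnSubscription.id
output sendAssignmentId string = sendOnTopic.id
```

Call it as a module from the template that declares the function app and pass `functionApp.identity.principalId` (or `identity.properties.principalId` for a user-assigned identity), with `scope: resourceGroup(...)` on the module if the namespace lives in another resource group, as the second answer shows. Because each assignment name is a deterministic `guid()` of scope, role and principal, redeploying the template is idempotent, and an `az role assignment list --assignee <principalId>` after deployment should show exactly two assignments, each scoped to a single entity rather than the namespace.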