创建了一个 ARM 模板,通过 powershell 使用 ARM 中的部署脚本创建 AD 应用程序。
出现此错误
资源写入操作未能成功完成,因为它达到了终端配置状态“失败”
这是模板
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {
"cliResourceName": "AzAppRegDeploymentScript"
},
"resources": [
{
"type": "Microsoft.Resources/deploymentScripts",
"apiVersion": "2019-10-01-preview",
"name": "[variables('cliResourceName')]",
"location": "[resourceGroup().location]",
"kind": "AzurePowerShell",
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"/subscriptions/XXXXX-bXXd-4XX5-b&*e-YDTXXYYYYS/resourceGroups/sample/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mientity": {}
}
},
"properties": {
"azPowerShellVersion": "9.7",
"timeout": "PT30M",
"scriptContent": "$app = New-AzureADApplication -DisplayName 'app-d'",
"cleanupPreference": "OnSuccess",
"retentionInterval": "P1D"
}
}
]
}
这里有什么错误? CLI 也失败了。 用户管理的身份“mientity”具有“贡献者”角色。以及本文中提到的角色https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-script-template#configure-the-minimum-permissions
AzCLI
:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {
"cliResourceName": "AzAppRegDeploymentScript"
},
"resources": [{
"type": "Microsoft.Resources/deploymentScripts",
"apiVersion": "2019-10-01-preview",
"name": "[variables('cliResourceName')]",
"location": "[resourceGroup().location]",
"kind": "AzureCLI",
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"/subscriptions/subscriptionID/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/newui": {}
}
},
"properties": {
"AzCliVersion": "2.0.80",
"timeout": "PT30M",
"scriptContent": "
appInfo = $(az ad app create--display - name $1--identifier - uris\ "$2\" --reply-urls \"$3\")
echo $appInfo
",
"cleanupPreference": "OnSuccess",
"retentionInterval": "P1D"
}
}
]
}
输出:
使用
AzPowershell
:
解决此问题后,我通过参考@Thakur Prasad Mishra 的
博客找到了部署它的方法。 您可以在 GitHub 内容页面中创建一个脚本,并将相应的 URL 添加到 ARM 模板的 PowerShell 部署脚本的
"primaryscripturi"
属性中,如上面给出的博客中所述。
对于上述任何部署(Powershell 或 CLI),您需要向用户身份提供以下权限。
转到subscriptions -> Access control -> Add -> Add role assignment -> Privileged administrator roles -> Contributor
user identity
,在订阅级别下添加贡献者角色。
您必须转至
Roles & Administrators
Azure Active Directory
为用户身份添加“应用程序管理员”角色。
我修改了您的PowerShell部署代码
properties
块如下:
"properties": {
"azPowerShellVersion": "9.7",
"timeout": "PT30M",
"scriptContent": "
$ScriptPath = '/home/admin/script.ps1'
$Info = Get-Content -Path $ScriptPath
",
"cleanupPreference": "OnSuccess",
"retentionInterval": "P1D"
}
}]
}
脚本.ps1:
Install-Module -Name AzureAD -Force
Import-Module -Name AzureAD
New-AzureADApplication -DisplayName 'app-d'
输出:
注意:
我建议您使用 Azure CLI 版本为 AD 应用程序创建部署脚本。 您还可以参考@Moim Hossain 的
文章