I am trying to add a virtual network rule to a Cosmos DB database account using PowerShell. The VNets live in a different tenant. I did the same thing for a storage account and it worked fine. I get the error below. Can someone give me some pointers on where I am going wrong? Is it possible to do this on a Cosmos DB database account at all?
Set-AzureRmResource : LinkedAuthorizationFailed : The client has permission to perform action 'Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action' on scope '/subscriptions/Cosmos DB Subscription ID/resourceGroups/nbspreprd3/providers/Microsoft.DocumentDb/databaseAccounts/nbspreprd3-config-document-db', however the current tenant '' is not authorized to access linked subscription ''.
At line:8 char:5
+     Set-AzureRmResource -ResourceType $ResourceType -ResourceGroupNam ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Set-AzureRmResource], ErrorResponseMessageException
    + FullyQualifiedErrorId : LinkedAuthorizationFailed,Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.SetAzureResourceCmdlet
Here is the PowerShell script:
$ResourceGroupName = "*******"
$accountname = "*******"
$ResourceType = "Microsoft.DocumentDb/databaseAccounts"
$cosmosAccount = Get-AzureRmResource -ResourceType $ResourceType -ResourceGroupName $ResourceGroupName -Name $accountname
# Subnet ids: these live in a different subscription/tenant than the Cosmos DB account
$VnrID1 = "/subscriptions/*******/resourceGroups/build-agents/providers/Microsoft.Network/virtualNetworks/build-agents-vnet/subnets/build-2-subnet"
$VnrID2 = "/subscriptions/*******/resourceGroups/build-agents/providers/Microsoft.Network/virtualNetworks/build-agents-vnet/subnets/build-3-subnet"
$VnrID3 = "/subscriptions/*******/resourceGroups/build-agents/providers/Microsoft.Network/virtualNetworks/build-agents-vnet/subnets/=build1-subnet"
function setCosmosRule {
    Param($ResourceGroupName, $accountname, $ResourceType, $cosmosAccount, $VnrID1)
    # @() keeps this an array even when the account has zero or one rule
    $vnetrules = @($cosmosAccount.Properties.virtualNetworkRules)
    $existsCosmos = ($vnetrules | Where-Object { $_.id -eq $VnrID1 } | Measure-Object).Count -ne 0
    if (-not $existsCosmos) {
        $ourObject = New-Object -TypeName psobject
        $ourObject | Add-Member -MemberType NoteProperty -Name id -Value $VnrID1
        # $true, not the bare word True (that would be serialized as the string "True")
        $ourObject | Add-Member -MemberType NoteProperty -Name ignoreMissingVNetServiceEndpoint -Value $true
        # '+' appends to the array; '$vnetrules, $ourObject' would nest the old array inside a new one
        $newVnetRules = $vnetrules + $ourObject
        $cosmosAccount.Properties.virtualNetworkRules = $newVnetRules
        $CosmosDBProperties = $cosmosAccount.Properties
        Set-AzureRmResource -ResourceType $ResourceType -ResourceGroupName $ResourceGroupName -ResourceName $accountname -Properties $CosmosDBProperties -Force
    }
}
# Apply each subnet in turn; $cosmosAccount is updated in place, so later calls see earlier rules
foreach ($id in @($VnrID1, $VnrID2, $VnrID3)) {
    setCosmosRule -ResourceGroupName $ResourceGroupName -accountname $accountname -ResourceType $ResourceType -cosmosAccount $cosmosAccount -VnrID1 $id
}
Any pointers and tips are much appreciated.
Thanks
We solved a similar problem by granting the deployment service principal Network Contributor on the external subscription.
We hit the same error in an almost identical scenario while deploying a composite ARM template containing a Key Vault, a Service Bus, a Storage Account and a Cosmos DB account. The first three deployed successfully, with their firewalls set up using the expected VNet/subnet from a separate subscription, peered with the VNet in the deployment target subscription. Everything on the RBAC side in the external subscription was fine. Digging into the Microsoft documentation on service endpoints led me to the following:
"After adding a VNet service endpoint to an Azure Cosmos account, to make any changes to the account settings, you need access to the Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action operation for all VNets configured on your Azure Cosmos account. This permission is required because the authorization process validates access to resources (such as database and virtual network resources) before evaluating any properties."
We indeed did not have the necessary explicit permission added for the Cosmos DB account, which was surprising because the other resource types were all fine. Once the additional access policy was added, the Cosmos DB account deployed successfully.
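As an added example (not code from either answer above), the following PowerShell pre-flight check covers the point both answers make: the identity that runs Set-AzureRmResource must hold Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action on every subnet referenced in the account's virtualNetworkRules, evaluated in the subscription that owns the subnet. It checks each subnet id and, where the action is missing, grants a custom role containing only that action instead of the much broader Network Contributor. It assumes the AzureRm module used in the question, that the principal already exists in the tenant that owns the VNets (a service principal from another tenant cannot be assigned a role there), and placeholder values for the object id and subnet ids; the role name 'Cosmos VNet Join (subnets)' is hypothetical.

```powershell
# Added example, not from the original question or answers.
# Assumes the AzureRm module and a principal that exists in the VNet owner's tenant.
$RequiredAction = 'Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action'

# Does the principal hold $Action at $Scope through any direct or inherited role assignment?
function Test-ActionAtScope {
    Param([string]$ObjectId, [string]$Scope, [string]$Action)
    # -Scope lists assignments at that scope and those inherited from parent scopes
    $assignments = Get-AzureRmRoleAssignment -ObjectId $ObjectId -Scope $Scope -ErrorAction Stop
    foreach ($a in $assignments) {
        $def = Get-AzureRmRoleDefinition -Id $a.RoleDefinitionId
        # NotActions override Actions; both use '*' wildcards, which -like understands
        $denied  = @($def.NotActions | Where-Object { $Action -like $_ }).Count -gt 0
        $allowed = @($def.Actions    | Where-Object { $Action -like $_ }).Count -gt 0
        if ($allowed -and -not $denied) { return $true }
    }
    return $false
}

# Create (once per subscription) a custom role that grants only the action the
# Cosmos DB authorization check needs, instead of Network Contributor's Microsoft.Network/*.
function Initialize-JoinRole {
    Param([string]$SubscriptionId)
    $name = 'Cosmos VNet Join (subnets)'   # hypothetical role name
    $existing = Get-AzureRmRoleDefinition -Name $name
    if ($existing) { return $existing }
    $role = Get-AzureRmRoleDefinition -Name 'Reader'   # use a built-in role as a template object
    $role.Id = $null
    $role.Name = $name
    $role.Description = 'Allows joining subnets via service endpoint (Cosmos DB firewall rules).'
    $role.Actions.Clear()
    $role.Actions.Add($RequiredAction)
    $role.NotActions.Clear()
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add("/subscriptions/$SubscriptionId")
    return New-AzureRmRoleDefinition -Role $role
}

# Check every subnet id and grant the narrow custom role where the check fails.
function Grant-MissingSubnetAccess {
    Param([string]$PrincipalObjectId, [string[]]$SubnetIds)
    foreach ($subnetId in $SubnetIds) {
        # Rule ids are full ARM ids: /subscriptions/<sub>/resourceGroups/...; index 2 is the subscription
        $subscriptionId = ($subnetId -split '/')[2]
        # Switch to the subscription that owns the subnet; the check must run there, not in the Cosmos DB subscription
        Set-AzureRmContext -SubscriptionId $subscriptionId | Out-Null
        if (Test-ActionAtScope -ObjectId $PrincipalObjectId -Scope $subnetId -Action $RequiredAction) {
            Write-Host "OK      $subnetId"
            continue
        }
        Write-Host "MISSING $subnetId -> assigning custom role at subnet scope"
        $role = Initialize-JoinRole -SubscriptionId $subscriptionId
        New-AzureRmRoleAssignment -ObjectId $PrincipalObjectId -RoleDefinitionName $role.Name -Scope $subnetId | Out-Null
    }
}

# Usage (placeholder values): the object id of the deployment service principal and
# the subnet ids that will appear in the account's virtualNetworkRules.
$spObjectId = '00000000-0000-0000-0000-000000000000'
$subnets = @(
    '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/build-agents/providers/Microsoft.Network/virtualNetworks/build-agents-vnet/subnets/build-2-subnet'
)
Grant-MissingSubnetAccess -PrincipalObjectId $spObjectId -SubnetIds $subnets
```

Run this as an identity that can read role assignments and write role definitions and assignments in the VNet subscription (Owner or User Access Administrator). Assigning the role at subnet scope rather than subscription scope keeps the grant to the subnets Cosmos DB actually joins; once the check reports OK for every subnet, the Set-AzureRmResource call from the question should no longer fail with LinkedAuthorizationFailed.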