So, I'm trying to do the following with an ARM template:
- Create a new user-assigned managed identity (my-managed-identity) in my-rg
- Assign my-managed-identity the Reader role on my-rg
- Assign the AKS service principal (my-aks-sp) the Managed Identity Operator role on my-managed-id
Here is my ARM template:
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "aksServicePrincipalObjectId": {
      "type": "string",
      "metadata": {
        "description": "The Object Id for the AKS Cluster Service Principal"
      }
    }
  },
  "variables": {
    "managedIdentityName": "my-managed-identity",
    "readerRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
    "managedIdOperatorRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "name": "[variables('managedIdentityName')]",
      "apiVersion": "2018-11-30",
      "location": "[resourceGroup().location]",
      "resources": [
        {
          "type": "Microsoft.ManagedIdentity/userAssignedIdentities/providers/roleAssignments",
          "name": "[concat(variables('managedIdentityName'), '/Microsoft.Authorization/', guid(parameters('aksServicePrincipalObjectId')))]",
          "apiVersion": "2018-09-01-preview",
          "location": "[resourceGroup().location]",
          "dependsOn": [
            "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('managedIdentityName'))]"
          ],
          "properties": {
            "roleDefinitionId": "[variables('managedIdOperatorRole')]",
            "principalId": "[parameters('aksServicePrincipalObjectId')]"
          }
        }
      ]
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "name": "[guid(variables('managedIdentityName'))]",
      "apiVersion": "2018-09-01-preview",
      "dependsOn": [
        "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('managedIdentityName'))]"
      ],
      "properties": {
        "roleDefinitionId": "[variables('readerRole')]",
        "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName')),'2018-11-30').principalId]"
      }
    }
  ]
}
```
The odd thing is that this deployment sometimes fails. I frequently get this error:
```text
New-AzResourceGroupDeployment : 2:56:07 PM - Resource Microsoft.Authorization/roleAssignments 'd62bb9a1-bf0b-5a92-aca1-74beab087ee9' failed with message '{
  "error": {
    "code": "PrincipalNotFound",
    "message": "Principal fad453d06bd042148411606b74525ed2 does not exist in the directory 936529098-bafa-4c91-b54f-f012cc11eeec."
  }
}
```
Am I missing something here?
This documentation from Microsoft solved my problem.
Here is my complete template:
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "aksServicePrincipalObjectId": {
      "type": "string",
      "metadata": {
        "description": "The Object Id for the AKS Cluster Service Principal"
      }
    }
  },
  "variables": {
    "managedIdentityName": "my-managed-identity",
    "readerRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
    "managedIdOperatorRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "name": "[variables('managedIdentityName')]",
      "apiVersion": "2018-11-30",
      "location": "[resourceGroup().location]",
      "resources": [
        {
          "type": "Microsoft.ManagedIdentity/userAssignedIdentities/providers/roleAssignments",
          "name": "[concat(variables('managedIdentityName'), '/Microsoft.Authorization/', guid(parameters('aksServicePrincipalObjectId')))]",
          "apiVersion": "2018-09-01-preview",
          "location": "[resourceGroup().location]",
          "dependsOn": [
            "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('managedIdentityName'))]"
          ],
          "properties": {
            "roleDefinitionId": "[variables('managedIdOperatorRole')]",
            "principalId": "[parameters('aksServicePrincipalObjectId')]",
            "principalType": "ServicePrincipal" // This solved my issue
          }
        }
      ]
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "name": "[guid(variables('managedIdentityName'))]",
      "apiVersion": "2018-09-01-preview",
      "dependsOn": [
        "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('managedIdentityName'))]"
      ],
      "properties": {
        "roleDefinitionId": "[variables('readerRole')]",
        "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName')),'2018-11-30').principalId]",
        "scope": "[resourceGroup().id]" //This is what I added to get it to work!
      }
    }
  ]
}
```
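As an added example (not part of the question or the answer above), a small Python pre-deployment check that loads a template the way the deployment engine tolerates it (`//` comments and trailing commas, both present in the templates above), walks nested resources, and flags every role assignment that lacks `principalType` or, for a top-level `Microsoft.Authorization/roleAssignments`, an explicit `scope`, the two properties the answer added. The embedded sample template is constructed to mirror the question's "before" state; the resource names `operator-ra` and `reader-ra` are placeholders.

```python
import json
import re

def _strip_outside_strings(text, pattern):
    """Delete matches of `pattern` that do not fall inside a JSON string literal."""
    tok = re.compile(r'"(?:\\.|[^"\\])*"|' + pattern)
    return tok.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def load_arm_template(text):
    """json.loads with the leniencies ARM deployments accept: // comments, trailing commas."""
    text = _strip_outside_strings(text, r"//[^\n]*")
    text = _strip_outside_strings(text, r",(?=\s*[}\]])")
    return json.loads(text)

def audit_role_assignments(template):
    """Return (resource name, issue) for every roleAssignments resource, nested ones included."""
    findings = []
    def walk(resources):
        for res in resources:
            if res.get("type", "").endswith("/roleAssignments"):
                props = res.get("properties", {})
                if "principalType" not in props:
                    findings.append((res["name"], "missing principalType (PrincipalNotFound race on a newly created principal)"))
                if res["type"] == "Microsoft.Authorization/roleAssignments" and "scope" not in props:
                    findings.append((res["name"], "missing scope on top-level role assignment"))
            walk(res.get("resources", []))  # extension resources nested under a parent

    walk(template.get("resources", []))
    return findings

# Constructed sample: the question's two assignments in "before" form, with a // comment and a trailing comma.
SAMPLE_TEMPLATE = """{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "resources": [
    { "type": "Microsoft.ManagedIdentity/userAssignedIdentities", "name": "my-managed-identity",
      "resources": [
        { "type": "Microsoft.ManagedIdentity/userAssignedIdentities/providers/roleAssignments",
          "name": "my-managed-identity/Microsoft.Authorization/operator-ra",
          "properties": { "principalId": "[parameters('aksServicePrincipalObjectId')]", } // trailing comma
        }
      ]
    },
    { "type": "Microsoft.Authorization/roleAssignments", "name": "reader-ra",
      "properties": { "principalId": "[reference('my-managed-identity').principalId]" } }
  ]
}"""

if __name__ == "__main__":
    for name, issue in audit_role_assignments(load_arm_template(SAMPLE_TEMPLATE)):
        print(f"{name}: {issue}")
```

Run it against the answer's template and the findings list is empty; against the question's template it reports the nested assignment once and the top-level one twice.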