有时,使用用户分配的托管身份时,ARM模板将引发PrincipalNotFound错误

问题描述 投票:0回答:1

所以,我正在尝试使用ARM模板执行以下操作:

  1. 在资源组my-managed-identity中创建新的用户分配的受管理身份(my-rg
  2. my-managed-identity分配Reader角色my-rg
  3. 将角色Managed Identity Operator分配给my-aks-sp中的AKS服务主体(my-managed-id

这是我的ARM模板:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "aksServicePrincipalObjectId": {
            "type": "string",
            "metadata": {
                "description": "The Object Id for the AKS Cluster Service Principal"
            }
        },
    },
    "variables": {
        "managedIdentityName": "my-managed-identity",
        "readerRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
        "managedIdOperatorRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]"
    },
    "resources": [
        {
            "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
            "name": "[variables('managedIdentityName')]",
            "apiVersion": "2018-11-30",
            "location": "[resourceGroup().location]",
            "resources": [
                {
                    "type": "Microsoft.ManagedIdentity/userAssignedIdentities/providers/roleAssignments",
                    "name": "[concat(variables('managedIdentityName'), '/Microsoft.Authorization/', guid(parameters('aksServicePrincipalObjectId')))]",
                    "apiVersion": "2018-09-01-preview",
                    "location": "[resourceGroup().location]",
                    "dependsOn": [
                        "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('managedIdentityName'))]"
                    ],
                    "properties": {
                        "roleDefinitionId": "[variables('managedIdOperatorRole')]",
                        "principalId": "[parameters('aksServicePrincipalObjectId')]"
                    }
                }
            ]
        },
        {
            "type": "Microsoft.Authorization/roleAssignments",
            "name": "[guid(variables('managedIdentityName'))]",
            "apiVersion": "2018-09-01-preview",
            "dependsOn": [
                "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('managedIdentityName'))]"
            ],
            "properties": {
                "roleDefinitionId": "[variables('readerRole')]",
                "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName')),'2018-11-30').principalId]"
            }
        }
    ]
}

奇怪的是,有时这种部署不起作用。我经常会收到错误消息:

New-AzResourceGroupDeployment : 2:56:07 PM - Resource Microsoft.Authorization/roleAssignments 'd62bb9a1-bf0b-5a92-aca1-74beab087ee9' failed with message '{
  "error": {
    "code": "PrincipalNotFound",
    "message": "Principal fad453d06bd042148411606b74525ed2 does not exist in the directory 936529098-bafa-4c91-b54f-f012cc11eeec."
  }
}

我在这里想念什么吗?

azure azure-resource-manager
1个回答
0
投票

documentation from Microsoft解决了我的问题。

这是我完整的模板:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "aksServicePrincipalObjectId": {
            "type": "string",
            "metadata": {
                "description": "The Object Id for the AKS Cluster Service Principal"
            }
        },
    },
    "variables": {
        "managedIdentityName": "my-managed-identity",
        "readerRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
        "managedIdOperatorRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]"
    },
    "resources": [
        {
            "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
            "name": "[variables('managedIdentityName')]",
            "apiVersion": "2018-11-30",
            "location": "[resourceGroup().location]",
            "resources": [
                {
                    "type": "Microsoft.ManagedIdentity/userAssignedIdentities/providers/roleAssignments",
                    "name": "[concat(variables('managedIdentityName'), '/Microsoft.Authorization/', guid(parameters('aksServicePrincipalObjectId')))]",
                    "apiVersion": "2018-09-01-preview",
                    "location": "[resourceGroup().location]",
                    "dependsOn": [
                        "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('managedIdentityName'))]"
                    ],
                    "properties": {
                        "roleDefinitionId": "[variables('managedIdOperatorRole')]",
                        "principalId": "[parameters('aksServicePrincipalObjectId')]",
                        "principalType": "ServicePrincipal" // This solved my issue
                    }
                }
            ]
        },
        {
            "type": "Microsoft.Authorization/roleAssignments",
            "name": "[guid(variables('managedIdentityName'))]",
            "apiVersion": "2018-09-01-preview",
            "dependsOn": [
                "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('managedIdentityName'))]"
            ],
            "properties": {
                "roleDefinitionId": "[variables('readerRole')]",
                "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName')),'2018-11-30').principalId]",
                "scope": "[resourceGroup().id]" //This is what I added to get it to work! 
            }
        }
        ]

}
最新问题
© www.soinside.com 2019 - 2024. All rights reserved.