I tried the obvious approach of using a nested resource:
    {
        "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [
            {
                "type": "Microsoft.Web/sites",
                "apiVersion": "2016-08-01",
                "name": "testapp",
                "location": "[resourceGroup().location]",
                "resources": [
                    {
                        "type": "Microsoft.Web/sites/providers/Microsoft.Authorization/roleassignments",
                        "apiVersion": "2015-07-01",
                        "name": "<guid>",
                        "dependsOn": [
                            "[resourceId('Microsoft.Web/sites/', 'testapp')]"
                        ],
                        "properties": {
                            "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
                            "principalId": "<guid>"
                        }
                    }
                ]
            }
        ]
    }
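But that doesn't work: it creates the role assignment, but at the resource group level, not at the website level. (Is this a bug?)

If I try to specify the scope explicitly: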
    {
        "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [
            {
                "type": "Microsoft.Web/sites",
                "apiVersion": "2016-08-01",
                "name": "testapp",
                "location": "[resourceGroup().location]",
                "resources": [
                    {
                        "type": "Microsoft.Web/sites/providers/Microsoft.Authorization/roleassignments",
                        "apiVersion": "2015-07-01",
                        "name": "<guid>",
                        "dependsOn": [
                            "[resourceId('Microsoft.Web/sites/', 'testapp')]"
                        ],
                        "properties": {
                            "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
                            "principalId": "<guid>",
                            "scope": "[resourceId('Microsoft.Web/sites/', 'testapp')]"
                        }
                    }
                ]
            }
        ]
    }
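it fails, saying that the scope ID must match the URI of the resource.

I also tried a few options using non-nested resources, but none of them would go through. Is this not supported, or am I missing some syntax that would work?

Found the answer here: https://www.henrybeen.nl/creating-an-authorization-rule-using-an-arm-template/

The scope tag does not work for a single role assignment. The 'name' tag seems to determine the scope.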
    "parameters": {
        "roleAssignmentsGuidFunctionsReader": {
            "type": "string",
            "defaultValue": "[newGuid()]"
        },
        "roleAssignmentsGuidFunctionsContributor": {
            "type": "string",
            "defaultValue": "[newGuid()]"
        }
    },
    "variables": {
        "uniqueId": "[substring(uniqueString(resourceGroup().id),9,4)]",
        "functionsName": "[concat('MyfuncApp','Functions',variables('uniqueId'))]",
        "readerRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
        "contributorRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"
    },
    "resources": [
        {
            "apiVersion": "2017-09-01",
            "type": "Microsoft.Web/sites/providers/roleAssignments",
            "name": "[concat(variables('functionsName'), '/Microsoft.Authorization/', parameters('roleAssignmentsGuidFunctionsContributor'))]",
            "properties": {
                "roleDefinitionId": "[variables('contributorRole')]",
                "principalId": "[reference(resourceId('Microsoft.Web/sites', variables('functionsName')), '2018-11-01', 'Full').identity.principalId]"
            },
            "dependsOn": [
                "[resourceId('Microsoft.Web/sites', variables('functionsName'))]"
            ]
        }
    ]
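
A static pre-deployment check for the pattern in the answer above, as an added example (not code from the question, the answer, or the linked post): it walks an ARM template, including nested resources, and reports whether each role assignment's type/name pair points at a single resource or falls back to the resource group. The sample template, its placeholder GUIDs, the `parameters('id')` reference and the function names are constructed, and the classification is a heuristic built on the behaviour reported on this page, not ARM's own resolution logic.

```python
import json

MARKER = "/microsoft.authorization/"  # segment that ties the name to a resource

# Constructed sample: the question's nested shape and the answer's shape.
# GUIDs are placeholders, not real assignment or principal IDs.
SAMPLE = json.loads("""
{"resources": [
  {"type": "Microsoft.Web/sites", "name": "testapp", "resources": [
    {"type": "Microsoft.Web/sites/providers/Microsoft.Authorization/roleassignments",
     "name": "00000000-0000-0000-0000-000000000001"}]},
  {"type": "Microsoft.Web/sites/providers/roleAssignments",
   "name": "testapp/Microsoft.Authorization/00000000-0000-0000-0000-000000000002"},
  {"type": "Microsoft.Web/sites/providers/roleAssignments",
   "name": "[concat(variables('functionsName'), '/Microsoft.Authorization/', parameters('id'))]"}
]}
""")

def walk(resources):
    """Yield every resource, descending into nested 'resources' arrays."""
    for res in resources:
        yield res
        yield from walk(res.get("resources", []))

def audit_role_assignments(template):
    """Report the scope each role assignment's type/name pair encodes.

    Heuristic taken from this page, not ARM's own resolution logic:
    '<provider>/<type>/providers/roleAssignments' plus a name containing
    '<resource>/Microsoft.Authorization/<guid>' targets that resource;
    anything else is treated as landing at resource-group level.
    """
    findings = []
    for res in walk(template.get("resources", [])):
        rtype = res.get("type", "").lower()
        if not rtype.endswith("roleassignments"):
            continue
        name = res.get("name", "")
        scoped = rtype.endswith("/providers/roleassignments") and MARKER in name.lower()
        findings.append({"name": name,
                         "scope": "resource" if scoped else "resource-group"})
    return findings

if __name__ == "__main__":
    for f in audit_role_assignments(SAMPLE):
        print(f"{f['scope']:<15} {f['name']}")
```

Run against a template in review, any assignment reported as `resource-group` grants the role on everything in the group, so it is the one to confirm was intended.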