How do I create a role assignment for a website in an Azure Resource Manager deployment template?

Question. Votes: 3. Answers: 1

I tried the obvious approach of using a nested resource:

{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2016-08-01",
      "name": "testapp",
      "location": "[resourceGroup().location]",
      "resources": [
        {
          "type": "Microsoft.Web/sites/providers/Microsoft.Authorization/roleassignments",
          "apiVersion": "2015-07-01",
          "name": "<guid>",
          "dependsOn": [
            "[resourceId('Microsoft.Web/sites/', 'testapp')]"
          ],
          "properties": {
            "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
            "principalId": "<guid>"
          }
        }
      ]
    }
  ]
}

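But that doesn't work: it creates the role assignment, but creates it at the resource group level rather than the website level. (Is this a bug?)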

If I try to specify the scope explicitly:

{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2016-08-01",
      "name": "testapp",
      "location": "[resourceGroup().location]",
      "resources": [
        {
          "type": "Microsoft.Web/sites/providers/Microsoft.Authorization/roleassignments",
          "apiVersion": "2015-07-01",
          "name": "<guid>",
          "dependsOn": [
            "[resourceId('Microsoft.Web/sites/', 'testapp')]"
          ],
          "properties": {
            "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
            "principalId": "<guid>",
            "scope": "[resourceId('Microsoft.Web/sites/', 'testapp')]"
          }
        }
      ]
    }
  ]
}

It fails, saying that the scope ID must match the URI of the resource.

I also tried a few options using non-nested resources, but none of them would pass. Is this not supported, or am I missing some syntax that would work?

authorization azure-resource-manager
1 answer
0
votes

Found the answer here: https://www.henrybeen.nl/creating-an-authorization-rule-using-an-arm-template/

The scope tag does not apply to an individual role assignment. The 'name' tag appears to determine the scope.

  "parameters": {
    "roleAssignmentsGuidFunctionsReader": {
      "type": "string",
      "defaultValue": "[newGuid()]"
    },
    "roleAssignmentsGuidFunctionsContributor": {
      "type": "string",
      "defaultValue": "[newGuid()]"
    }
  },
  "variables": {
    "uniqueId": "[substring(uniqueString(resourceGroup().id),9,4)]",
    "functionsName": "[concat('MyfuncApp','Functions',variables('uniqueId') )]",
    "readerRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
    "contributorRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"
  },
  "resources": [
    {
      "apiVersion": "2017-09-01",
      "type": "Microsoft.Web/sites/providers/roleAssignments",
      "name": "[concat(variables('functionsName'), '/Microsoft.Authorization/', parameters('roleAssignmentsGuidFunctionsContributor'))]",
      "properties": {
        "roleDefinitionId": "[variables('contributorRole')]",
        "principalId": "[ reference( resourceId('Microsoft.Web/sites', variables('functionsName') ), '2018-11-01', 'Full').identity.principalId]"
      },
      "dependsOn": [
        "[resourceId('Microsoft.Web/sites', variables('functionsName'))]"
      ]
    }
  ]
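
The two template forms on this page, run through a small pre-deployment scope check (an added example, not code from the question, the answer or the linked post). It judges each role assignment by its `type` and `name` pattern only and takes the scopes reported on this page as given; `SAMPLE`, `classify`, `audit` and `too_broad` are names made up for the example, and `<guid>` is a placeholder.

```python
import json
import re

# Constructed sample: the question's nested form and the answer's form; "<guid>" is a placeholder.
SAMPLE = json.loads("""
{"resources": [
  {"type": "Microsoft.Web/sites", "name": "testapp", "resources": [
    {"type": "Microsoft.Web/sites/providers/Microsoft.Authorization/roleassignments",
     "name": "<guid>",
     "properties": {"roleDefinitionId":
       "[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"}}]},
  {"type": "Microsoft.Web/sites/providers/roleAssignments",
   "name": "testapp/Microsoft.Authorization/<guid>",
   "properties": {"roleDefinitionId":
     "[resourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]"}}
]}
""")

# Built-in role definition IDs used in the answer's variables.
ROLES = {"b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
         "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader"}
GUID = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def classify(res):
    """Scope a role assignment lands on, judged from type and name alone."""
    rtype, name = res.get("type", "").lower(), res.get("name", "").lower()
    if not rtype.endswith("roleassignments"):
        return None                      # not a role assignment
    if rtype.endswith("/providers/roleassignments") and "/microsoft.authorization/" in name:
        return "resource"                # answer's form: the name carries the target
    if rtype.endswith("/providers/microsoft.authorization/roleassignments"):
        return "resource-group"          # question's form, as the asker observed
    return "unknown"                     # forms not covered on this page

def audit(template):
    """Return (name, role, scope) for every role assignment, nested ones included."""
    found, queue = [], list(template.get("resources", []))
    while queue:
        res = queue.pop(0)
        queue.extend(res.get("resources", []))
        scope = classify(res)
        if scope:
            m = GUID.search(res.get("properties", {}).get("roleDefinitionId", ""))
            found.append((res["name"], ROLES.get(m.group(0).lower(), "other") if m else "other", scope))
    return found

def too_broad(template):
    """Assignments that do not resolve to a single resource."""
    return [a for a in audit(template) if a[2] != "resource"]
```

Running `too_broad` over a template before deployment lists the assignments that would grant a role on more than the one site, such as the Contributor grant in the question's nested form.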