我有以下 Bicep 文件:
// Template from the question: assigns a role to a service principal on an
// existing storage account.
// An `existing` resource declared without a `scope` is resolved in the resource
// group the deployment targets. The lookup therefore fails when the account
// lives in another resource group or subscription, even though storage account
// names are globally unique.
param accountName string
param roleId string
param principalId string

// Reference only; the account itself is not created or modified.
resource account 'Microsoft.Storage/storageAccounts@2022-09-01' existing = {
  name: accountName
}

// Role definition looked up by its name (roleId), resolved at the account scope.
resource roleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
  name: roleId
  scope: account
}

// The assignment is scoped to the single storage account, not to its resource
// group or subscription. guid() derives the name from scope, principal and role,
// so redeploying the same inputs addresses the same assignment.
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2023-04-15' = {
  name: guid(account.id, principalId, roleDefinition.id)
  scope: account
  properties: {
    principalId: principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: roleDefinition.id
  }
}
执行此操作时,错误是它无法在运行的资源组中找到帐户 {accountName},但是我尝试在另一个订阅/资源组中已存在的 storageAccount 上设置 roleAssignment。由于存储帐户名称是唯一的,我认为这应该可行吗?
您应该在这里使用 Bicep 模块。`existing` 资源默认在当前部署所针对的资源组内解析,因此即使存储帐户名称全局唯一,也无法找到位于其他资源组中的帐户。将 modules 与 scope 这两个关键字组合使用,可以帮助您实现跨资源组的嵌套部署。
针对您的情况,我编写了一个示例并进行了测试。
main.bicep
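// Entry-point template: runs roleAssign.bicep as a nested deployment scoped to
// the resource group that actually contains the storage account, so the
// `existing` lookup inside the module resolves there instead of in the resource
// group this template is deployed to.
//
// The identity running the deployment needs permission to write role
// assignments (Microsoft.Authorization/roleAssignments/write) on the target
// storage account, in addition to deployment rights on both resource groups.

@description('Name (GUID) of the role definition to assign. Prefer the narrowest role that covers the workload.')
param roleId string

@description('ID of the principal that receives the role.')
param principalId string

@description('Resource group that contains the storage account.')
param storageAccountRgName string

@description('Name of the existing storage account.')
param storageAccountName string

@description('Subscription that contains the storage account. Defaults to the subscription of this deployment, so existing callers are unaffected.')
param storageAccountSubscriptionId string = subscription().subscriptionId

module asModule 'roleAssign.bicep' = {
  name: 'deploymentRoleAssign'
  // The two-argument form of resourceGroup() also covers the cross-subscription
  // case raised in the question; the one-argument form only reaches resource
  // groups in the current subscription.
  scope: resourceGroup(storageAccountSubscriptionId, storageAccountRgName)
  params: {
    accountName: storageAccountName
    principalId: principalId
    roleId: roleId
  }
}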
roleAssign.bicep
// Module: creates one role assignment on an existing storage account.
// It is deployed by a parent template with `scope:` set to the storage
// account's resource group, which is where the `existing` reference below is
// resolved.
param accountName string
param roleId string
param principalId string

// Read-only reference to the account; resolved in this module's deployment scope.
resource account 'Microsoft.Storage/storageAccounts@2022-09-01' existing = {
  name: accountName
}

// Role definition looked up by its name (roleId).
// NOTE(review): it is resolved at the storage account scope here. Confirm the
// resulting id is the form you expect; a subscription-scoped lookup is the
// more common pattern for built-in roles.
resource roleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
  name: roleId
  scope: account
}

// Least privilege: the assignment applies to this one storage account only.
// The name is a deterministic GUID over (account, principal, role), so a
// redeploy with the same inputs targets the same assignment instead of adding
// a duplicate.
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(account.id, principalId, roleDefinition.id)
  scope: account
  properties: {
    principalId: principalId
    // Hard-coded: this module only handles service principals.
    principalType: 'ServicePrincipal'
    roleDefinitionId: roleDefinition.id
  }
}
deploy.ps1
# Deploys main.bicep into a dedicated deployment resource group; the template
# then runs the role assignment against the storage account's own resource group.
# The signed-in account must be allowed to create role assignments on that
# storage account. The 'xxxxx' / 'xxxx' / "wbsaxxx" values are placeholders.

# Resource group that hosts the deployment record (created if missing).
$rgName   = "wb-deployment-rg"
$location = "eastus"

# Where the existing storage account lives.
$storageAccountRgName = "wb-sa-rg"
$storageAccountName   = "wbsaxxx"

# Role definition and the principal that receives it.
$roleId      = 'xxxxx'
$principalId = 'xxxx'

New-AzResourceGroup -Name $rgName -Location $location -Force

$templateFile = "main.bicep"

# Values passed to the parameters declared in main.bicep.
$params = @{
    roleId               = $roleId
    principalId          = $principalId
    storageAccountRgName = $storageAccountRgName
    storageAccountName   = $storageAccountName
}

# Splatting replaces the backtick line continuations, which break silently if
# trailing whitespace follows the backtick.
$deploymentArgs = @{
    Name                    = 'wbtest'
    ResourceGroupName       = $rgName
    TemplateFile            = $templateFile
    TemplateParameterObject = $params
}
New-AzResourceGroupDeployment @deploymentArgs