我在存储帐户 RBAC 中将角色分配给托管身份时遇到错误
代码:
RoleAssignmentCreateOrUpdateContent roleData = new RoleAssignmentCreateOrUpdateContent(
roleDefinitionId: new ResourceIdentifier(string.Concat("/subscriptions/",
SubscriptionId, "/providers/Microsoft.Authorization/roleDefinitions/", roleId)),
principalId: (Guid)userIdentity.PrincipalId
)
{
PrincipalType = RoleManagementPrincipalType.ServicePrincipal
};
ArmOperation<RoleAssignmentResource> roleAssignmentOperation =
roleCollection.CreateOrUpdateAsync(
WaitUntil.Completed,
Guid.NewGuid().ToString(),
roleData
).GetResult();
这是我遇到的错误
ERROR: System.Exception: The client 'xxx' with object id
'xxx' does not have authorization to perform action
'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/xxx
/resourceGroups/name/providers/Microsoft.Storage/storageAccounts/name/providers
/Microsoft.Authorization/roleAssignments/xxx' or the scope is invalid.
If access was recently granted, please refresh your credentials.
ERROR: Status: 403 (Forbidden)
ERROR: ErrorCode: AuthorizationFailed
对象 ID 为“xxx”的客户端“xxx”无权执行操作“Microsoft.Authorization/roleAssignments/write” 范围 '/subscriptions/xxx /resourceGroups/name/providers/Microsoft.Storage/storageAccounts/name/providers /Microsoft.Authorization/roleAssignments/xxx' 或范围无效
如果用户或客户端没有执行该操作所需的角色,通常会发生此错误。
要为托管标识分配存储帐户角色分配,用户或客户端必须具有
User Access Administrator
角色或 Owner
角色。
要解决该错误,在您的情况下尝试将其中一个角色分配给客户端(对象 ID 为“xxx”的客户端“xxx”):
转到 Azure 门户 -> 订阅 -> 选择你的订阅 -> 添加 -> 添加角色分配 -> 选择特权管理员角色 -> 用户访问管理员
将角色分配给用户(对象 ID 为“xxx”的客户端“xxx”):
分配角色后,您将能够为托管标识分配存储帐户角色分配。