如何使用 BICEP 将 Azure AD PIM 分配给自定义 RBAC 角色
我正在尝试使用下面的 BICEP 模板将 PIM 分配给范围订阅级别的自定义 RBAC 角色。 targetScope = '订阅' 参数开始时间字符串 = utcNow()
resource symbolicname 'Microsoft.Authorization/roleEligibilityScheduleRequests@2022-04-01-preview' = {
name: 'string'
scope: subscription()
properties: {
principalId: 'xxxx'
requestType: 'AdminAssign'
roleDefinitionId:'xxxx'
scheduleInfo: {
expiration: {
duration: 'P365D'
//endDateTime: 'string'
type: 'AfterDuration'
}
startDateTime: startTime
}
/* targetRoleEligibilityScheduleId: 'xxxxx'
targetRoleEligibilityScheduleInstanceId: 'string'
ticketInfo: {
ticketNumber: 'string'
ticketSystem: 'string'
}*/
}
}
对于PrincipalID,我提供了Azure AD 组的对象ID。 对于 roleDefinitionID,我提供了自定义角色的角色定义 ID。
但是,我在通过 Azure CLI 部署时遇到了错误:
{
"status": "Failed",
"error": {
"code": "DeploymentFailed",
"target": "/subscriptions/xxxx/providers/Microsoft.Resources/deployments/Mscript",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
"details": [
{
"code": "InvalidRoleAssignmentRequest",
"message": "The role assignment request id is invalid."
}
]
}
}
请提供此问题的解决方案。
“角色分配请求 ID 无效。”:
当我在我的环境中尝试时,也收到了相同的错误,如图所示。
在对您的问题执行解决方法后,我发现了请求失败的原因。根据二头肌的命名限制,您必须以正确且独特的格式提供
Request ID
,类似于 name: guid(resourceGroup().id, principalId, 'abcxx')
。
targetScope = 'subscription'
param startTime string = utcNow()
param roleDefinitionId string = 'xxxxx'
param principalId string = 'xxx'
param subscriptionId string = 'xxxx'
resource pimAssignment 'Microsoft.Authorization/roleEligibilityScheduleRequests@2022-04-01-preview' = {
name: guid(subscription().id, principalId, roleDefinitionId, 'abcxxx')
properties: {
principalId: principalId
requestType: 'AdminAssign'
roleDefinitionId: roleDefinitionId
scheduleInfo: {
expiration: {
duration: 'P365D'
type: 'AfterDuration'
}
startDateTime: startTime
}
}
}
请参阅此文档以获取更多相关信息。