我有一个存储帐户,我想在“存储帐户密钥操作员服务角色”中授予我的应用服务之一的权限。类似于 Azure 门户中的以下操作。
问问题
689 次
2 回答
1
也欢迎任何好的解决方法。
这里有一些解决方法。
1.使用powershell,参考这个链接。
New-AzureRmRoleAssignment -ObjectId <ObjectId> -RoleDefinitionName "Storage Account Key Operator Service Role" -Scope "<your storage account resourceID>"
2.使用Azure CLI,参考这个链接。
az role assignment create --role "Storage Account Key Operator Service Role" --assignee-object-id "<object-id>" --scope "<your storage account resourceID>"
3.使用Rest API,参考这个链接。
PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentName}?api-version=2015-07-01
4.使用ARM模板,参考这个链接。
于 2018-10-12T06:23:05.080 回答
0
在花了这么多时间之后,我能够使用 python 来授权应用服务。这是我遵循的方法
您使用的凭据应属于订阅所有者,因为不允许贡献者进行访问更改。
这是需要安装的python包
azure-mgmt-authorization==0.50.0
azure-graphrbac==0.51.0
这是代码片段
subscription_id = config['SUBSCRIPTION_ID']
credentials = ServicePrincipalCredentials(
client_id=config['AZURE_CLIENT_ID'],
secret=config['AZURE_CLIENT_SECRET'],
tenant=config['AZURE_TENANT_ID']
)
graph_credentials = ServicePrincipalCredentials(
client_id=config['AZURE_CLIENT_ID'],
secret=config['AZURE_CLIENT_SECRET'],
tenant=config['AZURE_TENANT_ID'],
resource="https://graph.windows.net"
)
def get_object_id(full_app_name, resource_name_prefix, resource_type="Microsoft.Web/sites"):
gcli = GraphRbacManagementClient(graph_credentials, config['AZURE_TENANT_ID'])
sp = gcli.service_principals.list(filter="displayName eq '%s'" % full_app_name)
sp = next(sp, False)
if sp:
print("Found Service Principal %s" % sp.display_name)
return sp.object_id
else:
raise Exception("Service Principal not found")
def delete_keylistrole_appservice(resource_group_name, storage_name, role_assignment_name):
resource_provider = "Microsoft.Storage"
resource_type = "storageAccounts"
scope = '/subscriptions/%s/resourceGroups/%s/providers/%s/%s/%s' % (
subscription_id, resource_group_name, resource_provider, resource_type, storage_name)
auth_cli = AuthorizationManagementClient(credentials, subscription_id, api_version="2015-07-01")
resp = auth_cli.role_assignments.delete(scope, role_assignment_name)
print("%s App Service access revoked %s Storage account" % (role_assignment_name, storage_name))
def assign_keylistrole_appservice(resource_group_name, storage_name, app_service_name):
resource_provider = "Microsoft.Storage"
resource_type = "storageAccounts"
scope = '/subscriptions/%s/resourceGroups/%s/providers/%s/%s/%s' % (
subscription_id, resource_group_name, resource_provider, resource_type, storage_name)
role_assignment_name = str(uuid.uuid4())
role_id = "/subscriptions/%s/providers/Microsoft.Authorization/roleDefinitions/%s" % (subscription_id, "81a9662b-bebf-436f-a333-f67b29880f12")
principal_id = get_object_id(app_service_name)
props = RoleAssignmentProperties(role_definition_id=role_id, principal_id=principal_id)
auth_cli = AuthorizationManagementClient(credentials, subscription_id, api_version="2015-07-01")
resp = auth_cli.role_assignments.create(scope, role_assignment_name, properties=props)
print("%s App Service authorized to access %s Storage account" % (app_service_name, storage_name))
return role_assignment_name
请注意 graph_credentials 它们与凭据不同,因为它们需要 resource="https://graph.windows.net"
于 2018-10-18T14:25:14.353 回答