
I am trying to create a storage account and blob storage, and then create a role assignment on the storage account. Below is the code, storagedeploy.json:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "Project": {
      "type": "string",
      "metadata": {
        "description": "Project name"
      }
    },
    "Environment": {
      "type": "string",
      "metadata": {
        "description": "Environment name"
      }
    },
    "location": {
      "type": "string",
      "metadata": {
        "description": "Location for all resources."
      }
    }
  },
  "variables": {
    "storageAccountName": "[toLower(concat(parameters('Project'), parameters('Environment'), uniqueString(resourceGroup().id)))]"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2019-04-01",
      "name": "[variables('storageAccountName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Standard_LRS",
        "tier": "Standard"
      },
      "kind": "StorageV2",
      "properties": {
        "networkAcls": {
          "bypass": "AzureServices",
          "virtualNetworkRules": [],
          "ipRules": [],
          "defaultAction": "Allow"
        },
        "supportsHttpsTrafficOnly": true,
        "encryption": {
          "services": {
            "file": {
              "enabled": true
            },
            "blob": {
              "enabled": true
            }
          },
          "keySource": "Microsoft.Storage"
        },
        "accessTier": "Hot"
      }
    },
    {
      "type": "Microsoft.Storage/storageAccounts/blobServices",
      "apiVersion": "2019-04-01",
      "name": "[concat(variables('storageAccountName'), '/default')]",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
      ],
      "properties": {
        "cors": {
          "corsRules": []
        },
        "deleteRetentionPolicy": {
          "enabled": false
        }
      }
    },
    {
      "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
      "apiVersion": "2019-04-01",
      "name": "[concat(variables('storageAccountName'), '/default/mycompany-project123-dev-data-store-ue1')]",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('storageAccountName'), 'default')]",
        "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
      ],
      "properties": {
        "publicAccess": "None"
      }
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "name": "[guid(resourceGroup().id)]",
      "apiVersion": "2019-04-01-preview",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('storageAccountName'), 'default')]",
        "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
      ],
      "properties": {
        "roleDefinitionId": "[concat(subscription().id, '/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab')]",
        "principalId": "xxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxx",
        "scope": "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
      }
    }
  ]
}

When I run it, I get the following problem:

PS C:\work\azure\azure-devops\resourcetemplates\staticresources> az group deployment create --resource-group myproject-devops --template-file .\storagedeploy.json
Please provide string value for 'Project' (? for help): ert
Please provide string value for 'Environment' (? for help): fds
Please provide string value for 'location' (? for help): eastus2
Deployment failed. Correlation ID: xxxx-x-x-x-x--x-xxxxxxx. {
  "error": {
    "code": "InvalidCreateRoleAssignmentRequest",
    "message": "The request to create role assignment 'xxxx--x-x-x--x-x-x-sxxssxxx' is not valid. Role assignment scope '/subscriptions/xxxxxxxx3-xxxxxxxd-xxxxxxxd-xxe-xxxxxxxx2/resourceGroups/myproject-devops/providers/Microsoft.Storage/storageAccounts/ertfds5h4nafspjqzii' must match the scope specified on the URI '/subscriptions/xxxxxxxx3-xxxxxxxd-xxxxxxxd-xxe-xxxxxxxx2/resourcegroups/myproject-devops'."
  }
}

I tried Googling, but got different solutions. Where exactly am I going wrong? I tried to follow this question on Stack Overflow.

Also, I am trying to assign permissions to a specific resource, e.g. to assign to storage; below is the code, which works fine:

{
  "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
  "name": "[concat(variables('storageAccountName'),'/Microsoft.Authorization/',guid(subscription().subscriptionId))]",
  "apiVersion": "2019-04-01-preview",
  "dependsOn": [
    "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('storageAccountName'), 'default')]",
    "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
  ],
  "properties": {
    "roleDefinitionId": "[concat(resourceGroup().id, '/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab')]",
    "principalId": "[parameters('principalId')]",
    "scope": "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
  }
}

But I need to do the same for Cosmos DB, Redis Cache and Key Vault, and there it does not work; I don't know where I am going wrong. Below is the code:

For Cosmos DB:

{
  "type": "Microsoft.DocumentDB/databaseAccounts/providers/roleAssignments",
  "name": "[concat(variables('cosmosDBAccountName'),'/Microsoft.Authorization/',guid(subscription().subscriptionId))]",
  "apiVersion": "2019-04-01-preview",
  "dependsOn": [
    "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', variables('cosmosDBAccountName'), parameters('Project'))]",
    "[resourceId('Microsoft.DocumentDB/databaseAccounts', variables('cosmosDBAccountName'))]"
  ],
  "properties": {
    "roleDefinitionId": "[concat(resourceGroup().id, '/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450')]",
    "principalId": "[parameters('principalId')]",
    "scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts', variables('cosmosDBAccountName'))]"
  }
}

For Redis Cache:

{
  "type": "Microsoft.Cache/Redis/providers/roleAssignments",
  "name": "[concat(variables('redisCacheName'),'/Microsoft.Authorization/',guid(subscription().subscriptionId))]",
  "apiVersion": "2019-04-01-preview",
  "dependsOn": [
    "[resourceId('Microsoft.Cache/Redis', variables('redisCacheName'))]"
  ],
  "properties": {
    "roleDefinitionId": "[concat(resourceGroup().id, '/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17')]",
    "principalId": "[parameters('principalId')]",
    "scope": "[resourceId('Microsoft.Cache/Redis', variables('redisCacheName'))]"
  }
}

For Key Vault:

{
  "type": "Microsoft.KeyVault/vaults/providers/roleAssignments",
  "name": "[concat(variables('keyVaultName'),'/Microsoft.Authorization/',guid(subscription().subscriptionId))]",
  "apiVersion": "2019-04-01-preview",
  "dependsOn": [
    "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
  ],
  "properties": {
    "roleDefinitionId": "[concat(resourceGroup().id, '/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395')]",
    "principalId": "[parameters('principalId')]",
    "scope": "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
  }
}
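A resource-scoped variant of the four role assignments, added here as an example; it is not part of the question or of either answer. It keeps the extension-resource form (`<resource type>/providers/roleAssignments`) that the question reports working for the storage account, so each assignment is scoped to exactly one resource rather than to the resource group. Two things differ from the snippets above: every assignment gets its own name, derived with `guid()` from the target resource ID, the principal and the role (the snippets above all use the single name `guid(subscription().subscriptionId)`, and role assignment names must be unique GUIDs), and the built-in role definitions are referenced through `subscriptionResourceId`. The role definition IDs are the ones used in the question. Assumptions: `principalId` is a service principal or managed identity (hence `principalType`, which the 2019-04-01-preview API accepts), the resource names are passed in as parameters, and the four target resources are declared earlier in the same template, which is what the `dependsOn` entries require; if the resources already exist, remove `dependsOn`.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "principalId": {
      "type": "string",
      "metadata": { "description": "Object ID of the service principal or managed identity (assumed)" }
    },
    "storageAccountName": { "type": "string" },
    "cosmosDBAccountName": { "type": "string" },
    "redisCacheName": { "type": "string" },
    "keyVaultName": { "type": "string" }
  },
  "variables": {
    "storageRoleId": "17d1049b-9a84-46fb-8f53-869881c3d3ab",
    "cosmosRoleId": "5bd9cd88-fe45-4216-938b-f97437e15450",
    "redisRoleId": "e0f68234-74aa-48ed-b826-c38b57376e17",
    "keyVaultRoleId": "f25e0fa2-a7c8-4377-a976-54943a77a395",
    "storageId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
    "cosmosId": "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('cosmosDBAccountName'))]",
    "redisId": "[resourceId('Microsoft.Cache/Redis', parameters('redisCacheName'))]",
    "keyVaultId": "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
  },
  "resources": [
    {
      "comments": "Added example: same extension-resource form as the working storage snippet in the question; name is unique per target/principal/role",
      "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
      "apiVersion": "2019-04-01-preview",
      "name": "[concat(parameters('storageAccountName'), '/Microsoft.Authorization/', guid(variables('storageId'), parameters('principalId'), variables('storageRoleId')))]",
      "dependsOn": [ "[variables('storageId')]" ],
      "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('storageRoleId'))]",
        "principalId": "[parameters('principalId')]",
        "principalType": "ServicePrincipal",
        "scope": "[variables('storageId')]"
      }
    },
    {
      "comments": "Added example: scoped to the Cosmos DB account only",
      "type": "Microsoft.DocumentDB/databaseAccounts/providers/roleAssignments",
      "apiVersion": "2019-04-01-preview",
      "name": "[concat(parameters('cosmosDBAccountName'), '/Microsoft.Authorization/', guid(variables('cosmosId'), parameters('principalId'), variables('cosmosRoleId')))]",
      "dependsOn": [ "[variables('cosmosId')]" ],
      "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('cosmosRoleId'))]",
        "principalId": "[parameters('principalId')]",
        "principalType": "ServicePrincipal",
        "scope": "[variables('cosmosId')]"
      }
    },
    {
      "comments": "Added example: scoped to the Redis cache only",
      "type": "Microsoft.Cache/Redis/providers/roleAssignments",
      "apiVersion": "2019-04-01-preview",
      "name": "[concat(parameters('redisCacheName'), '/Microsoft.Authorization/', guid(variables('redisId'), parameters('principalId'), variables('redisRoleId')))]",
      "dependsOn": [ "[variables('redisId')]" ],
      "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('redisRoleId'))]",
        "principalId": "[parameters('principalId')]",
        "principalType": "ServicePrincipal",
        "scope": "[variables('redisId')]"
      }
    },
    {
      "comments": "Added example: scoped to the Key Vault only",
      "type": "Microsoft.KeyVault/vaults/providers/roleAssignments",
      "apiVersion": "2019-04-01-preview",
      "name": "[concat(parameters('keyVaultName'), '/Microsoft.Authorization/', guid(variables('keyVaultId'), parameters('principalId'), variables('keyVaultRoleId')))]",
      "dependsOn": [ "[variables('keyVaultId')]" ],
      "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('keyVaultRoleId'))]",
        "principalId": "[parameters('principalId')]",
        "principalType": "ServicePrincipal",
        "scope": "[variables('keyVaultId')]"
      }
    }
  ]
}
```

Deploy it into the resource group with `az deployment group create --resource-group <rg> --template-file <file>` (the newer form of `az group deployment create` used in the question), and confirm the result with `az role assignment list --scope <resource id>`: each assignment should appear at the resource, and none at the resource group.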

2 Answers


Made some changes to your json, and now it works for me:

{....
  .......
    ......

    {
      "type": "Microsoft.Authorization/roleAssignments",
      "name": "[guid(resourceGroup().id)]",
      "apiVersion": "2019-04-01-preview",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('storageAccountName'), 'default')]",
        "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
      ],
      "properties": {
        "roleDefinitionId": "[concat(resourceGroup().id, '/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab')]",
        "principalId": "xxxxxxxxxxxxxxxxxxxxxxxxxx",
        "scope": "[resourceGroup().Id]"
      }
    }

  ]
}

As the error says, here you should make your role assignment scope match your resource group.


answered 2019-11-29T14:00:35.077

This means that the role you are trying to assign cannot be assigned at that scope. You should change the role to allow it to be assigned at that scope, or use another role / create a new custom role.

https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions#assignablescopes

answered 2019-11-29T10:02:14.223
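The check a practitioner would want after either answer. The first answer resolves the error by widening the assignment to the whole resource group, which grants the principal the storage role on every storage account in the group, not just the one being deployed; the second answer points at the role definition's assignableScopes. The audit script below, added here and not part of either answer, reads the JSON that `az role assignment list --all -o json` and `az role definition list -o json` produce (the `scope`, `principalId`, `roleDefinitionId`, `name`, `roleName` and `assignableScopes` fields) and flags three things: an assignment granted at a wider scope than the resource it was meant for, a role whose assignableScopes do not cover the scope it was assigned at, and an assignment name reused at a second scope (the templates in the question name every assignment `guid(subscription().subscriptionId)`; role assignment names must be unique GUIDs). The subscription, principal, resource and assignment IDs in the sample data are constructed placeholders, and the custom role in it is hypothetical; the two built-in role IDs are the ones from the question.

```python
"""Audit exported Azure RBAC assignments for scope drift (added example).

Input shapes follow `az role assignment list --all -o json` and
`az role definition list -o json`. All identifiers below are constructed.
"""
import json

# Constructed sample: one subscription, the question's resource group name,
# three resources. Not real identifiers.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/myproject-devops"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/ertfds5h4nafspjqzii"
REDIS = RG + "/providers/Microsoft.Cache/Redis/myredis"
VAULT = RG + "/providers/Microsoft.KeyVault/vaults/myvault"
OTHER_RG = SUB + "/resourceGroups/other-rg"
PRINCIPAL = "11111111-1111-1111-1111-111111111111"

# Built-in role IDs as used in the question; CUSTOM_ROLE is a hypothetical
# custom role whose assignableScopes only cover another resource group.
STORAGE_ROLE = "17d1049b-9a84-46fb-8f53-869881c3d3ab"
REDIS_ROLE = "e0f68234-74aa-48ed-b826-c38b57376e17"
CUSTOM_ROLE = "99999999-9999-9999-9999-999999999999"


def role_def_id(guid):
    """Full role definition resource ID, as az prints in roleDefinitionId."""
    return SUB + "/providers/Microsoft.Authorization/roleDefinitions/" + guid


SAMPLE_ASSIGNMENTS = json.dumps([
    # Granted at resource-group scope although only one storage account was meant.
    {"name": "aaaaaaaa-0000-0000-0000-000000000001", "principalId": PRINCIPAL,
     "roleDefinitionId": role_def_id(STORAGE_ROLE), "scope": RG},
    # Correctly scoped to the cache.
    {"name": "bbbbbbbb-0000-0000-0000-000000000002", "principalId": PRINCIPAL,
     "roleDefinitionId": role_def_id(REDIS_ROLE), "scope": REDIS},
    # Same name reused at a second scope, with a role not assignable there.
    {"name": "bbbbbbbb-0000-0000-0000-000000000002", "principalId": PRINCIPAL,
     "roleDefinitionId": role_def_id(CUSTOM_ROLE), "scope": VAULT},
])

SAMPLE_ROLE_DEFS = json.dumps([
    {"name": STORAGE_ROLE, "roleName": "Storage Account Key Operator Service Role",
     "assignableScopes": ["/"]},
    {"name": REDIS_ROLE, "roleName": "Redis Cache Contributor",
     "assignableScopes": ["/"]},
    {"name": CUSTOM_ROLE, "roleName": "Vault Reader (custom, hypothetical)",
     "assignableScopes": [OTHER_RG]},
])

# What each (principal, role) pair was supposed to get: one specific resource.
INTENDED = {(PRINCIPAL, STORAGE_ROLE): STORAGE, (PRINCIPAL, REDIS_ROLE): REDIS}


def scope_covers(assignable, target):
    """True if `assignable` includes `target`. "/" is the tenant root and covers
    everything; otherwise target must be that scope or a descendant. Compare
    case-insensitively on path-segment boundaries: ARM scopes are
    case-insensitive (the error in the question shows both 'resourceGroups'
    and 'resourcegroups'), and 'rg' must not match 'rg2'."""
    a = assignable.rstrip("/").lower()
    t = target.rstrip("/").lower()
    if a == "":
        return True
    return t == a or t.startswith(a + "/")


def role_assignable_at(role_def, target):
    """assignableScopes check: can this role definition be assigned at target?"""
    return any(scope_covers(s, target) for s in role_def.get("assignableScopes", []))


def audit(assignments_json, role_defs_json, intended):
    """Return a list of findings (strings) for the exported assignments.
    `intended` maps (principalId, role guid) -> resource ID the principal
    should hold that role on; anything broader than that is reported."""
    assignments = json.loads(assignments_json)
    defs_by_guid = {d["name"].lower(): d for d in json.loads(role_defs_json)}
    want = {(p.lower(), g.lower()): s for (p, g), s in intended.items()}
    findings, seen_names = [], {}
    for ra in assignments:
        guid = ra["roleDefinitionId"].rsplit("/", 1)[-1].lower()
        scope = ra["scope"]
        # 1. role assignment names must be unique GUIDs
        n = ra["name"].lower()
        if n in seen_names and seen_names[n] != scope:
            findings.append(f"duplicate assignment name {ra['name']} at {seen_names[n]} and {scope}")
        seen_names.setdefault(n, scope)
        # 2. the role must list a scope that covers the assignment scope
        rd = defs_by_guid.get(guid)
        if rd is not None and not role_assignable_at(rd, scope):
            findings.append(f"role '{rd['roleName']}' is not assignable at {scope}")
        # 3. least privilege: granted scope wider than the intended resource
        target = want.get((ra["principalId"].lower(), guid))
        if target and scope.lower() != target.lower() and scope_covers(scope, target):
            findings.append(f"{ra['principalId']} holds {guid} at {scope}, broader than intended {target}")
    return findings


def audit_sample():
    """Run the audit over the constructed sample data."""
    return audit(SAMPLE_ASSIGNMENTS, SAMPLE_ROLE_DEFS, INTENDED)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

On the sample this reports the resource-group-wide storage grant as broader than intended, the reused assignment name, and the custom role that is not assignable at the vault. To run it against a real subscription, feed it the output of the two `az` commands named above and an `intended` map built from the template's role assignment resources.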