
When deploying a marketplace managed application offer/service into a customer subscription, you can create an identity in the managed resource group associated with the managed application. However, for that identity to have any permissions, it must be assigned a role.

When the publisher and the customer are in the same tenant, the role assignment is created as expected and the identity has permissions within the managed resource group.

However, when the customer is in a different tenant (and Active Directory), I get the following error:

Principal not found in tenant '[PUBLISHER TENANT ID]'. If you are trying to put this role assignment in tenant '[CUSTOMER TENANT ID]', the delegatedManagedIdentityResourceId property must be specified.

Looking into the delegatedManagedIdentityResourceId mentioned above, it gets hairy quickly, and I'm not sure that is the road I want to go down, or whether it will get me where I need to be, which is having an identity in the managed resource group that has permission to perform read/write operations within the managed resource group.

Thank you.

4 Answers

I ran into the exact same issue. My case is also publishing a managed application via a marketplace offer. There are actually 2 related issues here.

  1. Assigning a role to the managed resource group will fail during deployment.

Note that it is a user in the customer's tenant deploying this managed application from the marketplace. However, this roleAssignments block is trying to locate the principal in the publisher's tenant. But the system-generated identity is created in the customer's tenant, since the managed application is deployed into the customer's tenant after all.

  2. The managed identity created from mainTemplate.json (either a user-assigned or a system-assigned managed identity) is not able to access any resource from within mainTemplate.json. This is due to the deny statement created by the marketplace. So even if a role assignment targets a resource within the template, the deployment will show success but the actual assignment will not be created.

So the workaround is to create an application in the publisher's AD and add it to a dedicated group, as discussed here.

Then create a client secret for this application. This gives this client ID full permission to all resources (being in the admin group, after all). Any application code running in the managed resource group then has to authenticate with AD using these credentials. A key vault should be created to store the credentials to prevent the customer from being able to read them.

At the end of the day, this approach is needed if your application code needs to call the Azure management API to read information.

answered 2020-06-30T16:24:42.350

A managed identity resource can only access resources in its own tenant. Managed identities currently do not support cross-tenant scenarios. Please refer to the known issues in the official Microsoft documentation.

answered 2020-06-03T16:12:38.767

So I have had some luck with the following:

  1. Create a managed identity with Owner scoped to resourceGroup().id. This identity appears to be confined to the customer's tenant (I couldn't do anything with the identity that required any kind of subscription/resource access...). Interestingly, when logged in as the publisher I can see this identity is granted Owner, but logging in as the customer reveals nothing?

[Screenshots: logged in as publisher; logged in as customer]

  2. Create a second managed identity, and set the managed identity from (1) as its delegatedManagedIdentityResourceId. This seems to produce a managed identity that is now scoped to the customer, so the second identity appears to be able to have roles assigned to it.

[Screenshots: consumer managed identity as seen by the publisher; consumer managed identity as seen by the customer]

I'm still not entirely sure why I need to do this... but now when I assign my consumer managed identity to a VM in my managed solution, the VM is able to access all resources in the managed resource group, whereas assigning the first managed identity to the VM caused me problems.

ARM template:

    {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "location": {
                "type": "string",
                "defaultValue": "[resourceGroup().location]"
            }
        },
        "resources": [
            {
                "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
                "apiVersion": "2018-11-30",
                "name": "publisherMI",
                "location": "[parameters('location')]"
            },
            {
                "type": "Microsoft.Authorization/roleAssignments",
                "apiVersion": "2021-04-01-preview",
                "name": "[guid('bootstrapRoleAssignmentId')]",
                "dependsOn": [
                    "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'publisherMI')]"
                ],
                "properties": {
                    "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
                    "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'publisherMI'), '2018-11-30').principalId]",
                    "scope": "[resourceGroup().id]",
                    "principalType": "ServicePrincipal"
                }
            },
            {
                "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
                "apiVersion": "2018-11-30",
                "name": "consumerMI",
                "location": "[parameters('location')]"
            },
            {
                "type": "Microsoft.Authorization/roleAssignments",
                "apiVersion": "2021-04-01-preview",
                "name": "[guid('consumerMiRoleAssignmentId')]",
                "dependsOn": [
                    "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'consumerMI')]",
                    "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'publisherMI')]"
                ],
                "properties": {
                    "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
                    "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'consumerMI'), '2018-11-30').principalId]",
                    "scope": "[resourceGroup().id]",
                    "principalType": "ServicePrincipal",
                    "delegatedManagedIdentityResourceId": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'publisherMI')]"
                }
            }
        ]
    }
answered 2021-10-05T03:11:22.087

For managed applications published through the marketplace, you know that the publisher and the customer exist in different tenants.

Now, when the customer deploys the application, the intent is that the publisher will manage the resources in the managed resource group. Therefore, any role assignment that happens as part of the template happens in the PUBLISHER's tenant. This means that when looking up the principal to assign to the role definition, the deployment will only look for the principal in the PUBLISHER tenant.

In a case like yours, where the managed identity is created as part of the template itself, the identity is created in the customer tenant, but if you try to create a role assignment it will fail because it won't find the principal in the publisher tenant. To resolve this, you need to specify the 'delegatedManagedIdentityResourceId' property. Its value should be the resourceId of the resource for which the managed identity was created.

  • For a system-assigned identity, this is the resource id of the resource that has the identity (e.g. the resource id of the function app / logic app)
  • For a user-assigned identity, it is the resource id of the identity itself.
answered 2020-09-12T00:12:33.107
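The answer above covers the system-assigned case only in words, and the template earlier on this page shows only user-assigned identities. The following is an added example, not code from any of the answers: a complete mainTemplate-style ARM template that deploys a Logic App with a system-assigned identity and grants that identity Reader on the managed resource group, setting delegatedManagedIdentityResourceId to the Logic App's own resource id (for a user-assigned identity the same property would point at the identity resource instead). The Logic App, the parameter names and the choice of the Reader role are assumptions made for illustration; Reader is used rather than Owner so the grant is no broader than a read-only management-API caller needs.

```json
{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "metadata": {
        "description": "Added example (not from the answers above): system-assigned identity plus a cross-tenant-safe role assignment. Resource names and the Reader role are illustrative assumptions."
    },
    "parameters": {
        "location": {
            "type": "string",
            "defaultValue": "[resourceGroup().location]"
        },
        "logicAppName": {
            "type": "string",
            "defaultValue": "publisher-automation",
            "metadata": {
                "description": "Assumed name of the resource that carries the system-assigned identity."
            }
        }
    },
    "variables": {
        "logicAppId": "[resourceId('Microsoft.Logic/workflows', parameters('logicAppName'))]",
        "readerRoleId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]"
    },
    "resources": [
        {
            "type": "Microsoft.Logic/workflows",
            "apiVersion": "2019-05-01",
            "name": "[parameters('logicAppName')]",
            "location": "[parameters('location')]",
            "identity": {
                "type": "SystemAssigned"
            },
            "properties": {
                "definition": {
                    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
                    "contentVersion": "1.0.0.0",
                    "triggers": {},
                    "actions": {},
                    "outputs": {}
                }
            }
        },
        {
            "type": "Microsoft.Authorization/roleAssignments",
            "apiVersion": "2020-04-01-preview",
            "name": "[guid(resourceGroup().id, parameters('logicAppName'), 'reader')]",
            "dependsOn": [
                "[variables('logicAppId')]"
            ],
            "properties": {
                "roleDefinitionId": "[variables('readerRoleId')]",
                "principalId": "[reference(variables('logicAppId'), '2019-05-01', 'Full').identity.principalId]",
                "principalType": "ServicePrincipal",
                "scope": "[resourceGroup().id]",
                "delegatedManagedIdentityResourceId": "[variables('logicAppId')]"
            }
        }
    ]
}
```

Two details matter here. The principalId must be read with the 'Full' form of reference(), because for a system-assigned identity it lives under identity.principalId rather than under properties. And the role assignment name is derived from the resource group id and the identity's resource name, so redeploying the same template into the same managed resource group is idempotent while separate customer deployments never collide.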