我有一个通过 ARM 模板定义的服务目录托管应用程序。在模板中,我创建了一个 linux VM 并运行了一个自定义脚本,该脚本从现有的 Azure Blob 存储下载所需的文件并启动我的应用程序。
我想使用 RBAC 来授予对现有 blob 存储的访问权限,以便在模板内不指定任何访问密钥或令牌,并且部署托管应用程序的用户不需要输入任何密钥或令牌。
因此,我在我的虚拟机上分配了以下角色来访问不同的资源组,从这个答案中获得灵感
{
"type": "Microsoft.Resources/deployments",
"name": "nested-role-assignment",
"apiVersion": "2017-05-10",
"resourceGroup": "myResourceGroup",
"subscriptionId": "[subscription().subscriptionId]",
"dependsOn": [
"[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2018-01-01-preview",
"type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
"name": "[concat('myStorageAccount', '/Microsoft.Authorization/', guid(subscription().subscriptionId, 'foo'))]",
"properties": {
"roleDefinitionId": "[variables('StorageBlobContributor')]",
"principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines', variables('vmName')),'2019-12-01', 'Full').identity.principalId]",
"scope": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/myStorageAccount')]"
}
}
]
}
}
}
这在我使用以 azure 门户全局管理员身份登录的 CLI 部署托管应用程序时有效。
当我创建托管应用程序定义并以 Azure AD 用户身份从服务目录部署应用程序时,我收到错误 -
{
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
"details": [
{
"code": "Conflict",
"message": "{\r\n \"status\": \"Failed\",\r\n \"error\": {\r\n \"code\": \"ResourceDeploymentFailure\",\r\n \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\",\r\n \"details\": [\r\n {\r\n \"code\": \"ApplianceDeploymentFailed\",\r\n \"message\": \"The operation to create appliance failed. Please check operations of deployment 'managed-app' under resource group '/subscriptions/<subscr-id>/resourceGroups/<managed-rg>'. Error message: 'At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.'\",\r\n \"details\": [\r\n {\r\n \"code\": \"BadRequest\",\r\n \"message\": \"{\\r\\n \\\"error\\\": {\\r\\n \\\"code\\\": \\\"InvalidTemplateDeployment\\\",\\r\\n \\\"message\\\": \\\"The template deployment failed with error: 'Authorization failed for template resource 'myResourceGroup/Microsoft.Authorization/<some-id>' of type 'Microsoft.Storage/storageAccounts/providers/roleAssignments'. The client '<client-id>' with object id '<client-id>' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/<subscr-id>/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/myStorageAccount/providers/Microsoft.Authorization/roleAssignments/<some-id>'.'.\\\"\\r\\n }\\r\\n}\"\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}"
}
]
}
它说客户端 ID 无权执行操作“Microsoft.Authorization/roleAssignments/write”。我在这里找不到客户端 ID 代表什么。
为了对此进行分类,我为我的用户分配了“所有者”角色,以便它可以“编写”角色分配,但这并没有帮助。收到相同的错误。
Azure AD 用户不能在不同的资源组中编写角色分配是有道理的。在那种情况下,这里的正确解决方案是什么?
总之,如何使用 arm 模板授予对由服务目录应用程序创建的 VM 的访问权限,以便它可以从现有的 blob 存储(使用 RBAC)下载文件?
- 编辑 -
我之前使用的是“系统分配”身份,但我需要一个用户分配的身份。按照本指南,我创建了一个用户分配的身份(在门户中),并授予它访问我的 blob 存储的权限。然后我更新createUiDefinition了在部署我的托管应用程序时选择身份。上面提到的错误消失了,但是标识没有分配给新创建的虚拟机。
我尝试通过以下方式将身份分配给VM mainTemplate-
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2018-10-01",
"name": "[variables('vmName')]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]"
],
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"[variables('userAssignedIdentity')]": {}
}
},
但这会产生与以前类似的错误-
"The client 'some-id' with object id 'some-id' has permission to perform action 'Microsoft.Compute/virtualMachines/write'
on scope '/subscriptions/subscr-id/resourcegroups/mrg-20200827143250/providers/Microsoft.Compute/virtualMachines/new-vm';
however, it does not have permission to perform action
'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action'
on the linked scope(s) '/subscriptions/subscr-id/resourceGroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-user-identity' or the linked scope(s) are invalid.
我创建了授权为“所有者”和“托管身份提供者”的托管应用程序,还使用具有“所有者”角色的用户登录,但仍然没有运气。