我需要Reader
在应用程序资源组之外授予对我的托管应用程序的访问权限。部署应用程序的用户Owner
在订阅中,因此部署应该通过,但当前失败,因为资源部署是在身份下发生的Appliance Resource Provider
而不是用户。有没有办法使用托管应用程序创建角色分配?
mainTemplate.json
(MSI 创建 + 嵌套模板尝试在订阅范围内创建角色分配)的片段:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {...},
"variables": {...},
"resources": [
{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"name": "[parameters('applicationName')]",
"apiVersion": "2018-11-30",
"location": "[parameters('location')]"
},
...
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"name": "[variables('name')]",
"subscriptionId": "[subscription().subscriptionId]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('applicationName'))]"
],
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"principalId": {
"value": "[reference(resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('applicationName'))).principalId]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"principalId": {
"type": "string"
}
},
"variables": {},
"resources": [
// Role: Reader
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2018-09-01-preview",
"name": "[guid(parameters('principalId'), 'Subscription-Reader')]",
"properties": {
"principalId": "[parameters('principalId')]",
"roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7')]"
}
}
]
}
}
}
],
}
托管应用部署错误:
{
"status": "Failed",
"error": {
"code": "ApplianceDeploymentFailed",
"message": "The operation to create appliance failed. Please check operations of deployment 'xxx' under resource group '/subscriptions/xxx/resourceGroups/mrg-xxx-20210727122758'. Error message: 'At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.'",
"details": [
{
"code": "BadRequest",
"message": "{\r\n \"error\": {\r\n \"code\": \"InvalidTemplateDeployment\",\r\n \"message\": \"The template deployment failed with error: 'Authorization failed for template resource 'f8bc290b-5a10-5da9-a7c4-d2bd5b80cc2d' of type 'Microsoft.Authorization/roleAssignments'. The client '8b967430-badb-45ba-8d11-bca192994047' with object id '8b967430-badb-45ba-8d11-bca192994047' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/xxx/providers/Microsoft.Authorization/roleAssignments/f8bc290b-5a10-5da9-a7c4-d2bd5b80cc2d'.'.\"\r\n }\r\n}"
}
]
}
}