I am trying to create a custom role in Azure using the Azure CLI. I have been following this walkthrough:
I used exactly the same example in the role definition (adjusted only for my subscriptionId). When I run azure role create,
the output looks as if the role was created successfully:
info: Executing command role create
info: Validating role definition
+ Creating role definition "6b07875c-fa5b-4fc9-b95d-a665c3b4ad48"
info: Created role definition 6b07875c-fa5b-4fc9-b95d-a665c3b4ad48
data: Name : Virtual Machine Operator
data: Id : 6b07875c-fa5b-4fc9-b95d-a665c3b4ad48
data: Description : Can monitor and restart virtual machines.
data: AssignableScopes : 0=/subscriptions/xxxx
data: Actions : 0=Microsoft.Storage/*/read, 1=Microsoft.Network/*/read, 2=Microsoft.Compute/*/read, 3=Microsoft.Compute/virtualMachines/start/action, 4=Microsoft.Compute/virtualMachines/restart/action, 5=Microsoft.Authorization/*/read, 6=Microsoft.Resources/subscriptions/resourceGroups/read, 7=Microsoft.Insights/alertRules/*, 8=Microsoft.Insights/diagnosticSettings/*, 9=Microsoft.Support/*
data: NotActions :
data: IsCustom : true
data:
info: role create command OK
However, when I run azure role list, the new role does not show up, and azure role show "Virtual Machine Operator"
returns this:
info: Executing command role show
+ Searching for role definitions
info: No role definition matching the search criteria was found
info: role show command OK
The only hint I have found that anything happened at all is that if I try running azure role create again,
it returns this:
info: Executing command role create
info: Validating role definition
+ Creating role definition "ce84ed80-ec75-4465-b668-b0752b959fcd"
error: A role definition cannot be updated with a name that already exists.
error: Error information has been recorded to C:\Users\James\.azure\azure.err
error: role create command failed
Answer 0: (score: 0)
This may be what you are looking for.
This is the Azure CLI command for creating a new role in Azure, where RoleInfo.json is a local file holding all the configuration for that role: scopes, actions and data actions.
You need to follow Microsoft's custom role creation documentation to make sure everything is set up the right way.
az role definition create --role-definition RoleInfo.json
For example, the following is a sample JSON for a RateCardQueryRole.
{
  "Name": "MyRateCardRole",
  "IsCustom": true,
  "Description": "Rate Card query role",
  "Actions": [
    "Microsoft.Compute/virtualMachines/vmSizes/read",
    "Microsoft.Resources/subscriptions/locations/read",
    "Microsoft.Resources/providers/read",
    "Microsoft.ContainerService/containerServices/read",
    "Microsoft.Commerce/RateCard/read"
  ],
  "AssignableScopes": [
    "/subscriptions/YOUR_SUBSCRIPTION_ID"
  ]
}
Now you can check the newly created custom role in the Azure CLI with the following command.
az role definition list --custom-role-only true --name "Role Name"
Replace Role Name with the name of your new custom role.
That's it. Voilà! Hope this helps...
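As an added example (not part of the question or the answer above), a small Python linter that checks a role definition file in the RoleInfo.json shape before it is handed to az role definition create: it rejects invalid JSON (curly quotes are a common cause), requires Name, AssignableScopes and IsCustom true, validates the operation and scope syntax, flags a placeholder subscription id that was never replaced, and warns about broad wildcard operations. The accepted scope forms, the checks themselves and the sample document are my assumptions, not anything the answerer posted.

```python
import json
import re

# Constructed sample in the shape of the answer's RoleInfo.json; the subscription id
# is deliberately left as the placeholder the answer tells you to replace.
SAMPLE_ROLE = """{
  "Name": "MyRateCardRole",
  "IsCustom": true,
  "Description": "Rate Card query role",
  "Actions": [
    "Microsoft.Compute/virtualMachines/vmSizes/read",
    "Microsoft.Commerce/RateCard/read"
  ],
  "AssignableScopes": ["/subscriptions/YOUR_SUBSCRIPTION_ID"]
}"""

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Scope forms this linter accepts (assumption): subscription, resource group, management group.
SCOPE_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)(/resourceGroups/[^/]+)?$"
    r"|^/providers/Microsoft\.Management/managementGroups/[^/]+$"
)
# Operation strings look like <Provider>/<resource path>/<verb>, with '*' wildcards allowed.
ACTION_RE = re.compile(r"^[A-Za-z0-9.*]+(/[A-Za-z0-9.*]+)+$")


def lint_role_definition(text):
    """Return a list of problems found in a custom role definition JSON document."""
    problems = []
    try:
        role = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    for key in ("Name", "AssignableScopes"):
        if key not in role:
            problems.append(f"missing required field {key}")
    if role.get("IsCustom") is not True:
        problems.append("IsCustom must be true for a custom role")
    for key in ("Actions", "NotActions"):
        for op in role.get(key, []):
            if not isinstance(op, str) or not ACTION_RE.match(op):
                problems.append(f"{key}: malformed operation {op!r}")
            elif op == "*" or op.endswith("/*"):  # grants every verb under that path
                problems.append(f"{key}: broad wildcard {op!r}, review for least privilege")
    scopes = role.get("AssignableScopes") or []
    if not scopes:
        problems.append("AssignableScopes must list at least one scope")
    for scope in scopes:
        m = SCOPE_RE.match(scope) if isinstance(scope, str) else None
        if m is None:
            problems.append(f"AssignableScopes: unrecognised scope {scope!r}")
        elif m.group("sub") and not GUID_RE.match(m.group("sub")):
            problems.append(f"AssignableScopes: {m.group('sub')!r} is not a subscription GUID")
    return problems
```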