如何使用服务主体部署本地网关服务

时间:2017-12-14 09:53:08

标签: azure azure-devops azure-resource-manager gateway

我在Azure中使用本地网关连接,并尝试使用VSTS部署中的ARM模板进行部署。 VSTS部署具有资源管理器端点。似乎服务主体无法在Azure中创建本地数据网关服务,因为它没有对位于以下位置的已注册网关的权限:

/subscriptions/{subscriptionid}/providers/Microsoft.Web/locations/{location}/connectionGatewayInstallations/{OnPremGatewayId}

ARM模板中的代码非常简单,看起来像这样:

{
  "type": "Microsoft.Web/connectionGateways",
  "name": "[variables('OnPremGatewayName')]",
  "apiVersion": "2016-06-01",
  "location": "[resourceGroup().location]",
  "scale": null,
  "properties": {
    "connectionGatewayInstallation": {
      "id": "[concat('/subscriptions/', subscription().subscriptionid, '/providers/Microsoft.Web/locations/', toLower(replace(resourceGroup().location,' ','')),'/connectionGatewayInstallations/', parameters('OnPremGatewayId'))]"
    }
  },
  "dependsOn": []
},

部署会抛出此错误:

"error": {
"code": "AuthorizationFailed",
"message": "The connection gateway 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx' does not exist or the client with object id 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx' under tenant id '********' does not have administrative rights on it."
}
}'

我发现添加了一个可以分配给角色的新操作:

/Microsoft.Web/Locations/connectiongatewayinstallations/Read

我已经使用此操作创建了一个角色并将其添加到服务主体,但是dat似乎没有帮助。我使用以下脚本来创建角色:

$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = "On premises data gateway reader"
$role.Description = "Read registered On premises data gateways"
$role.Actions.Clear()
$role.Actions.Add("/Microsoft.Web/Locations/connectiongatewayinstallations/Read")
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/{subscriptionid}")
New-AzureRmRoleDefinition -Role $role
Get-AzureRmRoleDefinition -Name "On premises data gateway reader"

如何在注册网关上授予VSTS服务主体管理权限?

0 个答案:

没有答案