我在Azure中使用本地网关连接,并尝试使用VSTS部署中的ARM模板进行部署。 VSTS部署具有资源管理器端点。似乎服务主体无法在Azure中创建本地数据网关服务,因为它没有对位于以下位置的已注册网关的权限:
/subscriptions/{subscriptionid}/providers/Microsoft.Web/locations/{location}/connectionGatewayInstallations/{OnPremGatewayId}
ARM模板中的代码非常简单,看起来像这样:
{
"type": "Microsoft.Web/connectionGateways",
"name": "[variables('OnPremGatewayName')]",
"apiVersion": "2016-06-01",
"location": "[resourceGroup().location]",
"scale": null,
"properties": {
"connectionGatewayInstallation": {
"id": "[concat('/subscriptions/', subscription().subscriptionid, '/providers/Microsoft.Web/locations/', toLower(replace(resourceGroup().location,' ','')),'/connectionGatewayInstallations/', parameters('OnPremGatewayId'))]"
}
},
"dependsOn": []
},
部署会抛出此错误:
"error": {
"code": "AuthorizationFailed",
"message": "The connection gateway 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx' does not exist or the client with object id 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx' under tenant id '********' does not have administrative rights on it."
}
}'
我发现添加了一个可以分配给角色的新操作:
/Microsoft.Web/Locations/connectiongatewayinstallations/Read
我已经使用此操作创建了一个角色并将其添加到服务主体,但是dat似乎没有帮助。我使用以下脚本来创建角色:
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = "On premises data gateway reader"
$role.Description = "Read registered On premises data gateways"
$role.Actions.Clear()
$role.Actions.Add("/Microsoft.Web/Locations/connectiongatewayinstallations/Read")
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/{subscriptionid}")
New-AzureRmRoleDefinition -Role $role
Get-AzureRmRoleDefinition -Name "On premises data gateway reader"
如何在注册网关上授予VSTS服务主体管理权限?