Applying Azure RBAC to a resource using ARM

Time: 2018-09-14 23:54:59

Tags: json azure rbac arm-template

Is it possible to apply RBAC rules at the resource level via ARM? I was able to follow this Microsoft guide to add users/roles at the resource-group level, but not on a resource. Specifically, I'm trying to add a new Reader role to AppInsights via ARM. However, when I adjust the scope, the template just fails with the following error:


I'd like to know what the scope variable is for if it can't be changed. Should I modify the scope somewhere else to make this work?

Thanks!

5 answers:

Answer 0 (score: 1)

You can apply RBAC rules at the resource level via ARM; here is a sample template that applies an RBAC rule to an Azure VM:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "principalId": {
            "type": "string",
            "metadata": {
                "description": "Principal ID associated with the subscription ID"
            }
        },
        "virtualMachineName": {
            "type": "string",
            "metadata": {
                "description": "Name of the virtual machine"
            }
        },
        "builtInRoleType": {
            "type": "string",
            "metadata": {
                "description": "Built In Role Type for the Virtual Machine"
            },
            "allowedValues": [
                "Owner",
                "Contributor",
                "Reader",
                "Virtual Machine Contributor"
            ]
        },
        "guid": {
            "type": "string",
            "metadata": {
                "description": "A new GUID used to identify the role"
            }
        },
        "location": {
            "type": "string",
            "defaultValue": "[resourceGroup().location]",
            "metadata": {
                "description": "Location for all resources."
            }
        }
    },
    "variables": {
        "Owner": "[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
        "Contributor": "[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
        "Reader": "[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
        "Virtual Machine Contributor": "[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]",
        "resourceName": "[concat(parameters('virtualMachineName'), '/Microsoft.Authorization/', parameters('guid'))]"
    },
    "resources": [
        {
            "type": "Microsoft.Compute/virtualMachines/providers/roleAssignments",
            "apiVersion": "2017-05-01",
            "name": "[variables('resourceName')]",
            "properties": {
                "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
                "principalId": "[parameters('principalId')]"
            }
        }
    ]
}

Hope this helps.

Answer 1 (score: 1)

The key is to drop the scope property and instead nest the role assignment under the desired resource, by using Microsoft.FooResource/BarSubType/providers/roleAssignments as the type and naming it in the format {resourceName}/Microsoft.Authorization/{uniqueRoleAssignmentGuid}. Note that the GUID should be stable yet unique to this role assignment; a simple option is guid(subscription().subscriptionId, 'some-sub-identifier-if-you-wish').

Here is a template showing how to apply RBAC to a single resource using a user-assigned managed identity defined in the same template:

Source: https://www.henrybeen.nl/creating-an-authorization-rule-using-an-arm-template/

Answer 2 (score: 0)

RBAC can be applied at the resource level using ARM.

The example you referenced shows how to apply RBAC to a specific resource group, where the scope is the path of the resource group.

Here you are trying to assign a role to a specific resource. Changing the scope from the resource group to the resource (AppInsights) will work.

From the exception I can see that the resource path is probably not in the expected format.

The path for AppInsights should be in the following format:

/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/microsoft.insights/components/{insightName}

Hope setting up the scope this way helps!

Answer 3 (score: 0)

Answer 4 (score: 0)

Agreed that the documentation around this isn't very helpful. I wanted to add a set of role IDs as Owners on an App Insights resource without making the users Owners at the resource-group level. I didn't want to use the nested-resource approach because I wanted to iterate over an array of objects to create the roles dynamically, so after tweaking the type, name and scope properties, the following resource block worked for me:

    {
      "comments": "Add the Application Insights resource",
      "apiVersion": "2014-04-01",
      "name": "[variables('appInsightsName')]",
      "type": "Microsoft.Insights/components",
      "location": "[resourceGroup().location]",
      "properties": {
        "ApplicationId": "[variables('appInsightsName')]"
      }
    },
    {
      "comments": "Add the IAM roles to the App Insights resource",
      "condition": "[parameters('isProduction')]",
      "type": "Microsoft.Insights/components/providers/roleAssignments",
      "name": "[concat(variables('appInsightsName'),'/Microsoft.Authorization/',guid(parameters('roleAssignments')[copyIndex()].principalId))]",
      "apiVersion": "2017-05-01",
      "location": "[resourceGroup().location]",
      "properties": {
        "roleDefinitionId": "[concat(subscription().Id, '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", // Owner Role
        "principalId": "[parameters('roleAssignments')[copyIndex()].principalId]",
        "scope": "[resourceId('Microsoft.Insights/components', variables('appInsightsName'))]"
      },
      "copy": {
        "name": "appInsightsRoleAssignments",
        "count": "[length(parameters('roleAssignments'))]"
      },
      "dependsOn": [
        "[resourceId('Microsoft.Insights/components', variables('appInsightsName'))]"
      ]
    }
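Both the nested approach from answer 1 (type `{resourceType}/providers/roleAssignments`, name `{resourceName}/Microsoft.Authorization/{guid}`) and the scoped copy-loop block from answer 4 come down to the same two checks a reviewer wants before deploying: the assignment name is well formed, and the effective scope is the single resource rather than the resource group or subscription. The script below is an added example and is not code from the question or from any answer; it builds a nested role assignment following that naming rule and audits a list of resources for those two properties. Assumptions: `uuid5` stands in for ARM's `guid()` function (only determinism matters here), the subscription and principal IDs are constructed placeholders, and the audit reads literal scope paths, so a value that is still a template expression in square brackets is skipped rather than evaluated.

```python
import re
import uuid

# Built-in role definition GUIDs, as used in the answers above.
BUILTIN_ROLES = {
    "Owner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
    "Contributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
    "Reader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "Virtual Machine Contributor": "d73bb868-a0df-4d4d-bd69-98a00b01fccb",
}

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
ROLE_DEF_RE = re.compile(
    rf"^/subscriptions/[^/]+/providers/Microsoft\.Authorization/roleDefinitions/({GUID})$", re.I)
SUB_SCOPE_RE = re.compile(r"^/subscriptions/[^/]+$", re.I)
RG_SCOPE_RE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.I)


def role_definition_id(subscription_id, role):
    """Full roleDefinitionId for a built-in role; raises on an unknown role name."""
    if role not in BUILTIN_ROLES:
        raise ValueError(f"unknown built-in role: {role}")
    return f"/subscriptions/{subscription_id}/providers/Microsoft.Authorization/roleDefinitions/{BUILTIN_ROLES[role]}"


def stable_assignment_guid(subscription_id, target_resource, principal_id, role):
    """Deterministic name so a redeploy updates the same assignment instead of adding another.
    uuid5 is an assumption standing in for ARM's guid() function."""
    seed = "|".join(s.lower() for s in (subscription_id, target_resource, principal_id, role))
    return str(uuid.uuid5(uuid.NAMESPACE_URL, seed))


def build_nested_role_assignment(subscription_id, resource_type, resource_name, role, principal_id):
    """Emit a role assignment nested under one resource; no scope property is needed."""
    guid = stable_assignment_guid(subscription_id, f"{resource_type}/{resource_name}", principal_id, role)
    return {
        "type": f"{resource_type}/providers/roleAssignments",
        "apiVersion": "2017-05-01",
        "name": f"{resource_name}/Microsoft.Authorization/{guid}",
        "properties": {
            "roleDefinitionId": role_definition_id(subscription_id, role),
            "principalId": principal_id,
        },
    }


def classify_scope(scope):
    """Map a literal scope path to the level at which the role takes effect."""
    if scope.startswith("["):
        return "expression"  # unevaluated template expression; not checked here
    if SUB_SCOPE_RE.match(scope):
        return "subscription"
    if RG_SCOPE_RE.match(scope):
        return "resourceGroup"
    return "resource" if "/providers/" in scope else "unknown"


def audit_role_assignments(resources):
    """One finding per role assignment that is malformed or broader than a single resource."""
    findings = []
    for res in resources:
        rtype = res.get("type", "")
        if not rtype.lower().endswith("/roleassignments"):
            continue
        name, props = res.get("name", ""), res.get("properties", {})
        match = ROLE_DEF_RE.match(props.get("roleDefinitionId", ""))
        role = next((n for n, g in BUILTIN_ROLES.items() if match and g == match.group(1).lower()), None)
        if role is None:
            findings.append({"name": name, "issue": "unrecognised roleDefinitionId"})
        if rtype.lower() == "microsoft.authorization/roleassignments":
            level = classify_scope(props.get("scope", ""))  # standalone form: scope decides
        else:
            # Nested form: the type prefix is the parent type and the name must be
            # {parentName}/Microsoft.Authorization/{guid} with matching segment counts.
            parent_type = rtype.rsplit("/providers/", 1)[0]
            parts = name.split("/Microsoft.Authorization/")
            well_formed = (len(parts) == 2 and re.fullmatch(GUID, parts[1], re.I)
                           and parent_type.count("/") == parts[0].count("/") + 1)
            if not well_formed:
                findings.append({"name": name, "issue": "malformed nested name"})
                continue
            scope = props.get("scope")
            level = classify_scope(scope) if scope else "resource"
        if level in ("subscription", "resourceGroup"):
            findings.append({"name": name, "issue": f"{role or 'role'} granted at {level} scope, not at the resource"})
    return findings


# Constructed sample IDs (placeholders, not real subscriptions or principals).
SAMPLE_SUB = "00000000-0000-0000-0000-000000000000"
SAMPLE_PRINCIPAL = "11111111-1111-1111-1111-111111111111"
SAMPLE_RESOURCES = [
    # Reader on one Application Insights component, nested as answer 1 describes.
    build_nested_role_assignment(SAMPLE_SUB, "Microsoft.Insights/components", "my-appinsights", "Reader", SAMPLE_PRINCIPAL),
    # Standalone Owner assignment whose scope is the whole resource group.
    {"type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2017-05-01",
     "name": "22222222-2222-2222-2222-222222222222",
     "properties": {"roleDefinitionId": role_definition_id(SAMPLE_SUB, "Owner"),
                    "principalId": SAMPLE_PRINCIPAL,
                    "scope": f"/subscriptions/{SAMPLE_SUB}/resourceGroups/my-rg"}},
    # Nested type, but the name lacks the Microsoft.Authorization segment.
    {"type": "Microsoft.Insights/components/providers/roleAssignments", "apiVersion": "2017-05-01",
     "name": "my-appinsights/33333333-3333-3333-3333-333333333333",
     "properties": {"roleDefinitionId": role_definition_id(SAMPLE_SUB, "Reader"),
                    "principalId": SAMPLE_PRINCIPAL}},
]

if __name__ == "__main__":
    for finding in audit_role_assignments(SAMPLE_RESOURCES):
        print(f"{finding['name']}: {finding['issue']}")
```

Run against the constructed list, the audit is silent on the nested Reader assignment, flags the Owner assignment as resource-group scoped, and rejects the nested entry whose name is missing the `Microsoft.Authorization` segment, which is the shape of name the deployment would also reject. To audit a real template, load its `resources` array after the expressions have been resolved (for example from a what-if or exported deployment), since the checker does not evaluate `[resourceId(...)]` and friends.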