I am trying to assign the role "Storage Blob Data Contributor (Preview)" to a specific storage container via an ARM template, but I just can't work out the correct syntax.
This is what I have:
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "principalId": {
      "type": "string",
      "metadata": {
        "description": "The principal to assign the role to"
      }
    },
    "builtInRoleType": {
      "type": "string",
      "allowedValues": [
        "Contributor",
        "Reader",
        "StorageBlobDataContributor"
      ],
      "metadata": {
        "description": "Built-in role to assign"
      }
    }
  },
  "variables": {
    "apiVersion": "2017-05-01",
    "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
    "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
    "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
    "StorageBlobDataContributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
    "TestVariable": "[concat('STORAGEACCOUNTNAME','/Microsoft.Authorization/',guid(subscription().subscriptionId))]"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
      "apiVersion": "[variables('apiVersion')]",
      "name": "[variables('TestVariable')]",
      "properties": {
        "roleDefinitionId": "[variables('Reader')]",
        "principalId": "[parameters('principalId')]"
      }
    },
    {
      "type": "Microsoft.Storage/storageAccounts/STORAGEACCOUNTNAME/blobServices/containers/blobCONTAINERNAME/providers/Microsoft.Authorization/roleAssignments",
      "apiVersion": "[variables('apiVersion')]",
      "name": "STORAGEACCOUNTNAME/blobServices/containers/default/blobCONTAINERNAME/Microsoft.Authorization/NEW-GUID",
      "properties": {
        "roleDefinitionId": "[variables('StorageBlobDataContributor')]",
        "principalId": "[parameters('principalId')]"
      }
    }
  ],
  "outputs": {}
}
```
I can successfully attach the Reader role to the storage account itself. But for the container, I get the following error:
```text
new-AzResourceGroupDeployment : 09:21:24 - Error: Code=InvalidTemplate; Message=Deployment template validation failed: 'The template resource
'STORAGEACCOUNTNAME/blobServices/containers/CONTAINERNAME/Microsoft.Authorization/GUID' for type
'Microsoft.Storage/storageAccounts/STORAGEACCOUNTNAME/blobServices/default/containers/CONTAINERNAME/providers/Microsoft.Authorization/roleAssignments' at line '44' and column '9' has incorrect
segment lengths. A nested resource type must have identical number of segments as its resource name. A root resource type must have segment length one greater than its resource name. Please see
https://aka.ms/arm-template/#resources for usage details.'.
```
I have tried so many ways of attaching the role that I have run out of ideas. Can anyone help me?
Answer 0 (score: 1)
With a couple of small tweaks:
```json
"type": "Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments",
"name": "STORAGEACCOUNTNAME/default/CONTAINERNAME/Microsoft.Authorization/NEW-GUID"
```
With this I can assign the role on the container itself. Thanks to 4c74356b41 for pointing me in the right direction.
Answer 1 (score: 0)
You need to construct something like this:
```text
resourceId/Microsoft.Authorization/roleAssignments/NEW-GUID
```
and a resourceId is generally constructed as
```text
type: provider/namespace
name: name
provider/namespace/name
```
For example, for a subnet it would be (notice how, starting from the first line, each line takes up one segment in turn, and the first one always takes two segments):
```text
type: microsoft.network/virtualnetworks/subnets
name: vnetName/subnetName
microsoft.network/virtualnetworks/vnetName/subnets/subnetName
```
So, if anything, it would look like this:
```json
"type": "Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments",
"name": "STORAGEACCOUNTNAME/default/CONTAINERNAME/Microsoft.Authorization/NEW-GUID"
```
```text
Microsoft.Storage/storageAccounts/STORAGEACCOUNTNAME/containers/CONTAINERNAME/providers/Microsoft.Authorization/roleAssignments/NEW-GUID
```
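The segment rule quoted in the deployment error, and the type/name interleaving the answer above describes, are easy to get wrong by hand. The following Python helper is an added example written for this page (assumed function names, not Azure's own tooling): it counts the `/`-separated segments of a resource `type` and `name`, applies the root/nested rule from the error text, and builds the relative resource ID by interleaving the two. It is run over the failing pair from the question, the corrected pair from the accepted answer, and the subnet example, all copied from this thread as constructed sample input.

```python
"""Segment-length check and resource-ID interleaving for ARM template resources.

Assumed helper written for this page (not Azure tooling). It encodes the rule
quoted in the deployment error: a root-level resource's "type" has one more
'/'-separated segment than its "name" (the extra segment is the provider
namespace), while a resource nested inside a parent's "resources" array has
equal counts. The relative resource ID is formed by interleaving the two.
"""
from typing import List, Tuple


def split_segments(path: str) -> List[str]:
    """Split on '/' and drop empty segments from stray leading/trailing slashes."""
    return [s for s in path.strip("/").split("/") if s]


def check_segment_lengths(resource_type: str, name: str, nested: bool = False) -> Tuple[bool, str]:
    """Return (ok, message) for a type/name pair, per the ARM segment rule."""
    t = len(split_segments(resource_type))
    n = len(split_segments(name))
    expected = n if nested else n + 1
    kind = "nested" if nested else "root"
    if t == expected:
        return True, f"ok: type has {t} segments, name has {n} ({kind} resource)"
    return False, (f"incorrect segment lengths: type has {t} segments, name has {n}; "
                   f"a {kind} resource type needs {expected}")


def build_resource_id(resource_type: str, name: str) -> str:
    """Interleave a root-level resource's type and name segments into its relative ID.

    The namespace (first type segment) stands alone; every following type
    segment is paired with one name segment. That pairing is why the container
    assignment needs 'default' in the name: it pairs with 'blobServices'.
    """
    ok, msg = check_segment_lengths(resource_type, name)
    if not ok:
        raise ValueError(msg)
    type_segs = split_segments(resource_type)
    name_segs = split_segments(name)
    parts = [type_segs[0]]
    for type_seg, name_seg in zip(type_segs[1:], name_segs):
        parts.extend([type_seg, name_seg])
    return "/".join(parts)


# Constructed sample pairs, copied from this thread: the failing pair from the
# question, the corrected pair from the accepted answer, and the subnet example.
BROKEN = (
    "Microsoft.Storage/storageAccounts/STORAGEACCOUNTNAME/blobServices/containers/"
    "blobCONTAINERNAME/providers/Microsoft.Authorization/roleAssignments",
    "STORAGEACCOUNTNAME/blobServices/containers/default/blobCONTAINERNAME/"
    "Microsoft.Authorization/NEW-GUID",
)
FIXED = (
    "Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments",
    "STORAGEACCOUNTNAME/default/CONTAINERNAME/Microsoft.Authorization/NEW-GUID",
)
SUBNET = ("microsoft.network/virtualnetworks/subnets", "vnetName/subnetName")


if __name__ == "__main__":
    for label, (rtype, rname) in (("broken", BROKEN), ("fixed", FIXED), ("subnet", SUBNET)):
        ok, msg = check_segment_lengths(rtype, rname)
        print(f"{label}: {msg}")
        if ok:
            print("  id:", build_resource_id(rtype, rname))
```

Running it reports the question's pair as 9 type segments against 7 name segments (the template repeats the account and container names inside `type`, and the name lacks the `default` segment for `blobServices`), while the corrected pair interleaves cleanly to `.../blobServices/default/containers/CONTAINERNAME/providers/Microsoft.Authorization/roleAssignments/NEW-GUID`, which is exactly the scope the role assignment ends up on.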
Answer 2 (score: 0)
Using Erik's answer above (which I have of course upvoted, Erik!), I was able to solve a similar problem with RBAC permissions on a storage account's queue using an ARM template.
Here is an example ARM template for adding the Sender role to a single queue of a storage account...
```json
<..snip..>
"parameters": {
  "PrincipalId": {
    "type": "string",
    "minLength": 36,
    "maxLength": 36
  }
},
"variables": {
  "SubscriptionId": "[concat('/subscriptions/', subscription().subscriptionId)]",
  "RoleDefinitions": "[concat(variables('SubscriptionId'), '/providers/Microsoft.Authorization/roleDefinitions/')]",
  "QueueSenderRole": "c6a89b2d-59bc-44d0-9896-0f6e12d7b80a"
},
"resources": [
  {
    "type": "Microsoft.Storage/storageAccounts/queueServices/queues/providers/roleAssignments",
    "name": "mystorageaccount/default/myqueue/Microsoft.Authorization/00000000-1234-0000-5678-000000000000", // NB example only; pick an idempotent but unique value
    "apiVersion": "2018-09-01-preview",
    "properties": {
      "roleDefinitionId": "[concat(variables('RoleDefinitions'), variables('QueueSenderRole'))]",
      "principalId": "[parameters('PrincipalId')]"
    }
  }
]
```