Below is my template and an error that makes no sense, because the scope seems to be in the correct order and this notation is allowed per (https://docs.microsoft.com/en-us/rest/api/authorization/roleassignments/create)
{
  "type": "Microsoft.Authorization/roleAssignments",
  "apiVersion": "2017-05-01",
  "name": "[guid(resourceGroup().id, 'windowsserverstorage')]",
  "dependsOn": ["[variables('storageaccountname')]"],
  "properties": {
    "roleDefinitionId": "[variables('Contributor')]",
    "principalId": "063fe2f0-7448-48e4-8661-dbb4e9f85d39",
    "scope": "/subscriptions/24ba3e4c-45e3-4d55-8132-6731ca25547f/resourceGroups/MyDemo/providers/Microsoft.Storage/storageAccounts/wkstorage2pzpd"
  }
},
The error is below:
Resource Microsoft.Authorization/roleAssignments '1aed14fd-8f7c-5636-989b-7c134b353fcc' failed with message '{
  "error": {
    "code": "InvalidCreateRoleAssignmentRequest",
    "message": "The request to create role assignment '1aed14fd-8f7c-5636-989b-7c134b353fcc' is not valid. Role assignment scope '/subscriptions/24ba3e4c-45e3-4d55-8132-6731cf25547f/resourceGroups/myDemo/providers/Microsoft.Storage/storageAccounts/wkstorage2pzpd' must match the scope specified on the URI '/subscriptions/24ba3e4c-45e3-4d55-8132-6731cf25547f/resourcegroups/myDemo'."
  }
}'
If I try to assign it the other way, as shown below, a different error is raised
{
  "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
  "apiVersion": "2017-05-01",
  "name": "[concat('wkstorage2pzpd/blobServices/default/networkadmins', '/Microsoft.Authorization/', guid(resourceGroup().id, '1231'))]",
  "dependsOn": [
    "[variables('storageaccountname')]"
  ],
  "properties": {
    "roleDefinitionId": "[variables('Contributor')]",
    "principalId": "063fe2f0-7448-48e4-8661-dbb4e9f85d39"
  }
},
Error:
The template resource 'wkstorage2pzpd/blobServices/default/Microsoft.Authorization/a4b69ebe-d58c-5309-9385-0a2e26d343a3' for type 'Microsoft.Storage/storageAccounts/providers/roleAssignments' at line '179' and column '9' has incorrect segment lengths. A nested resource type must have identical number of segments as its resource name. A root resource type must have segment length one greater than its resource name. Please see https://aka.ms/arm-template/#resources for usage details.'.
Answer 0 (score: 1)
If you want to assign a role to a service principal at the storage account level, try the template below; it works well for me.
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "principalId": {
      "type": "String",
      "metadata": {
        "description": "The principal to assign the role to"
      }
    },
    "builtInRoleType": {
      "allowedValues": [
        "Owner",
        "Contributor",
        "Reader"
      ],
      "type": "String",
      "metadata": {
        "description": "Built-in role to assign"
      }
    }
  },
  "variables": {
    "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
    "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
    "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
    "TestVariable": "[concat('YourStorageAccountName','/Microsoft.Authorization/',guid(subscription().subscriptionId))]"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
      "name": "[variables('TestVariable')]",
      "apiVersion": "2017-05-01",
      "properties": {
        "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
        "principalId": "[parameters('principalId')]"
      }
    }
  ]
}
Also, if you want to assign the role at the container level, see this link.
{
  "type": "Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments",
  "apiVersion": "[variables('apiVersion')]",
  "name": "STORAGEACCOUNTNAME/default/CONTAINERNAME/Microsoft.Authorization/NEW-GUID",
  "properties": {
    "roleDefinitionId": "[variables('StorageBlobDataContributor')]",
    "principalId": "[parameters('principalId')]"
  }
}
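The two errors in the question are both consistency rules that can be checked before a deployment ever reaches Azure: the first error says an explicit `properties.scope` must equal the scope the deployment runs at, and the second says a root-level resource type must have one more `/`-separated segment than its name. The script below is an added example written for this page (it is not code from the question, the answers, or Microsoft) that encodes both rules and derives the scope a `<parent type>/providers/roleAssignments` resource will land on, which is what a role-assignment listing would later show. The subscription id, the `11111111-…` GUIDs and the container name are constructed placeholders; the resource group `MyDemo` and storage account `wkstorage2pzpd` come from the question.

```python
"""Offline consistency checks for ARM role-assignment resources.

Added example, not code from the post or from Azure. It encodes the two rules
stated by the error messages in the question, using constructed sample values.
"""
from typing import Dict, List, Optional

AUTH_NS = "Microsoft.Authorization"


def segments(path: str) -> List[str]:
    """Split a resource type or name on '/', ignoring empty leading/trailing parts."""
    return [s for s in path.strip("/").split("/") if s]


def check_segment_lengths(resource_type: str, name: str) -> bool:
    """Second error in the question: a root-level resource's type must have exactly
    one more segment than its name. The provider namespace ('Microsoft.Storage')
    counts as a segment of the type."""
    return len(segments(resource_type)) == len(segments(name)) + 1


def effective_scope(deployment_scope: str, resource_type: str, name: str) -> Optional[str]:
    """Scope the assignment will land on when deployed into `deployment_scope`
    (a resource-group id). A plain Microsoft.Authorization/roleAssignments resource
    is scoped to the deployment itself; a '<parent type>/providers/roleAssignments'
    resource is scoped to the parent named by the name segments that precede
    'Microsoft.Authorization'. Returns None for malformed input."""
    tseg, nseg = segments(resource_type), segments(name)
    if tseg == [AUTH_NS, "roleAssignments"]:
        return deployment_scope
    if tseg[-2:] != ["providers", "roleAssignments"] or not check_segment_lengths(resource_type, name):
        return None
    if AUTH_NS not in nseg:
        return None
    parent_type = tseg[:-2]                    # e.g. ['Microsoft.Storage', 'storageAccounts']
    parent_name = nseg[: nseg.index(AUTH_NS)]  # e.g. ['wkstorage2pzpd']
    if len(parent_name) != len(parent_type) - 1:
        return None
    # Interleave type and name segments: namespace/type1/name1/type2/name2/...
    path = parent_type[0]
    for t, n in zip(parent_type[1:], parent_name):
        path += f"/{t}/{n}"
    return f"{deployment_scope}/providers/{path}"


def check_explicit_scope(deployment_scope: str, resource_type: str, name: str,
                         properties: Dict[str, str]) -> Optional[str]:
    """First error in the question: when properties.scope is given it must equal the
    scope the deployment implies. Resource ids are compared case-insensitively.
    Returns an error string, or None when consistent (or when no scope is declared)."""
    implied = effective_scope(deployment_scope, resource_type, name)
    declared = properties.get("scope")
    if declared is None or implied is None:
        return None
    if declared.lower() != implied.lower():
        return f"Role assignment scope '{declared}' must match deployment scope '{implied}'"
    return None


# Constructed sample values (the subscription id is a placeholder).
RG_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyDemo"
SA_SCOPE = RG_SCOPE + "/providers/Microsoft.Storage/storageAccounts/wkstorage2pzpd"

if __name__ == "__main__":
    # Question, first attempt: explicit scope below the deployment's own scope -> rejected.
    print(check_explicit_scope(RG_SCOPE, "Microsoft.Authorization/roleAssignments",
                               "11111111-1111-1111-1111-111111111111", {"scope": SA_SCOPE}))
    # Question, second attempt: 4-segment type with a 6-segment name -> rejected.
    print(check_segment_lengths("Microsoft.Storage/storageAccounts/providers/roleAssignments",
                                "wkstorage2pzpd/blobServices/default/networkadmins/Microsoft.Authorization/x"))
    # Accepted answer: 4-segment type, 3-segment name, lands on the storage account.
    print(effective_scope(RG_SCOPE, "Microsoft.Storage/storageAccounts/providers/roleAssignments",
                          "wkstorage2pzpd/Microsoft.Authorization/11111111-1111-1111-1111-111111111111"))
```

Run it as a plain script; the three prints correspond to the question's first error, the question's second error, and the scope the accepted answer's resource resolves to. Feeding it the container-level type from the answer (6 segments) with its 5-segment name passes the segment check and resolves to the container's resource id.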
Answer 1 (score: 0)
In addition to Joy's answer, you can also use the template below, which works well for me.
Parameters template:
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "principalId": {
      "value": "xxxxxxxxxxxxxxxxxxxxxxxx"
    },
    "builtInRoleType": {
      "value": "xxxxxxxxxxx"
    },
    "roleNameGuid": {
      "value": "xxxxxxxxxxxxxxxxxxxxxxxx"
    },
    "storageAccountName": {
      "value": "xxxxxxxxxxxxxxxxxxxxxxxx"
    }
  }
}
Main template:
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "principalId": {
      "type": "string",
      "metadata": {
        "description": "The principal to assign the role to"
      }
    },
    "builtInRoleType": {
      "type": "string",
      "allowedValues": [
        "Owner",
        "Contributor",
        "Reader"
      ],
      "metadata": {
        "description": "Built-in role to assign"
      }
    },
    "roleNameGuid": {
      "type": "string",
      "metadata": {
        "description": "A new GUID used to identify the role"
      }
    },
    "storageAccountName": {
      "type": "string",
      "metadata": {
        "description": "Name of the storage account"
      }
    }
  },
  "variables": {
    "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
    "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
    "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
    "resourceName": "[concat(parameters('storageAccountName'), '/Microsoft.Authorization/', parameters('roleNameGuid'))]"
  },
  "resources": [
    {
      "type": "/Microsoft.Storage/storageAccounts/providers/roleAssignments",
      "apiVersion": "2017-05-01",
      "name": "[variables('resourceName')]",
      "properties": {
        "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
        "principalId": "[parameters('principalId')]"
      }
    }
  ]
}
Answer 2 (score: 0)
He is trying to create the role assignment at the level/scope of the resource itself.
If you verify the accepted answer with this --> az role assignment list --all, you will see (using the accepted answer) that the scope is set to the resource group and not the resource itself. The answer given is wrong. Right?