Question

设置系统分配的托管身份后，我试图将角色分配给Web应用程序。问题是，如果在设置受管身份之后立即分配角色，则会抛出错误。

2019-04-04T07:57:12.9852397Z ##[error]Principal 438350e59xxxxxxxxxx935e5c135 does not exist in the directory ***.

因此，我添加了重试代码以尝试分配角色，直到主体可用为止。

$webappname = "devt002"
$resourcegroup = "devt002RG"
$roleDefinitionName = "Storage Blob Data Contributor"

#Set the system assigned managed identity
Set-AzureRmWebApp -AssignIdentity $true -ResourceGroupName "$resourcegroup" -Name "$webappname"

#Get webapp object id
$webapp = Get-AzureRmWebApp -ResourceGroupName "$resourcegroup" -Name "$webappname"
$objectid = [System.Guid]::Parse($webapp.Identity.PrincipalId)
write-host "Object ID :" $objectid

#Get resource id (Scope) for storage account
$webapp2 = Get-AzureRmResource -ResourceGroupName "$resourcegroup" -Name "$webappname" -ResourceType "Microsoft.Storage/storageAccounts"
$resid = $webapp2.ResourceId.ToString()
write-host "Resource ID :" $resid

#Get Assign role if already exist
$roles = Get-AzureRmRoleAssignment -ObjectId "$objectid"
write-host "Already Assigned Roles :" $roles.RoleDefinitionName

if($roles.RoleDefinitionName -Match "Storage Blob Data Contributor")
{
    Write-Host "Storage Blob Data Contributor role already exist !!!"
}
else
{
    #Assign role to web app (Object id)
    $retryCount = 5
    $totalRetries = $retryCount
    While ($True) 
    {
        Try 
        {
            $Null = New-AzureRmRoleAssignment -ObjectId $objectid -RoleDefinitionName "$roleDefinitionName" -Scope "$resid"
            Write-Host "Storage Blob Data Contributor role assign successfully !!!"
            Return
        }
        Catch 
        {
            # The principal could not be found. Maybe it was just created.
            If ($retryCount -eq 0) 
            {
                Write-Error "An error occurred: $($_.Exception)`n$($_.ScriptStackTrace)"
                throw "The principal '$objectId' cannot be granted '$roleDefinitionName' role on the web app '$webappname'. Please make sure the principal exists and try again later."
            }
            $retryCount--
            Write-Warning "  The principal '$objectId' cannot be granted '$roleDefinitionName' role on the web app '$webappname'. Trying again (attempt $($totalRetries - $retryCount)/$totalRetries)"
            Start-Sleep 10
        }
    }

}

但是这次发生以下错误。奇怪的是，角色已分配给网络应用。

2019-04-04T10:00:58.8423494Z Object ID : 31d52967-xxxx-xxxx-xxxx-b3944da09ab2
2019-04-04T10:01:02.6524758Z Resource ID : /subscriptions/4364666b-xxxx-xxxx-xxxx-47158904c439/resourceGroups/devt002RG/providers/Microsoft.Storage/storageAccounts/devt002
2019-04-04T10:01:04.2157521Z Already Assigned Roles : 
2019-04-04T10:01:14.1407666Z ##[warning]  The principal '31d52967-xxxx-xxxx-xxxx-b3944da09ab2' cannot be granted 'Storage Blob Data Contributor' role on the web app 'devt002'. Trying again (attempt 1/5)
2019-04-04T10:01:14.1417125Z ##[debug]Processed: ##vso[task.logissue type=warning]  The principal '31d52967-xxxx-xxxx-xxxx-b3944da09ab2' cannot be granted 'Storage Blob Data Contributor' role on the web app 'devt002'. Trying again (attempt 1/5)
2019-04-04T10:01:25.7075458Z ##[warning]  The principal '31d52967-xxxx-xxxx-xxxx-b3944da09ab2' cannot be granted 'Storage Blob Data Contributor' role on the web app 'devt002'. Trying again (attempt 2/5)
2019-04-04T10:01:25.7076201Z ##[debug]Processed: ##vso[task.logissue type=warning]  The principal '31d52967-xxxx-xxxx-xxxx-b3944da09ab2' cannot be granted 'Storage Blob Data Contributor' role on the web app 'devt002'. Trying again (attempt 2/5)
2019-04-04T10:01:37.5640393Z ##[warning]  The principal '31d52967-xxxx-xxxx-xxxx-b3944da09ab2' cannot be granted 'Storage Blob Data Contributor' role on the web app 'devt002'. Trying again (attempt 3/5)
2019-04-04T10:01:37.5640997Z ##[debug]Processed: ##vso[task.logissue type=warning]  The principal '31d52967-xxxx-xxxx-xxxx-b3944da09ab2' cannot be granted 'Storage Blob Data Contributor' role on the web app 'devt002'. Trying again (attempt 3/5)
2019-04-04T10:01:50.5967259Z ##[warning]  The principal '31d52967-xxxx-xxxx-xxxx-b3944da09ab2' cannot be granted 'Storage Blob Data Contributor' role on the web app 'devt002'. Trying again (attempt 4/5)
2019-04-04T10:01:50.5967755Z ##[debug]Processed: ##vso[task.logissue type=warning]  The principal '31d52967-xxxx-xxxx-xxxx-b3944da09ab2' cannot be granted 'Storage Blob Data Contributor' role on the web app 'devt002'. Trying again (attempt 4/5)
2019-04-04T10:02:02.7386688Z ##[warning]  The principal '31d52967-xxxx-xxxx-xxxx-b3944da09ab2' cannot be granted 'Storage Blob Data Contributor' role on the web app 'devt002'. Trying again (attempt 5/5)
2019-04-04T10:02:02.7387138Z ##[debug]Processed: ##vso[task.logissue type=warning]  The principal '31d52967-xxxx-xxxx-xxxx-b3944da09ab2' cannot be granted 'Storage Blob Data Contributor' role on the web app 'devt002'. Trying again (attempt 5/5)
2019-04-04T10:02:16.4259863Z ##[error]An error occurred: Microsoft.Rest.Azure.CloudException: The role assignment already exists.

Answer 1

它试图告诉您什么-等效角色分配存在一个不同的名称，并且您不能两次使用相同的名称进行相同的分配。

所以我想问题是，为什么您需要使用不同的名称两次分配相同的权限

Answer 2

我认为应该确保角色分配。对于相同的作用域或资源，只能将相同的角色分配给服务主体一次。在这种情况下，这意味着您只能将存储帐户的角色“存储Blob数据贡献者”分配给您的应用程序身份一次。

因此，当您检查角色分配是否存在时，只需检查PowerShell命令的结果是否为空。

Get-AzureRmRoleAssignment -ObjectId "$objectid" -RoleDefinitionName "$roleDefinitionName" -Scope "$resid"

我认为while循环不合适。如果角色分配可以成功创建，则只需一次。再过一次是没有意义的。因此，您只需要检查它是否成功。如果不是，那是什么原因。

更新

从您的PowerShell脚本中，我发现您使用以下命令来获取Web应用程序标识ID：

$objectid = [System.Guid]::Parse($webapp.Identity.PrincipalId)

这是不对的。您仅可以获得对象的结果，而不仅仅是ID。像这样：

两种获取ID的方法。

一个：$webapp.Identity.PrincipalId

两个：$objectid.Guid

我建议采用第一种方法，然后可以删除命令$objectid = [System.Guid]::Parse($webapp.Identity.PrincipalId)。

通过您的评论，启用Web应用程序托管身份的操作将需要一段时间才能生效。与使用while循环相比，在创建角色分配之前最好先睡一会儿。不久，只要睡30秒就足够了。

实施重试逻辑后，显示角色分配已存在错误

2 个答案: