In the Custom Script Extension of a virtual machine I want to run this command:
#download azcopy from http://aka.ms/downloadazcopy
c:\azcopy login --identity
C:\azcopy copy https://mystorage.blob.core.windows.net/software C:\Temp --recursive
But for this to work, the VM's identity has to be added as a "Storage Blob Data Contributor". In Terraform we can do that like this:
resource "azurerm_role_assignment" "role" {
  scope                = data.azurerm_storage_account.vault.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = azurerm_windows_virtual_machine.vm.identity.0.principal_id
}
But if we don't use Terraform and instead use Azure DevOps with ARM templates, how would you do it? The VM has not been created yet, so there is no identity to grant access to, and the Custom Script Extension is part of the creation.
Answer 0 (score: 2)
You can enable a system-assigned managed identity with an Azure Resource Manager template. See here.
Step 1
To enable a system-assigned managed identity, locate the Microsoft.Compute/virtualMachines resource of interest in the resources section and add the "identity" property at the same level as the "type": "Microsoft.Compute/virtualMachines" property. Use the following syntax:
"identity": {
"type": "SystemAssigned"
},
Step 2
When you're done, the following sections should be added to the resources section of your template, and it should resemble the following:
"resources": [
    {
        //other resource provider properties...
        "apiVersion": "2018-06-01",
        "type": "Microsoft.Compute/virtualMachines",
        "name": "[variables('vmName')]",
        "location": "[resourceGroup().location]",
        "identity": {
            "type": "SystemAssigned"
        }
    },
    //The following appears only if you provisioned the optional VM extension (to be deprecated)
    {
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "name": "[concat(variables('vmName'),'/ManagedIdentityExtensionForWindows')]",
        "apiVersion": "2018-06-01",
        "location": "[resourceGroup().location]",
        "dependsOn": [
            "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
        ],
        "properties": {
            "publisher": "Microsoft.ManagedIdentity",
            "type": "ManagedIdentityExtensionForWindows",
            "typeHandlerVersion": "1.0",
            "autoUpgradeMinorVersion": true,
            "settings": {
                "port": 50342
            }
        }
    }
]
Step 3
Grant it "Storage Blob Data Contributor" role access to the resource group it was created in.
Under the parameters section add the following:
"builtInRoleType": {
    "type": "string",
    "defaultValue": "StorageBlobDataContributor"
},
"rbacGuid": {
    "type": "string"
}
Under the variables section add the following:
"StorageBlobDataContributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]"
Under the resources section add the following:
{
    "apiVersion": "2017-09-01",
    "type": "Microsoft.Authorization/roleAssignments",
    "name": "[parameters('rbacGuid')]",
    "properties": {
        "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
        "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines', parameters('vmName')), '2017-12-01', 'Full').identity.principalId]",
        "scope": "[resourceGroup().id]"
    },
    "dependsOn": [
        "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]"
    ]
}
To grant the identity an RBAC role scoped to a specific storage account, see this answer.
{
    "apiVersion": "2018-01-01-preview",
    "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
    "name": "[concat(variables('storageAccountName'), '/Microsoft.Authorization/', parameters('rbacGuid'))]",
    "properties": {
        "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
        "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines', parameters('vmName')), '2017-12-01', 'Full').identity.principalId]"
    },
    "dependsOn": [
        "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]"
    ]
}
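The answer above shows the identity and the role assignment but leaves the ordering problem from the question open: the Custom Script Extension that runs `azcopy login --identity` is also a resource in the same template, and it must not execute until the role assignment exists. The following is an added example, not the answer's template and not Microsoft's code. It builds a minimal template in Python in which the extension carries a `dependsOn` edge to the role assignment, the assignment is scoped to the storage account rather than the resource group, and its name is a deterministic `guid()` so redeployments are idempotent. It then checks the `dependsOn` graph offline. The VM name `myvm`, storage account `mystorage`, the extension command (azcopy assumed to be at `C:\azcopy\azcopy.exe`), and the API versions are assumptions chosen for illustration; only the role definition GUID is taken from the answer.

```python
"""Build an ARM template for the VM + azcopy scenario and check its dependsOn graph.

Added example, not the answer's template. Names, command and API versions are
placeholders; the role definition GUID is the built-in Storage Blob Data
Contributor quoted in the answer.
"""
import json
from collections import deque

STORAGE_BLOB_DATA_CONTRIBUTOR = "ba92f5b4-2d11-453d-a403-e96b0029c9fe"


def build_template(vm_name="myvm", storage_account_name="mystorage"):
    """Return an ARM template whose Custom Script Extension depends on the role assignment."""
    sa_id = f"resourceId('Microsoft.Storage/storageAccounts', '{storage_account_name}')"
    vm_id = f"resourceId('Microsoft.Compute/virtualMachines', '{vm_name}')"
    # Deterministic name: a redeploy re-uses the same assignment instead of
    # failing because a fresh GUID collides with the existing one.
    ra_name = f"guid({sa_id}, '{vm_name}', '{STORAGE_BLOB_DATA_CONTRIBUTOR}')"

    storage = {
        "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2023-01-01",
        "name": storage_account_name, "location": "[resourceGroup().location]",
        "sku": {"name": "Standard_LRS"}, "kind": "StorageV2",
    }
    vm = {
        "type": "Microsoft.Compute/virtualMachines", "apiVersion": "2023-03-01",
        "name": vm_name, "location": "[resourceGroup().location]",
        "identity": {"type": "SystemAssigned"},
        "properties": {},  # hardware/OS/network profiles omitted in this example
    }
    role_assignment = {
        "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01",
        "name": f"[{ra_name}]",
        "scope": f"[{sa_id}]",  # least privilege: one storage account, not the resource group
        "properties": {
            "roleDefinitionId": f"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '{STORAGE_BLOB_DATA_CONTRIBUTOR}')]",
            "principalId": f"[reference({vm_id}, '2023-03-01', 'Full').identity.principalId]",
            "principalType": "ServicePrincipal",  # lets ARM accept a just-created identity
        },
        "dependsOn": [f"[{vm_id}]", f"[{sa_id}]"],
    }
    extension = {
        "type": "Microsoft.Compute/virtualMachines/extensions", "apiVersion": "2023-03-01",
        "name": f"{vm_name}/azcopy-sync", "location": "[resourceGroup().location]",
        "properties": {
            "publisher": "Microsoft.Compute", "type": "CustomScriptExtension",
            "typeHandlerVersion": "1.10", "autoUpgradeMinorVersion": True,
            "settings": {  # placeholder command; assumes azcopy.exe is already on the VM
                "commandToExecute": "C:\\azcopy\\azcopy.exe login --identity && "
                f"C:\\azcopy\\azcopy.exe copy https://{storage_account_name}.blob.core.windows.net/software "
                "C:\\Temp --recursive"
            },
        },
        # The edge that answers the question: the script cannot run before the role exists.
        "dependsOn": [f"[extensionResourceId({sa_id}, 'Microsoft.Authorization/roleAssignments', {ra_name})]"],
    }
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [storage, vm, role_assignment, extension],
    }


def _unbracket(value):
    """'[expr]' -> expr ; literal name -> 'name' (quoted ARM string)."""
    return value[1:-1] if value.startswith("[") else f"'{value}'"


def resource_id_expr(res):
    """The dependsOn expression other resources use to refer to `res` (literal or expression names)."""
    name = res["name"]
    args = _unbracket(name) if name.startswith("[") else ", ".join(f"'{s}'" for s in name.split("/"))
    if "scope" in res:  # extension resource such as a role assignment
        return f"[extensionResourceId({_unbracket(res['scope'])}, '{res['type']}', {args})]"
    return f"[resourceId('{res['type']}', {args})]"


def deployment_order(template):
    """Topologically sort resources by dependsOn; raise on unknown targets or cycles."""
    by_id = {resource_id_expr(r): r for r in template["resources"]}
    indeg = {k: 0 for k in by_id}
    adj = {k: [] for k in by_id}
    for key, res in by_id.items():
        for dep in res.get("dependsOn", []):
            if dep not in by_id:
                raise ValueError(f"{res['type']} depends on unknown resource {dep}")
            adj[dep].append(key)
            indeg[key] += 1
    queue, order = deque(k for k, d in indeg.items() if d == 0), []
    while queue:
        key = queue.popleft()
        order.append(key)
        for nxt in adj[key]:
            indeg[nxt] -= 1
            if indeg[nxt] == 0:
                queue.append(nxt)
    if len(order) != len(by_id):
        raise ValueError("dependsOn cycle in template")
    return [by_id[k]["type"] for k in order]


if __name__ == "__main__":
    template = build_template()
    print(deployment_order(template))
    print(json.dumps(template, indent=2))
```

Even with the `dependsOn` edge in place, the assignment is written to Azure RBAC before it is visible to the storage data plane, so `azcopy login --identity` followed immediately by `azcopy copy` can still get a 403 for a short while after deployment; a retry loop around the copy in the script is the practical fix. Scoping the assignment to the storage account, as here, is tighter than the resource-group scope in Step 3 of the answer.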