Assigning multiple Azure Functions roles to the same storage account in an ARM template

Time: 2021-03-26 15:49:40

Tags: azure azure-storage azure-resource-manager arm-template

I have been trying to update an ARM template that creates a resource stack on Azure.

I am trying to add the Functions as Reader and Data Access assignments on the storage account. Adding just one works, although even that took a while to get working. When I try to add more than one, my template does not even validate, because of this error: "code":"InvalidTemplate","message":"Deployment template validation failed: 'The resource 'Microsoft.Storage/storageAccounts/strgegitestv2qaeu/providers/Microsoft.Authorization/roleAssignments/3273386b-cde7-5e43-a242-a64d4ed23bee' at line '208' and column '9' is defined multiple times in a template. Please see https://aka.ms/arm-template/#resources for usage details.'.","additionalInfo":[{"type":"TemplateViolation","info":{"lineNumber":208,"linePosition":9,"path":"properties.template.resources[1]"}}]}

Now I believe I understand why this happens: I am basically calling the same roleAssignment multiple times, whereas what I think I should do is create a GUID for each Function's service identity and use those. The problem is that I am not sure exactly how to do that and cannot find enough information in the documentation or anywhere online. Here is a snippet of my ARM template:

    "variables": {
        "storageAccountName": "[concat('strg', variables('commonId'))]",
        "readeranddataaccess": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]",
        "servicekeyoperatorrole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]",
        "TestVariable": "[concat(variables('storageAccountName'),'/Microsoft.Authorization/',guid(subscription().subscriptionId))]"
    },

"resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2020-08-01-preview",
            "name": "[variables('storageAccountName')]",
            "location": "[variables('location')]",
            "sku": {
                "name": "Standard_RAGRS",
                "tier": "Standard"
            },
            "kind": "StorageV2",
            "properties": {
                "minimumTlsVersion": "TLS1_2",
                "allowBlobPublicAccess": true,
                "allowSharedKeyAccess": true,
                "networkAcls": {
                    "bypass": "AzureServices",
                    "virtualNetworkRules": [],
                    "ipRules": [],
                    "defaultAction": "Allow"
                },
                "supportsHttpsTrafficOnly": true,
                "encryption": {
                    "services": {
                        "file": {
                            "keyType": "Account",
                            "enabled": true
                        },
                        "blob": {
                            "keyType": "Account",
                            "enabled": true
                        }
                    },
                    "keySource": "Microsoft.Storage"
                },
                "accessTier": "Hot"
        },
        {
            "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
            "apiVersion": "2020-04-01-preview",
            "name": "[concat(variables('TestVariable'))]",
            "properties": {
                "roleDefinitionId": "[variables('readeranddataaccess')]",
                "principalId": "[reference(resourceId('Microsoft.Web/sites', variables('functionName1')), '2018-02-01', 'Full').identity.principalId]",
                "principalType": "ServicePrincipal"
            }
        },
        {
            "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
            "apiVersion": "2020-04-01-preview",
            "name": "[concat(variables('TestVariable'))]",
            "properties": {
                "roleDefinitionId": "[variables('readeranddataaccess')]",
                "principalId": "[reference(resourceId('Microsoft.Web/sites', variables('functionName2')), '2018-02-01', 'Full').identity.principalId]",
                "principalType": "ServicePrincipal"
            }
        },
        {
            "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
            "apiVersion": "2020-04-01-preview",
            "name": "[concat(variables('TestVariable'))]",
            "properties": {
                "roleDefinitionId": "[variables('readeranddataaccess')]",
                "principalId": "[reference(resourceId('Microsoft.Web/sites', variables('functionName3')), '2018-02-01', 'Full').identity.principalId]",
                "principalType": "ServicePrincipal"
            }
        },
        {
            "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
            "apiVersion": "2020-04-01-preview",
            "name": "[concat(variables('TestVariable'))]",
            "properties": {
                "roleDefinitionId": "[variables('readeranddataaccess')]",
                "principalId": "[reference(resourceId('Microsoft.Web/sites', variables('functionName4')), '2018-02-01', 'Full').identity.principalId]",
                "principalType": "ServicePrincipal"
            }
        }
    ]

If that is indeed the issue, how can I create a GUID for each of the system-managed identities of my Functions and use them as the "name" of my RoleAssignments?

1 answer:

Answer 0 (score: 0)

The name of your roleAssignment must be unique in the tenant, based on the principal, the role, and the scope of the assignment. In your case you could do the following:

guid(resourceId('Microsoft.Web/sites', variables('functionName1')), resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), variables('readeranddataaccess'))

Note that variables('functionName1') will match the principal, so use functionName1, functionName2, ... as needed for each roleAssignment.

Does that help?


OK, try this (it is relatively new and is intended to simplify the name-splitting problem):

"variables": {
    "raNameFunctionApp1": "[guid(resourceId('Microsoft.Web/sites', variables('functionName1')), resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), variables('readeranddataaccess'))]"
},
...
{
    "scope": "[concat('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]",
    "type": "Microsoft.Authorization/roleAssignments",
    "apiVersion": "2020-04-01-preview",
    "name": "[variables('raNameFunctionApp1')]",
    "properties": {
        "roleDefinitionId": "[variables('readeranddataaccess')]",
        "principalId": "[reference(resourceId('Microsoft.Web/sites', variables('functionName1')), '2018-02-01', 'Full').identity.principalId]",
        "principalType": "ServicePrincipal"
    }
},
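The approach in the answer, generalised to any number of function apps with a copy loop, as an added example that is not part of the original question or answer: one `Microsoft.Authorization/roleAssignments` resource per function app, scoped to the storage account, with a deterministic `guid()` built from principal, scope and role so redeployments are idempotent and no two assignments collide on name. The parameter names, the sample function app names and the assumption that the storage account and function apps already exist are mine (if they are created in the same template, add a `dependsOn` on them).

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": { "type": "string" },
    "functionAppNames": {
      "type": "array",
      "defaultValue": [ "func-app-1", "func-app-2", "func-app-3", "func-app-4" ]
    }
  },
  "variables": {
    "readerAndDataAccessRoleId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "scope": "[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",
      "copy": {
        "name": "functionRoleAssignments",
        "count": "[length(parameters('functionAppNames'))]"
      },
      "name": "[guid(resourceId('Microsoft.Web/sites', parameters('functionAppNames')[copyIndex()]), resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), variables('readerAndDataAccessRoleId'))]",
      "properties": {
        "roleDefinitionId": "[variables('readerAndDataAccessRoleId')]",
        "principalId": "[reference(resourceId('Microsoft.Web/sites', parameters('functionAppNames')[copyIndex()]), '2018-02-01', 'Full').identity.principalId]",
        "principalType": "ServicePrincipal"
      }
    }
  ]
}
```

Each function app must already have a system-assigned identity enabled, otherwise `identity.principalId` is absent and the deployment fails; keeping `principalType` set to `ServicePrincipal` avoids the replication race that can otherwise reject a freshly created identity.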