Azure Managed Application role assignment

Time: 2021-07-28 20:18:28

Tags: azure azure-rbac azure-managed-app

I need to grant Reader access to my managed application outside the application's resource group. The user deploying the application is Owner on the subscription, so the deployment should pass, but it currently fails because the resource deployment is performed as the Appliance Resource Provider rather than as the user. Is there a way to create role assignments using a managed application?

Snippet of mainTemplate.json (MSI creation + a nested template that attempts to create a role assignment at subscription scope):

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {...},
  "variables": {...},
  "resources": [
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "name": "[parameters('applicationName')]",
      "apiVersion": "2018-11-30",
      "location": "[parameters('location')]"
    },
...
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2019-10-01",
      "name": "[variables('name')]",
      "subscriptionId": "[subscription().subscriptionId]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('applicationName'))]"
      ],
      "properties": {
        "mode": "Incremental",
        "expressionEvaluationOptions": {
          "scope": "inner"
        },
        "parameters": {
          "principalId": {
            "value": "[reference(resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('applicationName'))).principalId]"
          }
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "principalId": {
              "type": "string"
            }
          },
          "variables": {},
          "resources": [
            // Role: Reader
            {
              "type": "Microsoft.Authorization/roleAssignments",
              "apiVersion": "2018-09-01-preview",
              "name": "[guid(parameters('principalId'), 'Subscription-Reader')]",
              "properties": {
                "principalId": "[parameters('principalId')]",
                "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7')]"
              }
            }
          ]
        }
      }
    }
  ]
}

Managed application deployment error:

{
    "status": "Failed",
    "error": {
        "code": "ApplianceDeploymentFailed",
        "message": "The operation to create appliance failed. Please check operations of deployment 'xxx' under resource group '/subscriptions/xxx/resourceGroups/mrg-xxx-20210727122758'. Error message: 'At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.'",
        "details": [
            {
                "code": "BadRequest",
                "message": "{\r\n  \"error\": {\r\n    \"code\": \"InvalidTemplateDeployment\",\r\n    \"message\": \"The template deployment failed with error: 'Authorization failed for template resource 'f8bc290b-5a10-5da9-a7c4-d2bd5b80cc2d' of type 'Microsoft.Authorization/roleAssignments'. The client '8b967430-badb-45ba-8d11-bca192994047' with object id '8b967430-badb-45ba-8d11-bca192994047' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/xxx/providers/Microsoft.Authorization/roleAssignments/f8bc290b-5a10-5da9-a7c4-d2bd5b80cc2d'.'.\"\r\n  }\r\n}"
            }
        ]
    }
}
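The error above nests the real authorization failure inside an escaped JSON string in `details[].message`. The following added helper (not part of the question or of Azure's tooling) unwraps that nesting and pulls out the failing principal, the action and the scope, then checks whether the scope lies inside the managed resource group named in the outer message; the sample payload is constructed from the error shown above.

```python
import json
import re

# Constructed sample in the shape of the ApplianceDeploymentFailed error above; the inner
# InvalidTemplateDeployment error is JSON-encoded into the "message" string, as Azure returns it.
SAMPLE_ERROR = {
    "status": "Failed",
    "error": {
        "code": "ApplianceDeploymentFailed",
        "message": "The operation to create appliance failed. Please check operations of deployment 'xxx' under resource group '/subscriptions/xxx/resourceGroups/mrg-xxx-20210727122758'. Error message: 'At least one resource deployment operation failed.'",
        "details": [{
            "code": "BadRequest",
            "message": json.dumps({"error": {
                "code": "InvalidTemplateDeployment",
                "message": "The template deployment failed with error: 'Authorization failed for template resource 'f8bc290b-5a10-5da9-a7c4-d2bd5b80cc2d' of type 'Microsoft.Authorization/roleAssignments'. The client '8b967430-badb-45ba-8d11-bca192994047' with object id '8b967430-badb-45ba-8d11-bca192994047' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/xxx/providers/Microsoft.Authorization/roleAssignments/f8bc290b-5a10-5da9-a7c4-d2bd5b80cc2d'.'.",
            }}),
        }],
    },
}

AUTHZ_RE = re.compile(
    r"The client '(?P<client>[^']+)' with object id '(?P<object_id>[^']+)' "
    r"does not have permission to perform action '(?P<action>[^']+)' at scope '(?P<scope>[^']+)'"
)
MRG_RE = re.compile(r"under resource group '(?P<mrg>[^']+)'")


def unwrap_inner_errors(error):
    """Yield every error object reachable via 'details', decoding messages that are JSON themselves."""
    stack = [error]
    while stack:
        err = stack.pop()
        yield err
        stack.extend(err.get("details", []))
        msg = err.get("message", "")
        if msg.lstrip().startswith("{"):  # nested error serialized into the message string
            try:
                inner = json.loads(msg)
            except ValueError:
                continue
            if isinstance(inner, dict) and isinstance(inner.get("error"), dict):
                stack.append(inner["error"])


def triage_authorization_failure(payload):
    """Return who lacked which action at which scope, and whether that scope is inside the managed RG."""
    top = payload["error"]
    mrg_match = MRG_RE.search(top.get("message", ""))
    managed_rg = mrg_match.group("mrg") if mrg_match else None
    for err in unwrap_inner_errors(top):
        m = AUTHZ_RE.search(err.get("message", ""))
        if not m:
            continue
        scope = m.group("scope")
        # Appliance Resource Provider only holds Owner on the managed RG; a scope outside it is expected to fail.
        inside = managed_rg is not None and scope.lower().startswith(managed_rg.lower() + "/")
        return {"object_id": m.group("object_id"), "action": m.group("action"), "scope": scope,
                "managed_resource_group": managed_rg, "scope_inside_managed_rg": inside}
    return None
```

Running `triage_authorization_failure(SAMPLE_ERROR)` on the sample reports the role-assignment write at subscription scope, outside the managed resource group, which is exactly the condition the answer below describes.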

1 answer:

Answer 0 (score: 0)

The Appliance Resource Provider principal is the principal that performs the deployment for managed applications. It only has Owner permissions on the managed resource group and has no other permissions outside that resource group in the customer tenant.

To achieve this scenario, the customer first needs to grant the managed application access to perform these role assignments. They can do this by adding an MSI on the managed application and granting that MSI permissions outside the managed resource group. When the Appliance Resource Provider principal performs the deployment, it will include whatever permissions the MSI on the managed application has during the deployment.

For details on how to include an MSI during managed application deployment, see: https://docs.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/publish-managed-identity#linking-existing-azure-resources