ARM Microsoft.Storage/storageAccounts/providers/roleAssignments RoleAssignmentUpdateNotPermitted error


Problem description

I'm deploying a template to a resource group that does the following (and more, but the rest isn't unusual):

  • Creates a storage account
  • Creates a Linux VM and configures it to have an MSI principal.
  • Gives the VM's MSI principal the "contributor" role on the storage account

What confuses me is how the resource name is handled. When I make the name with guid(<vm-name>) I can only deploy once.  I can deploy multiple times if I make it from the VM name and the resource group id.

The following snippet seems to work every time I deploy it. When I formed the name as a GUID based on the VM name I was able to deploy once, but after deleting the resource group and deploying a second time it failed with RoleAssignmentUpdateNotPermitted ("Tenant ID, application ID, principal ID, and scope are not allowed to be updated."). It seemed as if deleting the resource group didn't clean up the right stuff. I've got things working, but I'd like to understand where the role assignment lives such that its scope is outside the resource group.

<lines deleted>

"contributorRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
"contributorRoleGuid": "b24988ac-6180-42a0-ab88-20f7382dd24c",
"swarmManagerGuid": "[guid(concat(resourceGroup().id, variables('swarmManagerVmName')))]",

<lines deleted>

            "name": "[concat(variables('storageAccountName'), '/Microsoft.Authorization/', variables('swarmManagerGuid'))]",
            "apiVersion": "[variables('apiVersionAuthorization')]",
            "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
            "dependsOn": [
                "[concat('Microsoft.Compute/virtualMachines/', variables('swarmManagerVmName'))]"
            ],

            "properties": {
                "roleDefinitionId": "[variables('contributorRole')]",
                "principalId": "[reference(concat(resourceId('Microsoft.Compute/virtualMachines/', variables('swarmManagerVmName')),'/providers/Microsoft.ManagedIdentity/Identities/default'), variables('apiVersionManagedIdentity')).principalId]",
                "scope": "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
            }
        },

Recommended answer

Note: Role assignment updates are not permitted. Make sure you pass a unique GUID for every new role assignment.

Scope is the boundary that the access applies to. When you assign a role, you can further limit the actions allowed by defining a scope.

Contributor - Can create and manage all types of Azure resources but can’t grant access to others.

Scope at which the role assignment or definition applies to, e.g., /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

For more details, refer to "How RBAC works".
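The rule behind the error, as an added example that is not code from the question or from Azure: a small Python model of a roleAssignments PUT keyed by the assignment name. A re-deployed VM gets a system-assigned identity with a new principal ID, so a deterministic name that is reused while the earlier assignment still exists turns the PUT into an update of the principal, which is refused. The hypothetical arm_guid() uses uuid5 as a stand-in for ARM's deterministic guid() (the real algorithm is not modelled), and the tenant, subscription and scope values are constructed.

```python
import uuid
from dataclasses import dataclass


class RoleAssignmentUpdateNotPermitted(Exception):
    """Tenant ID, application ID, principal ID, and scope are not allowed to be updated."""


@dataclass(frozen=True)
class RoleAssignment:
    tenant_id: str
    principal_id: str
    role_definition_id: str
    scope: str

    def immutable_fields(self):
        # The fields the error message names as not updatable.
        return (self.tenant_id, self.principal_id, self.scope)


def arm_guid(*parts: str) -> str:
    """Deterministic GUID from its inputs. Assumption: uuid5 stands in for ARM's
    guid(); only the property 'same inputs give the same name' is modelled."""
    return str(uuid.uuid5(uuid.NAMESPACE_URL, "|".join(parts)))


class RoleAssignmentStore:
    """Minimal model of the roleAssignments provider: one entry per name (GUID)."""

    def __init__(self):
        self.assignments = {}

    def put(self, name: str, ra: RoleAssignment) -> str:
        existing = self.assignments.get(name)
        if existing is None:
            self.assignments[name] = ra
            return "Created"
        if existing.immutable_fields() != ra.immutable_fields():
            # Same name but a different principal or scope: this PUT is an update, refused.
            raise RoleAssignmentUpdateNotPermitted(name)
        return "Unchanged"  # an identical re-PUT is idempotent


CONTRIBUTOR = ("/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed subscription
               "/providers/Microsoft.Authorization/roleDefinitions/"
               "b24988ac-6180-42a0-ab88-20f7382dd24c")


def deploy(store: RoleAssignmentStore, name_seed, principal_id: str, scope: str) -> str:
    """One template deployment that names the assignment arm_guid(*name_seed)."""
    ra = RoleAssignment("tenant-constructed", principal_id, CONTRIBUTOR, scope)
    try:
        return store.put(arm_guid(*name_seed), ra)
    except RoleAssignmentUpdateNotPermitted:
        return "RoleAssignmentUpdateNotPermitted"
```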
