VSTS deployment fails with "Authorization failed for ... of type 'Microsoft.Storage/storageAccounts/providers/locks'"


Problem description

I'm deploying an ARM template with VSTS which contains a lock (in my case, a lock on a Storage Account for a Function App).

{
    "parameters": {
        "name": {
            "type": "string"
        },
        "storageName": {
            "type": "string"
        },
        "location": {
            "type": "string"
        }
    },
    "resources": [
        {
            "apiVersion": "2015-05-01-preview",
            "type": "Microsoft.Storage/storageAccounts",
            "name": "[parameters('storageName')]",
            "location": "[parameters('location')]",
            "properties": {
                "accountType": "Standard_LRS"
            },
            "resources": [
                {
                    "type": "Microsoft.Storage/storageAccounts/providers/locks",
                    "name": "[concat(parameters('storageName'), '/Microsoft.Authorization/', parameters('storageName'))]",
                    "apiVersion": "2015-01-01",
                    "dependsOn": [
                        "[concat('Microsoft.Storage/storageAccounts/', parameters('storageName'))]"
                    ],
                    "properties": {
                        "level": "CannotDelete",
                        "notes": "One or more function apps were linked to this storage account. You can see all the function apps linked to the account under 'files' or 'shares'."
                    }
                }
            ]
        },...

That just works fine when deploying from VS or from command line with my credentials. However when deploying from a VSTS release definition, the deployment fails with:

Resource Microsoft.Resources/deployments 'myFunctionApp' failed with message '{
  "error": {
    "code": "InvalidTemplateDeployment",
    "message": "The template deployment failed with error: 'Authorization failed for template resource 'myFunctionAppStorage/Microsoft.Authorization/myFunctionAppStorage' of type 'Microsoft.Storage/storageAccounts/providers/locks'. The client '***VSTS service principal Id***' with object id '***VSTS service principal Id***' does not have permission to perform action 'Microsoft.Authorization/locks/write' at scope '/subscriptions/*** subscription ***/resourceGroups/*** resource group ***/providers/Microsoft.Storage/storageAccounts/myFunctionAppStorage/providers/Microsoft.Authorization/locks/myFunctionAppStorage'.'."
  }
}

When I remove the Microsoft.Storage/storageAccounts/providers/locks section from the template, the VSTS deployment works. But then the storage account would bear no lock preventing a deletion.

Recommended answer

Contributor role - which is assigned when VSTS creates the Service Principal in the AAD connected to the Resource Groups Subscription - is not sufficient for placing the lock. Assign Owner and the lock can be placed with the VSTS deployment process.
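
Added example (not part of the original question or answer): a small Python model of how Azure RBAC evaluates a role's Actions and NotActions, applied to the action named in the error message above. The role definitions are abridged to the entries that matter here, and `LockOperator` is a hypothetical custom role assumed for illustration.

```python
from fnmatch import fnmatchcase

# Abridged role definitions (only the entries relevant to this error).
# "LockOperator" is a hypothetical custom role, not an Azure built-in.
ROLES = {
    "Contributor": {
        "actions": ["*"],
        "not_actions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Owner": {"actions": ["*"], "not_actions": []},
    "LockOperator": {
        "actions": ["Microsoft.Authorization/locks/*"],
        "not_actions": [],
    },
}


def _matches(pattern, action):
    # Action strings are compared case-insensitively; '*' is a wildcard.
    return fnmatchcase(action.lower(), pattern.lower())


def is_allowed(role_name, action):
    """Granted if the action matches Actions and no NotActions entry."""
    role = ROLES[role_name]
    granted = any(_matches(p, action) for p in role["actions"])
    excluded = any(_matches(p, action) for p in role["not_actions"])
    return granted and not excluded


def roles_allowing(action):
    """Names of the modelled roles that grant the given action."""
    return [name for name in ROLES if is_allowed(name, action)]


if __name__ == "__main__":
    # Action taken from the deployment error message on this page.
    needed = "Microsoft.Authorization/locks/write"
    for name in ROLES:
        verdict = "allowed" if is_allowed(name, needed) else "denied"
        print(f"{name}: {verdict}")
```

Owner passes the check but also carries role-assignment rights over the whole scope, so a role limited to `Microsoft.Authorization/locks/*` and assigned at the resource group is a narrower way to let the deployment principal place the lock.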
