Deployment of ARM: Authorization failed for template resource 'sql


Problem description

I try to deploy a SQL Server logical server with PS and ARM. I can successfully create a logical server in the portal with Contributor rights, but cannot figure out what is wrong here.

I have PowerShell ISE on Windows here.

The ARM template is from https://github.com/Azure/azure-quickstart-templates/tree/master/101-sql-logical-server/

# Code
Connect-AzAccount -Credential $Credential -Tenant $tenant -Subscription $subscription

#ARM Deployment
$templateFile = "C:\Azure\SQLServer\azuredeploy.json"

New-AzResourceGroupDeployment `
  -Name SQLDeployment `
  -ResourceGroupName my-rg `
  -TemplateFile $templateFile 

ERROR: New-AzResourceGroupDeployment : 17.35.18 - Error: Code=InvalidTemplateDeployment; Message=The template deployment failed with error: 'Authorization failed for template resource 'sqlvasvtmcp42o3wko/Microsoft.Authorization/11fd61df-2336-5b96-9b45-ffc7160df111' of type 'Microsoft.Storage/storageAccounts/providers/roleAssignments'. The client 'john.smith@mycompany.com' with object id '1115f3de-834b-4d28-a48f-ecaad01e3111' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/1111111 11111111111111/resourceGroups/my-rg/providers/Microsoft.Storage/storageAccounts/sqlvasvtmcp42o3wko/providers/Microsoft.Authorization/roleAssignments/11111df -2336-5b96-9b45-ffc7160df168'.'.

Recommended answer

I can successfully create a logical server in the portal with Contributor rights, but cannot figure out what is wrong here.

Because the template you used will enable Advanced data security for you, this will create a storage account and service principal for your SQL server, then assign the service principal to the storage account as a Storage Blob Data Contributor role automatically.

To do this operation, your user account needs to be the Owner or User Access Administrator in the resource group or subscription. Or you can also create a custom role which has Microsoft.Authorization/roleAssignments/write in its actions, then the role will also be able to do that.

So in conclusion, you have two options to fix the issue.

1. Navigate to the Resource group or Subscription in the portal -> Access control (IAM) -> Add -> add your user account as a role mentioned above e.g. Owner, then it will work fine. See details here.

2. When you deploy the template, specify the enableADS with false in the azuredeploy.parameters.json file. Then it will not enable the Advanced data security for you, and you will be able to create the SQL server with the Contributor via the template.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "serverName": {
            "value": "GEN-UNIQUE"
        },
        "administratorLogin": {
            "value": "GEN-UNIQUE"
        },
        "administratorLoginPassword": {
            "value": "GEN-PASSWORD"
        },
        "enableADS": {
            "value": "false"
        }
    }
}
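
Why the deployment is rejected under Contributor but not under Owner or User Access Administrator, as an added example that is not part of the original answer or the quickstart template. `Test-RoleAllowsAction` is a hypothetical helper, and the role definitions are constructed, abbreviated copies of the built-in roles; deny assignments and DataActions are not evaluated.

```powershell
# Hypothetical helper (not an Az cmdlet): a role grants an action when some
# Actions pattern matches it and no NotActions pattern does. Deny assignments
# and DataActions are out of scope here.
function Test-RoleAllowsAction {
    param(
        [Parameter(Mandatory)] [string]   $Action,
        [Parameter(Mandatory)] [object[]] $RoleDefinition
    )
    foreach ($role in $RoleDefinition) {
        # -like is case-insensitive and treats * as a wildcard, as RBAC does
        $granted  = @($role.Actions    | Where-Object { $Action -like $_ }).Count -gt 0
        $excluded = @($role.NotActions | Where-Object { $Action -like $_ }).Count -gt 0
        if ($granted -and -not $excluded) { return $true }
    }
    return $false
}

# Constructed, abbreviated copies of three built-in role definitions.
$sampleRoles = @(
    [pscustomobject]@{ Name = 'Contributor'; Actions = @('*')
        NotActions = @('Microsoft.Authorization/*/Delete',
                       'Microsoft.Authorization/*/Write',
                       'Microsoft.Authorization/elevateAccess/Action') }
    [pscustomobject]@{ Name = 'User Access Administrator'
        Actions    = @('*/read', 'Microsoft.Authorization/*', 'Microsoft.Support/*')
        NotActions = @() }
    [pscustomobject]@{ Name = 'Owner'; Actions = @('*'); NotActions = @() }
)

$needed = 'Microsoft.Authorization/roleAssignments/write'   # action from the error message
foreach ($role in $sampleRoles) {
    '{0,-26} -> {1}' -f $role.Name, (Test-RoleAllowsAction -Action $needed -RoleDefinition $role)
}

# Against a live tenant (needs Az.Resources and a signed-in session; the
# sign-in name is a placeholder):
# $roles = Get-AzRoleAssignment -SignInName 'user@example.com' -ResourceGroupName 'my-rg' |
#     ForEach-Object { Get-AzRoleDefinition -Name $_.RoleDefinitionName }
# Test-RoleAllowsAction -Action $needed -RoleDefinition $roles
```

Contributor matches `*` but is excluded by `Microsoft.Authorization/*/Write`, so it can create the server and storage account yet cannot write the role assignment the template adds when Advanced data security is enabled.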
