通过ARM模板错误进行的RBAC分配带有InvalidCreateRoleAssignmentRequest [英] RBAC assignment via ARM template errors out with InvalidCreateRoleAssignmentRequest
问题描述
下面是我的模板以及一个没有意义的错误,因为 scope
似乎顺序正确,并且允许每个(
此外,如果要在容器级别分配角色,请参见 My template is below along with an error which does not make sense since Error is below If I try to assign a different way like below then different error is being thrown Error
If you want to assign a role to the service principal in the storage account level, try the template as below, it works fine on my side. Besides, if you want to assign the role in the Container level, see this link.
这篇关于通过ARM模板错误进行的RBAC分配带有InvalidCreateRoleAssignmentRequest的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!scope
seems to be in correct order and it's allowed to use this notation per (https://docs.microsoft.com/en-us/rest/api/authorization/roleassignments/create) {
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2017-05-01",
"name": "[ guid(resourceGroup().id, 'windowsserverstorage')]",
"dependsOn": ["[variables('storageaccountname')]"],
"properties": {
"roleDefinitionId": "[variables('Contributor')]",
"principalId": "063fe2f0-7448-48e4-8661-dbb4e9f85d39",
"scope": "/subscriptions/24ba3e4c-45e3-4d55-8132-6731ca25547f/resourceGroups/MyDemo/providers/Microsoft.Storage/storageAccounts/wkstorage2pzpd"
}
} ,
Resource Microsoft.Authorization/roleAssignments '1aed14fd-8f7c-5636-989b-7c134b353fcc' failed with message '{
"error": {
"code": "InvalidCreateRoleAssignmentRequest",
"message": "The request to create role assignment '1aed14fd-8f7c-5636-989b-7c134b353fcc' is not valid. Role assignment scope
'/subscriptions/24ba3e4c-45e3-4d55-8132-6731cf25547f/resourceGroups/myDemo/providers/Microsoft.Storage/storageAccounts/wkstorage2pzpd' must match the scope specified on the URI
'/subscriptions/24ba3e4c-45e3-4d55-8132-6731cf25547f/resourcegroups/myDemo'."
}
}'
{
"type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
"apiVersion": "2017-05-01",
"name": "[concat('wkstorage2pzpd/blobServices/default/networkadmins', '/Microsoft.Authorization/', guid(resourceGroup().id, '1231'))]",
"dependsOn": [
"[variables('storageaccountname')]"
],
"properties": {
"roleDefinitionId": "[variables('Contributor')]",
"principalId": "063fe2f0-7448-48e4-8661-dbb4e9f85d39"
}
},
The template resource
'wkstorage2pzpd/blobServices/default/Microsoft.Authorization/a4b69ebe-d58c-5309-9385-0a2e26d343a3' for type 'Microsoft.Storage/storageAccounts/providers/roleAssignments' at line '179' and column '9' has incorrect segment lengths.
A nested resource type must have identical number of segments as its resource name. A root resource type must have segment length one greater than its resource name. Please see https://aka.ms/arm-template/#resources for usage
details.'.
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"principalId": {
"type": "String",
"metadata": {
"description": "The principal to assign the role to"
}
},
"builtInRoleType": {
"allowedValues": [
"Owner",
"Contributor",
"Reader"
],
"type": "String",
"metadata": {
"description": "Built-in role to assign"
}
}
},
"variables": {
"Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
"Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
"Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
"TestVariable": "[concat('YourStorageAccountName','/Microsoft.Authorization/',guid(subscription().subscriptionId))]"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
"name": "[variables('TestVariable')]",
"apiVersion": "2017-05-01",
"properties": {
"roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
"principalId": "[parameters('principalId')]"
}
}
]
}
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments",
"apiVersion": "[variables('apiVersion')]",
"name": "STORAGEACCOUNTNAME/default/CONTAINERNAME/Microsoft.Authorization/NEW-GUID",
"properties": {
"roleDefinitionId": "[variables('StorageBlobDataContributor')]",
"principalId": "[parameters('principalId')]"
}
}