RBAC assignment via ARM template errors out with InvalidCreateRoleAssignmentRequest


Problem description

My template is below, along with an error which does not make sense, since the scope seems to be in the correct order and it's allowed to use this notation per (https://docs.microsoft.com/en-us/rest/api/authorization/roleassignments/create)

    {
        "type": "Microsoft.Authorization/roleAssignments",
        "apiVersion": "2017-05-01",
        "name": "[ guid(resourceGroup().id, 'windowsserverstorage')]",
        "dependsOn": ["[variables('storageaccountname')]"],
        "properties": {
            "roleDefinitionId": "[variables('Contributor')]",
            "principalId": "063fe2f0-7448-48e4-8661-dbb4e9f85d39",
            "scope": "/subscriptions/24ba3e4c-45e3-4d55-8132-6731ca25547f/resourceGroups/MyDemo/providers/Microsoft.Storage/storageAccounts/wkstorage2pzpd"
        }
    },

Error is below

Resource Microsoft.Authorization/roleAssignments '1aed14fd-8f7c-5636-989b-7c134b353fcc' failed with message '{
  "error": {
    "code": "InvalidCreateRoleAssignmentRequest",
    "message": "The request to create role assignment '1aed14fd-8f7c-5636-989b-7c134b353fcc' is not valid. Role assignment scope 
'/subscriptions/24ba3e4c-45e3-4d55-8132-6731cf25547f/resourceGroups/myDemo/providers/Microsoft.Storage/storageAccounts/wkstorage2pzpd' must match the scope specified on the URI 
'/subscriptions/24ba3e4c-45e3-4d55-8132-6731cf25547f/resourcegroups/myDemo'."
  }
}'

If I try to assign it a different way, like below, then a different error is thrown

{
    "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
    "apiVersion": "2017-05-01",
    "name": "[concat('wkstorage2pzpd/blobServices/default/networkadmins', '/Microsoft.Authorization/', guid(resourceGroup().id, '1231'))]",
    "dependsOn": [
        "[variables('storageaccountname')]"
    ],
    "properties": {
        "roleDefinitionId": "[variables('Contributor')]",
        "principalId": "063fe2f0-7448-48e4-8661-dbb4e9f85d39"
    }
},

Error

The template resource 
'wkstorage2pzpd/blobServices/default/Microsoft.Authorization/a4b69ebe-d58c-5309-9385-0a2e26d343a3' for type 'Microsoft.Storage/storageAccounts/providers/roleAssignments' at line '179' and column '9' has incorrect segment lengths. 
A nested resource type must have identical number of segments as its resource name. A root resource type must have segment length one greater than its resource name. Please see https://aka.ms/arm-template/#resources for usage 
details.'.

Solution

If you want to assign a role to the service principal at the storage account level, try the template below; it works fine on my side.

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "principalId": {
            "type": "String",
            "metadata": {
                "description": "The principal to assign the role to"
            }
        },
        "builtInRoleType": {
            "allowedValues": [
                "Owner",
                "Contributor",
                "Reader"
            ],
            "type": "String",
            "metadata": {
                "description": "Built-in role to assign"
            }
        }
    },
    "variables": {
        "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
        "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
        "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
        "TestVariable": "[concat('YourStorageAccountName','/Microsoft.Authorization/',guid(subscription().subscriptionId))]"
    },
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
            "name": "[variables('TestVariable')]",
            "apiVersion": "2017-05-01",
            "properties": {
                "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
                "principalId": "[parameters('principalId')]"
            }
        }
    ]
}

Besides, if you want to assign the role at the container level, see this link.

{
    "type": "Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments",
    "apiVersion": "[variables('apiVersion')]",
    "name": "STORAGEACCOUNTNAME/default/CONTAINERNAME/Microsoft.Authorization/NEW-GUID",
    "properties": {
        "roleDefinitionId": "[variables('StorageBlobDataContributor')]",
        "principalId": "[parameters('principalId')]"
    }
}
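The two errors in the question come from two different rules, and both can be checked before a deployment is submitted: the first error says an explicit `properties.scope` on a `Microsoft.Authorization/roleAssignments` resource must equal the scope the deployment itself runs at, and the second says a resource declared at the top level of `resources` must have a type with exactly one more `/`-separated segment than its name. The script below is an added example, not code from the question, the answer or Microsoft; it assumes the template expressions have already been resolved to literal strings, and the subscription id, principal id and resource names it uses are constructed samples. It goes slightly beyond the answer by also building the full resource ID that an extension-resource name implies, which works for the container-level form as well as the storage-account-level one.

```python
"""Pre-deployment linter for role-assignment resources in an ARM template.

Rules encoded (both quoted from the ARM error messages on this page):
1. Root-resource rule: len(type segments) == len(name segments) + 1.
2. An explicit properties.scope on Microsoft.Authorization/roleAssignments
   must equal the deployment scope; to target a child resource, use the
   '<namespace>/<type>/providers/roleAssignments' extension form instead.
"""
from typing import Dict, List

# Constructed deployment context (sample values, not the page's identifiers).
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP = "MyDemo"
DEPLOYMENT_SCOPE = f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/{RESOURCE_GROUP}"
CONTRIBUTOR_ROLE = (  # built-in Contributor role definition id from the answer
    f"/subscriptions/{SUBSCRIPTION_ID}/providers/Microsoft.Authorization/"
    "roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
)
PRINCIPAL_ID = "22222222-2222-2222-2222-222222222222"  # constructed sample
ASSIGNMENT_GUID = "11111111-1111-1111-1111-111111111111"  # constructed sample


def segment_check(resource_type: str, name: str) -> List[str]:
    """Apply the root-resource segment rule; return a list of problems."""
    type_len = len(resource_type.split("/"))
    name_len = len(name.split("/"))
    if type_len != name_len + 1:
        return [f"type has {type_len} segments but name has {name_len}; "
                "a root resource needs type segments = name segments + 1"]
    return []


def extension_resource_id(resource_type: str, name: str) -> str:
    """Build the full resource ID implied by an extension-resource name.

    Type segments after the namespace are interleaved with name segments:
    Microsoft.Storage/storageAccounts/providers/roleAssignments +
    acct/Microsoft.Authorization/<guid> ->
    <scope>/providers/Microsoft.Storage/storageAccounts/acct/providers/
    Microsoft.Authorization/roleAssignments/<guid>
    """
    if segment_check(resource_type, name):
        raise ValueError("segment lengths violate the root-resource rule")
    type_segments = resource_type.split("/")
    name_segments = name.split("/")
    parts = [DEPLOYMENT_SCOPE, "providers", type_segments[0]]
    for type_seg, name_seg in zip(type_segments[1:], name_segments):
        parts.extend([type_seg, name_seg])
    return "/".join(parts)


def lint_role_assignment(resource: Dict) -> List[str]:
    """Return every problem found with one role-assignment resource."""
    rtype, name = resource["type"], resource["name"]
    problems = segment_check(rtype, name)
    scope = resource.get("properties", {}).get("scope")
    if rtype == "Microsoft.Authorization/roleAssignments" and scope is not None:
        # ARM compared the scopes case-insensitively in the page's error text
        # (myDemo vs MyDemo, resourcegroups vs resourceGroups); do the same.
        if scope.rstrip("/").lower() != DEPLOYMENT_SCOPE.lower():
            problems.append(f"properties.scope '{scope}' must match the deployment "
                            f"scope '{DEPLOYMENT_SCOPE}'; use the extension form to "
                            "target a child resource")
    return problems


def lint_template(template: Dict) -> Dict[str, List[str]]:
    """Lint every role-assignment resource in a template; map name -> problems."""
    return {r["name"]: lint_role_assignment(r)
            for r in template.get("resources", [])
            if r["type"].endswith("roleAssignments")}


# Constructed samples mirroring the three shapes on this page (expressions resolved).
SAMPLES = {
    "explicit_scope": {  # first attempt in the question
        "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2017-05-01",
        "name": ASSIGNMENT_GUID,
        "properties": {"roleDefinitionId": CONTRIBUTOR_ROLE, "principalId": PRINCIPAL_ID,
                       "scope": f"{DEPLOYMENT_SCOPE}/providers/Microsoft.Storage/"
                                "storageAccounts/wkstorage2pzpd"}},
    "wrong_segments": {  # second attempt in the question
        "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
        "apiVersion": "2017-05-01",
        "name": f"wkstorage2pzpd/blobServices/default/networkadmins/Microsoft.Authorization/{ASSIGNMENT_GUID}",
        "properties": {"roleDefinitionId": CONTRIBUTOR_ROLE, "principalId": PRINCIPAL_ID}},
    "storage_account_scope": {  # the answer's working form
        "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
        "apiVersion": "2017-05-01",
        "name": f"wkstorage2pzpd/Microsoft.Authorization/{ASSIGNMENT_GUID}",
        "properties": {"roleDefinitionId": CONTRIBUTOR_ROLE, "principalId": PRINCIPAL_ID}},
}

if __name__ == "__main__":
    for label, resource in SAMPLES.items():
        print(label, lint_role_assignment(resource) or "OK")
    print(extension_resource_id(SAMPLES["storage_account_scope"]["type"],
                                SAMPLES["storage_account_scope"]["name"]))
```

Running the script flags the first two samples and passes the answer's form; the printed resource ID shows that the extension form scopes the assignment to the storage account purely through its name, which is why no `scope` property is needed and why the name segments must line up with the type.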
