使用 ARM 将 Azure RBAC 应用于资源 [英] Apply Azure RBAC to a resource using ARM

问题描述

有没有办法通过 ARM 在资源级别应用 RBAC 规则?我能够遵循this Microsoft guide 在资源组级别添加用户/角色，而不是在资源.特别是，我正在尝试通过 ARM 向 AppInsights 添加一个新的读者角色.但是，当我调整范围时，模板失败并显示此错误:

错误":{代码":InvalidCreateRoleAssignmentRequest"，消息":创建角色分配{guid}"的请求无效.角色分配范围/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/Microsoft.Insights/components/{resourceGroupName}"必须与 URI/subscriptions/{resourceGroupName}/resourcegroups/{resourceGroupName}"上指定的范围匹配."}

如果不能更改范围变量，我想知道它的用途是什么.是否还有其他地方我应该修改范围以使其正常工作?

提前致谢！

解决方案

关键是删除 scope 属性，而是使用 Microsoft 将角色分配嵌套在所需资源下.FooResource/BarSubType/providers/roleAssignments 作为类型，并使用以下格式作为名称:{resourceName}/Microsoft.Authorization/{uniqueRoleAssignmentGuid}.请注意，GUID 应该是稳定的，但对于此角色分配来说是唯一的，一个简单的选择是 guid(subscription().subscriptionId, 'some-sub-identifier-if-you-wish').>

以下模板向您展示了如何使用在同一模板中定义的用户分配的托管标识将 RBAC 应用于单个资源:

<代码>{"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion": "1.0.0.0",参数": {"storageAccountName": { "type": "string" },userAssignedIdentityName":{类型":字符串"}},变量":{"ContributorRoleDefinition": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",},资源": [{"type": "Microsoft.ManagedIdentity/userAssignedIdentities","name": "[参数('userAssignedIdentityName')]","location": "[resourceGroup().location]","apiVersion": "2018-11-30"},{"type": "Microsoft.Storage/storageAccounts","name": "[参数('storageAccountName')]","location": "[resourceGroup().location]","apiVersion": "2016-12-01","sku": { "name": "Standard_LRS" },"种类": "存储",资源": [{"type": "Microsoft.Storage/storageAccounts/providers/roleAssignments","apiVersion": "2017-05-01","name": "[concat(parameters('storageAccountName'), '/Microsoft.Authorization/', guid(subscription().subscriptionId, 'foo'))]",特性": {"roleDefinitionId": "[变量('ContributorRoleDefinition')]","principalId": "[reference(parameters('userAssignedIdentityName'), '2018-11-30').principalId]"},取决于": ["[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userAssignedIdentityName'))]"]}]}]}

来源:https://www.henrybeen.nl/creating-an-authorization-rule-using-an-arm-template/

Is there a way to apply RBAC rules at the resource level via ARM? I was able to follow this Microsoft guide to add a user/role at the resource group level, but not at the resource. In particular, I am trying to add a new reader role to AppInsights via ARM. However, when I adjust the scope, the template just fails with this error:

"error": {
"code": "InvalidCreateRoleAssignmentRequest",
"message": "The request to create role assignment '{guid}' is not valid. Role assignment scope '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/Microsoft.Insights/components/{resourceGroupName}' must match the scope specified on the URI  '/subscriptions/{resourceGroupName}/resourcegroups/{resourceGroupName}'."
  }

I am left wondering what the scope variable is for if it cannot be changed. Is there some other place I should be modifying the scope to get this working?

Thanks in advance!

解决方案

The key is to drop the scope property, and instead nest the role assignment under the desired resource by using Microsoft.FooResource/BarSubType/providers/roleAssignments as the type, and using the following format for the name: {resourceName}/Microsoft.Authorization/{uniqueRoleAssignmentGuid}. Note that the GUID should be stable but unique to this role assignment, one easy option is guid(subscription().subscriptionId, 'some-sub-identifier-if-you-wish').

Here is a template that shows you how to apply RBAC to a single resource, using a user-assigned managed identity defined in the same template:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": { 
      "storageAccountName": { "type": "string" },
      "userAssignedIdentityName": { "type": "string" }
  },
  "variables": {
    "ContributorRoleDefinition": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
  },
  "resources": [
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "name": "[parameters('userAssignedIdentityName')]",
      "location": "[resourceGroup().location]",
      "apiVersion": "2018-11-30"
    },
    {
      "type": "Microsoft.Storage/storageAccounts",
      "name": "[parameters('storageAccountName')]",
      "location": "[resourceGroup().location]",
      "apiVersion": "2016-12-01",
      "sku": { "name": "Standard_LRS" },
      "kind": "Storage",
      "resources": [
          {
              "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
              "apiVersion": "2017-05-01",
              "name": "[concat(parameters('storageAccountName'), '/Microsoft.Authorization/', guid(subscription().subscriptionId, 'foo'))]",
              "properties": {
                "roleDefinitionId": "[variables('ContributorRoleDefinition')]",
                "principalId": "[reference(parameters('userAssignedIdentityName'), '2018-11-30').principalId]"
              },
              "dependsOn": [
                  "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
                  "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userAssignedIdentityName'))]"
              ]
         }
      ]
    }
  ]
}

Source: https://www.henrybeen.nl/creating-an-authorization-rule-using-an-arm-template/

这篇关于使用 ARM 将 Azure RBAC 应用于资源的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！