我可以通过ARM模板应用权限吗? [英] Can I apply permissions through an ARM template?

问题描述

在Azure中，如果我想通过RBAC授予对资源组的读取访问权限，我可以通过ARM模板来做到这一点吗?我知道可以通过VSTS构建步骤或PS脚本来实现，但是有没有办法通过ARM模板授予权限?

In Azure, if I want to give read-access for a resource group through RBAC, can I do that through an ARM template? I know it's possible through a VSTS build step or a PS script, but is there any way to give permissions through ARM templates?

推荐答案

否，这是不可能的，因为要应用权限的REST调用是这样的:

No, this is not posible due to the fact that REST call to apply permissions is something like this:

/subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/xxx

您还不能使用ARM模板复制订阅级别"的剩余调用.

You cannot replicate subscription "level" rest calls with an ARM template yet.

欢迎，与我所知道的一切相反，这有效:

Welp, contrary to everything I know, this works:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {},
    "resources": [
        {
            "type": "Microsoft.Authorization/roleAssignments",
            "name": "8446a13c-6886-46e2-a17f-9df73adb334e",
            "apiVersion": "2017-10-01-preview",
            "location": "[resourceGroup().location]",
            "properties": {
                "roleDefinitionId": "[concat(subscription().Id, '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c')]",
                "principalId": "user_guid_goes_here",
                "scope": "[resourceGroup().Id]"
            }
        }
    ]
}

这会将贡献者角色分配给用户，并向您在其中部署模板的资源组提供guid(principalId).分配其他角色将获得其guid并替换贡献者guid(b24988ac-6180-42a0-ab88-20f7382dd24c-知名guid).您还可以为特定资源分配权限.使用scope进行操作(将其更改为resourceId). Name必须是新的向导.

This assigns contributor role to the user with provided guid (principalId) to the resource group where you deploy the template. to assign other role get its guid and replace the contributor guid (b24988ac-6180-42a0-ab88-20f7382dd24c - well known guid). You can also assign permissions to specific resource. Use scope to do that (change it to resourceId). Name has to be a new guid.

我不知道为什么会这样，当我找出原因的时候我会尽快回复你.

I have no idea why this works, i will get back to you when i find out why it works.

这篇关于我可以通过ARM模板应用权限吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！