通过ARM模板将读取者角色分配给存储帐户时出现问题 [英] Getting issues while assigning reader role to storage account via ARM template

问题描述

我遇到以下错误创建角色分配'c ***************** 5'的请求无效.角色分配范围'/subscriptions/c ********************** 5/resourceGroups/MyResourceGroup/providers/Microsoft.Storage/storageAccounts/mystorageaccountname'必须与URI上指定的范围匹配.

I am facing following error "The request to create role assignment 'c*****************5' is not valid. Role assignment scope '/subscriptions/c**********************5/resourceGroups/MyResourceGroup/providers/Microsoft.Storage/storageAccounts/mystorageaccountname' must match the scope specified on the URI"

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "principalId": {
            "type": "string",
            "defaultValue": "My AD app ID",
            "metadata": {
                "description": "The principal to assign the role to"
            }
        },
        "builtInRoleType": {
            "type": "string",
            "defaultValue": "Reader",
            "allowedValues": [
                "Owner",
                "Contributor",
                "Reader"
            ],
            "metadata": {
                "description": "Built-in role to assign"
            }
        },
        "roleNameGuid": {
            "type": "string",
            "defaultValue": "random guid (i am getting this guid using following PS command "[System.Guid]::NewGuid().toString()")",
            "metadata": {
                "description": "A new GUID used to identify the role assignment"
            }
        }
    },
    "variables": {
        "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'this is my ownerid')]",
        "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'this is my contributor id')]",
        "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'this is my reader id')]",
        "scope": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/MyResourceGroup/providers/Microsoft.Storage/storageAccounts/', 'this is my storage account name')]"
    },
    "resources": [
        {
            "type": "Microsoft.Authorization/roleAssignments",
            "apiVersion": "2014-10-01-preview",
            "name": "[parameters('roleNameGuid')]",
            "properties": {
                "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
                "principalId": "[parameters('principalId')]",
                "scope": "[variables('scope')]"
            }
        }
    ]
}

推荐答案

这是在高于部署范围的范围内分配角色分配的常见问题.在您的情况下，部署是在资源组"级别上，而您正在尝试在订阅"级别(该级别比资源组"更高)上分配作用域.

This is a common problem for assigning a role assignment at a scope higher than the scope of the deployment. In your case the deployment is at the Resource Group level and you are trying to assign the scope at the Subscription level (which is higher level than Resource Group).

解决方案:您将需要使用嵌套模板部署.

Solution: You will need to use Nested Template deployment.

要查看示例，请检查此文档链接并在本文档中搜索在范围内分配角色"部分:

To view a sample, check this documentation link and search for section "Assign Role at Scope" in this documentation: Create resources at Subscription level

这篇关于通过ARM模板将读取者角色分配给存储帐户时出现问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！