通过 ARM 模板将读者角色分配给存储帐户时出现问题 [英] Getting issues while assigning reader role to storage account via ARM template

问题描述

我遇到以下错误创建角色分配'c*****************5'的请求无效.角色分配范围'/subscriptions/c**********************5/resourceGroups/MyResourceGroup/providers/Microsoft.Storage/storageAccounts/mystorageaccountname' 必须匹配 URI 上指定的范围"

I am facing following error "The request to create role assignment 'c*****************5' is not valid. Role assignment scope '/subscriptions/c**********************5/resourceGroups/MyResourceGroup/providers/Microsoft.Storage/storageAccounts/mystorageaccountname' must match the scope specified on the URI"

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "principalId": {
            "type": "string",
            "defaultValue": "My AD app ID",
            "metadata": {
                "description": "The principal to assign the role to"
            }
        },
        "builtInRoleType": {
            "type": "string",
            "defaultValue": "Reader",
            "allowedValues": [
                "Owner",
                "Contributor",
                "Reader"
            ],
            "metadata": {
                "description": "Built-in role to assign"
            }
        },
        "roleNameGuid": {
            "type": "string",
            "defaultValue": "random guid (i am getting this guid using following PS command "[System.Guid]::NewGuid().toString()")",
            "metadata": {
                "description": "A new GUID used to identify the role assignment"
            }
        }
    },
    "variables": {
        "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'this is my ownerid')]",
        "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'this is my contributor id')]",
        "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'this is my reader id')]",
        "scope": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/MyResourceGroup/providers/Microsoft.Storage/storageAccounts/', 'this is my storage account name')]"
    },
    "resources": [
        {
            "type": "Microsoft.Authorization/roleAssignments",
            "apiVersion": "2014-10-01-preview",
            "name": "[parameters('roleNameGuid')]",
            "properties": {
                "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
                "principalId": "[parameters('principalId')]",
                "scope": "[variables('scope')]"
            }
        }
    ]
}

推荐答案

这是在高于部署范围的范围内分配角色的常见问题.在您的情况下，部署是在资源组级别，而您正尝试在订阅级别(比资源组更高的级别)分配范围.

This is a common problem for assigning a role assignment at a scope higher than the scope of the deployment. In your case the deployment is at the Resource Group level and you are trying to assign the scope at the Subscription level (which is higher level than Resource Group).

解决方案:您将需要使用嵌套模板部署.

Solution: You will need to use Nested Template deployment.

要查看示例，请查看此文档链接并在此文档中搜索在范围内分配角色"部分:在订阅级别创建资源

To view a sample, check this documentation link and search for section "Assign Role at Scope" in this documentation: Create resources at Subscription level

这篇关于通过 ARM 模板将读者角色分配给存储帐户时出现问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！