VSTS 部署失败 "Authorization failed for ... of type 'Microsoft.Storage/storageAccounts/providers/locks'"
VSTS deployment fails with "Authorization failed for ... of type 'Microsoft.Storage/storageAccounts/providers/locks'"
我正在部署一个带有 VSTS 的 ARM 模板,其中包含一个锁(在我的例子中是锁在函数应用程序的存储帐户上)
{
"parameters": {
"name": {
"type": "string"
},
"storageName": {
"type": "string"
},
"location": {
"type": "string"
}
},
"resources": [
{
"apiVersion": "2015-05-01-preview",
"type": "Microsoft.Storage/storageAccounts",
"name": "[parameters('storageName')]",
"location": "[parameters('location')]",
"properties": {
"accountType": "Standard_LRS"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts/providers/locks",
"name": "[concat(parameters('storageName'), '/Microsoft.Authorization/', parameters('storageName'))]",
"apiVersion": "2015-01-01",
"dependsOn": [
"[concat('Microsoft.Storage/storageAccounts/', parameters('storageName'))]"
],
"properties": {
"level": "CannotDelete",
"notes": "One or more function apps were linked to this storage account. You can see all the function apps linked to the account under 'files' or 'shares'."
}
}
]
},...
当使用我的凭据从 VS 或命令行部署时,它工作正常。
但是,从 VSTS 发布定义部署时,部署失败并显示:
Resource Microsoft.Resources/deployments 'myFunctionApp' failed with message '{
"error": {
"code": "InvalidTemplateDeployment",
"message": "The template deployment failed with error: 'Authorization failed for template resource 'myFunctionAppStorage/Microsoft.Authorization/myFunctionAppStorage' of type 'Microsoft.Storage/storageAccounts/providers/locks'. The client '***VSTS service principal Id***' with object id '***VSTS service principal Id***' does not have permission to perform action 'Microsoft.Authorization/locks/write' at scope '/subscriptions/*** subscription ***/resourceGroups/*** resource group ***/providers/Microsoft.Storage/storageAccounts/myFunctionAppStorage/providers/Microsoft.Authorization/locks/myFunctionAppStorage'.'."
}
}
当我从模板中删除 Microsoft.Storage/storageAccounts/providers/locks 部分时,VSTS 部署工作正常。但是这样存储帐户就不会受到阻止删除的锁定。
Contributor 角色 - 当 VSTS 在连接到资源组订阅的 AAD 中创建服务主体时分配 - 不足以放置锁。分配Owner,锁可以与VSTS部署过程一起放置。
我正在部署一个带有 VSTS 的 ARM 模板,其中包含一个锁(在我的例子中是锁在函数应用程序的存储帐户上)
{
"parameters": {
"name": {
"type": "string"
},
"storageName": {
"type": "string"
},
"location": {
"type": "string"
}
},
"resources": [
{
"apiVersion": "2015-05-01-preview",
"type": "Microsoft.Storage/storageAccounts",
"name": "[parameters('storageName')]",
"location": "[parameters('location')]",
"properties": {
"accountType": "Standard_LRS"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts/providers/locks",
"name": "[concat(parameters('storageName'), '/Microsoft.Authorization/', parameters('storageName'))]",
"apiVersion": "2015-01-01",
"dependsOn": [
"[concat('Microsoft.Storage/storageAccounts/', parameters('storageName'))]"
],
"properties": {
"level": "CannotDelete",
"notes": "One or more function apps were linked to this storage account. You can see all the function apps linked to the account under 'files' or 'shares'."
}
}
]
},...
当使用我的凭据从 VS 或命令行部署时,它工作正常。 但是,从 VSTS 发布定义部署时,部署失败并显示:
Resource Microsoft.Resources/deployments 'myFunctionApp' failed with message '{
"error": {
"code": "InvalidTemplateDeployment",
"message": "The template deployment failed with error: 'Authorization failed for template resource 'myFunctionAppStorage/Microsoft.Authorization/myFunctionAppStorage' of type 'Microsoft.Storage/storageAccounts/providers/locks'. The client '***VSTS service principal Id***' with object id '***VSTS service principal Id***' does not have permission to perform action 'Microsoft.Authorization/locks/write' at scope '/subscriptions/*** subscription ***/resourceGroups/*** resource group ***/providers/Microsoft.Storage/storageAccounts/myFunctionAppStorage/providers/Microsoft.Authorization/locks/myFunctionAppStorage'.'."
}
}
当我从模板中删除 Microsoft.Storage/storageAccounts/providers/locks 部分时,VSTS 部署工作正常。但是这样存储帐户就不会受到阻止删除的锁定。
Contributor 角色 - 当 VSTS 在连接到资源组订阅的 AAD 中创建服务主体时分配 - 不足以放置锁。分配Owner,锁可以与VSTS部署过程一起放置。