How do I create a role assignment for a website in an Azure resource manager deployment template?

I tried the obvious approach, using a nested resource:

{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2016-08-01",
      "name": "testapp",
      "location": "[resourceGroup().location]",
      "resources": [
        {
          "type": "Microsoft.Web/sites/providers/Microsoft.Authorization/roleassignments",
          "apiVersion": "2015-07-01",
          "name": "<guid>",
          "dependsOn": [
            "[resourceId('Microsoft.Web/sites/', 'testapp')]"
          ],
          "properties": {
            "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
            "principalId": "<guid>"
          }
        }
      ]
    }
  ]
}

But this didn't work - it created the role assignment, but at the resource group level rather than at the website level. (Is this a bug?)

If I try to specify the scope explicitly:

{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2016-08-01",
      "name": "testapp",
      "location": "[resourceGroup().location]",
      "resources": [
        {
          "type": "Microsoft.Web/sites/providers/Microsoft.Authorization/roleassignments",
          "apiVersion": "2015-07-01",
          "name": "<guid>",
          "dependsOn": [
            "[resourceId('Microsoft.Web/sites/', 'testapp')]"
          ],
          "properties": {
            "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
            "principalId": "<guid>",
            "scope": "[resourceId('Microsoft.Web/sites/', 'testapp')]"
          }
        }
      ]
    }
  ]
}

It fails, saying that the scope ID must match the URI of the resource.

I also tried a few options using non-nested resources, but none of them would go through. Is this not supported, or am I missing some valid syntax?

Found the answer here: https://www.henrybeen.nl/creating-an-authorization-rule-using-an-arm-template/

The scope tag does not work for an individual role assignment. The 'name' tag seems to do the scoping.

  "parameters": {
    "roleAssignmentsGuidFunctionsReader": {
      "type": "string",
      "defaultValue": "[newGuid()]"
    },
    "roleAssignmentsGuidFunctionsContributor": {
      "type": "string",
      "defaultValue": "[newGuid()]"
    }
  },
  "variables": {
    "uniqueId": "[substring(uniqueString(resourceGroup().id),9,4)]",
    "functionsName": "[concat('MyfuncApp','Functions',variables('uniqueId') )]",
    "readerRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
    "contributorRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"
  },
  "resources": [
    {
      "apiVersion": "2017-09-01",
      "type": "Microsoft.Web/sites/providers/roleAssignments",
      "name": "[concat(variables('functionsName'), '/Microsoft.Authorization/', parameters('roleAssignmentsGuidFunctionsContributor'))]",
      "properties": {
        "roleDefinitionId": "[variables('contributorRole')]",
        "principalId": "[ reference( resourceId('Microsoft.Web/sites', variables('functionsName') ), '2018-11-01', 'Full').identity.principalId]"
      },
      "dependsOn": [
        "[resourceId('Microsoft.Web/sites', variables('functionsName'))]"
      ]
    }
  ]
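
As an added example (not part of the original question or answer), this Python sketch shows why the three-segment `name` in the answer does the scoping: it interleaves the type and name segments into the resulting resource ID, then derives the scope from a role assignment ID so a resource-group-level assignment can be told apart from a site-level one. The subscription ID, resource group, site name and GUID are constructed sample values, and the function names are hypothetical.

```python
import re

def resource_id(sub, rg, rtype, name):
    """Interleave type and name segments the way ARM builds a resource ID."""
    namespace, *types = rtype.split("/")
    names = name.split("/")
    if len(types) != len(names):
        raise ValueError(f"{rtype!r} needs {len(types)} name segments, got {len(names)}")
    path = "".join(f"/{t}/{n}" for t, n in zip(types, names))
    return f"/subscriptions/{sub}/resourceGroups/{rg}/providers/{namespace}{path}"

_TAIL = re.compile(r"/providers/Microsoft\.Authorization/roleAssignments/[^/]+$", re.I)

def assignment_scope(assignment_id):
    """The scope is everything in front of the trailing roleAssignments segment."""
    m = _TAIL.search(assignment_id)
    if m is None:
        raise ValueError("not a role assignment ID")
    return assignment_id[:m.start()]

def scope_level(scope):
    """Classify a scope as subscription, resource group or single resource."""
    parts = [p.lower() for p in scope.strip("/").split("/")]
    if parts[0] != "subscriptions":
        return "other"
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resource group"
    return "resource" if "providers" in parts else "other"

# Constructed sample values, not taken from the page.
SUB = "00000000-0000-0000-0000-000000000000"
RG = "rg-demo"
SITE = "MyfuncAppFunctionsab12"
GUID = "11111111-1111-1111-1111-111111111111"

# Type/name pair in the answer's form: the site name leads the name.
SITE_SCOPED = resource_id(SUB, RG, "Microsoft.Web/sites/providers/roleAssignments",
                          f"{SITE}/Microsoft.Authorization/{GUID}")
# What the question observed: an assignment ID sitting directly under the group.
GROUP_SCOPED = resource_id(SUB, RG, "Microsoft.Authorization/roleAssignments", GUID)

if __name__ == "__main__":
    for rid in (SITE_SCOPED, GROUP_SCOPED):
        print(scope_level(assignment_scope(rid)), assignment_scope(rid))
```

After a deployment, the same two functions can be run over the `id` values returned by `az role assignment list` to confirm that the Contributor assignment landed on the site and not on the whole resource group.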