How to add permission to builtin role in storage account using Azure Python SDK?

I have a storage account and I want to grant one of my App Services the "Storage Account Key Operator Service Role" on it, similar to the following in the Azure portal.

Any good workarounds are also welcome.

Here are some workarounds for you.

1. Use PowerShell; refer to this link.

New-AzureRmRoleAssignment -ObjectId <ObjectId> -RoleDefinitionName "Storage Account Key Operator Service Role" -Scope "<your storage account resourceID>"

2. Use Azure CLI; refer to this link.

az role assignment create --role "Storage Account Key Operator Service Role" --assignee-object-id "<object-id>" --scope "<your storage account resourceID>"

3. Use the REST API; refer to this link.

PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentName}?api-version=2015-07-01

4. Use an ARM template; refer to this link.

After spending so much time on this, I was able to authorize the App Service using Python. Here is the approach I followed.

The credentials you use should belong to a subscription owner, because a Contributor has no permission to change access.

Here are the Python packages that need to be installed

azure-mgmt-authorization==0.50.0
azure-graphrbac==0.51.0

Here is the code snippet

import os
import uuid

from msrestazure.azure_active_directory import ServicePrincipalCredentials
from azure.graphrbac import GraphRbacManagementClient
from azure.mgmt.authorization import AuthorizationManagementClient
# Request model for the 2015-07-01 API version used below (azure-mgmt-authorization 0.50.0)
from azure.mgmt.authorization.v2015_07_01.models import RoleAssignmentProperties

# config is any mapping holding the settings read below; the process environment is used here
config = os.environ

# Built-in role definition GUID of "Storage Account Key Operator Service Role"
STORAGE_KEY_OPERATOR_ROLE_ID = "81a9662b-bebf-436f-a333-f67b29880f12"

subscription_id = config['SUBSCRIPTION_ID']
# Token for Azure Resource Manager (the default resource)
credentials = ServicePrincipalCredentials(
    client_id=config['AZURE_CLIENT_ID'],
    secret=config['AZURE_CLIENT_SECRET'],
    tenant=config['AZURE_TENANT_ID']
)
# Token for Azure AD Graph: same service principal, different audience
graph_credentials = ServicePrincipalCredentials(
    client_id=config['AZURE_CLIENT_ID'],
    secret=config['AZURE_CLIENT_SECRET'],
    tenant=config['AZURE_TENANT_ID'],
    resource="https://graph.windows.net"
)


def storage_account_scope(resource_group_name, storage_name):
    # ARM resource ID of the storage account: the scope the role is assigned at
    return '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' % (
        subscription_id, resource_group_name, storage_name)


def get_object_id(full_app_name):
    # Look up the App Service's service principal (its identity) by display name
    gcli = GraphRbacManagementClient(graph_credentials, config['AZURE_TENANT_ID'])
    sp = gcli.service_principals.list(filter="displayName eq '%s'" % full_app_name)
    sp = next(sp, None)
    if sp:
        print("Found Service Principal %s" % sp.display_name)
        return sp.object_id
    raise Exception("Service Principal not found")


def delete_keylistrole_appservice(resource_group_name, storage_name, role_assignment_name):
    # Revoke an assignment by its name (the GUID returned by assign_keylistrole_appservice)
    scope = storage_account_scope(resource_group_name, storage_name)
    auth_cli = AuthorizationManagementClient(credentials, subscription_id, api_version="2015-07-01")
    auth_cli.role_assignments.delete(scope, role_assignment_name)
    print("%s App Service access revoked %s Storage account" % (role_assignment_name, storage_name))


def assign_keylistrole_appservice(resource_group_name, storage_name, app_service_name):
    scope = storage_account_scope(resource_group_name, storage_name)
    # Role assignment names must be GUIDs; a fresh one is minted per call
    role_assignment_name = str(uuid.uuid4())

    role_id = "/subscriptions/%s/providers/Microsoft.Authorization/roleDefinitions/%s" % (
        subscription_id, STORAGE_KEY_OPERATOR_ROLE_ID)
    principal_id = get_object_id(app_service_name)
    props = RoleAssignmentProperties(role_definition_id=role_id, principal_id=principal_id)

    auth_cli = AuthorizationManagementClient(credentials, subscription_id, api_version="2015-07-01")
    auth_cli.role_assignments.create(scope, role_assignment_name, properties=props)
    print("%s App Service authorized to access %s Storage account" % (app_service_name, storage_name))
    return role_assignment_name

Note that graph_credentials differ from credentials because they need resource="https://graph.windows.net".
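Two things both answers above leave to the reader, shown here as an added example that is not part of either answer: how to make the assignment safe to re-run (ARM answers a duplicate scope/role/principal triple with 409 RoleAssignmentExists, so the existing assignments are checked first, and a uuid5 name derived from those three values lets a later revoke step recompute the name instead of persisting the uuid4 the assign function returns), and how the same inputs map onto the raw PUT from the first answer. The SDK and REST calls themselves stay as shown above; this is pure Python that runs offline on constructed input. The helper names are mine, and `existing` is assumed to be the (scope, roleDefinitionId, principalId) triples the caller extracts from whatever role_assignments.list_for_scope(scope) returns. One related caveat: the displayName filter in get_object_id is not unique in Azure AD, so where you can, pass the App Service identity's object id in directly.

```python
import uuid

# Built-in role definition GUID of "Storage Account Key Operator Service Role",
# the same GUID the answer above hard-codes.
STORAGE_KEY_OPERATOR_ROLE = "81a9662b-bebf-436f-a333-f67b29880f12"

# Any fixed namespace works; it only has to stay constant between runs.
_ASSIGNMENT_NAMESPACE = uuid.NAMESPACE_URL


def storage_account_scope(subscription_id, resource_group, storage_account):
    """ARM resource ID of the storage account, the narrowest scope this role can be granted at."""
    return ("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s"
            % (subscription_id, resource_group, storage_account))


def role_definition_id(subscription_id, role_guid):
    """Fully qualified roleDefinitionId that ARM expects in the assignment body."""
    return "/subscriptions/%s/providers/Microsoft.Authorization/roleDefinitions/%s" % (subscription_id, role_guid)


def assignment_name(scope, role_def_id, principal_id):
    """Deterministic assignment GUID (uuid5 over scope, role and principal).

    Unlike uuid4, a later revoke step can recompute this name rather than
    having to persist what assign() returned. ARM resource IDs are
    case-insensitive, so the inputs are lowercased before hashing."""
    key = "|".join(s.lower() for s in (scope, role_def_id, principal_id))
    return str(uuid.uuid5(_ASSIGNMENT_NAMESPACE, key))


def already_assigned(existing, scope, role_def_id, principal_id):
    """True if an equivalent grant is already present.

    `existing` is an iterable of (scope, roleDefinitionId, principalId) triples
    extracted by the caller from role_assignments.list_for_scope(scope). That
    listing also includes assignments inherited from the resource group and
    subscription, hence the exact (case-insensitive) scope comparison."""
    want = (scope.lower(), role_def_id.lower(), principal_id.lower())
    return any(tuple(part.lower() for part in triple) == want for triple in existing)


def plan_assignment(existing, scope, role_def_id, principal_id):
    """Return None when nothing needs to be done, otherwise the (name, properties)
    pair for role_assignments.create(scope, name, properties=...). Skipping the
    create when the grant exists avoids the 409 RoleAssignmentExists that ARM
    returns for a duplicate scope/role/principal triple."""
    if already_assigned(existing, scope, role_def_id, principal_id):
        return None
    name = assignment_name(scope, role_def_id, principal_id)
    return name, {"roleDefinitionId": role_def_id, "principalId": principal_id}


def rest_put_request(scope, role_def_id, principal_id, api_version="2015-07-01"):
    """(url, json body) for the raw PUT from the first answer, for callers
    that skip the SDK and talk to ARM directly with the same inputs."""
    name = assignment_name(scope, role_def_id, principal_id)
    url = ("https://management.azure.com%s/providers/Microsoft.Authorization/roleAssignments/%s?api-version=%s"
           % (scope, name, api_version))
    body = {"properties": {"roleDefinitionId": role_def_id, "principalId": principal_id}}
    return url, body


if __name__ == "__main__":
    # Constructed sample: one subscription, one storage account, two principals.
    sub = "00000000-0000-0000-0000-000000000000"
    scope = storage_account_scope(sub, "my-rg", "mystorageacct")
    role = role_definition_id(sub, STORAGE_KEY_OPERATOR_ROLE)
    # Pretend list_for_scope already returned a grant for principal "aaaa..." (constructed data,
    # uppercased to exercise the case-insensitive comparison).
    existing = [(scope.upper(), role, "AAAAAAAA-0000-0000-0000-000000000000")]
    print(plan_assignment(existing, scope, role, "aaaaaaaa-0000-0000-0000-000000000000"))  # None: already granted
    print(plan_assignment(existing, scope, role, "bbbbbbbb-0000-0000-0000-000000000000"))  # (name, properties)
    print(rest_put_request(scope, role, "bbbbbbbb-0000-0000-0000-000000000000")[0])
```

In the 0.50.0 SDK the create call raises msrestazure.azure_exceptions.CloudError on a 409, so wrapping the create in a try/except for that type is the fallback if two runs race past the pre-check.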