Azure Automation - Unable to Remove-AzResourceLock


I am having a problem removing an Azure lock at the resource group level. I am doing it from an Azure Runbook.

My authentication is fine (I am able to Get any details I want). Here is the relevant code:

# Ensures you do not inherit an AzureRMContext in your runbook
Disable-AzContextAutosave -Scope Process
"Logging in to Azure..."
$connection = Get-AutomationConnection -Name AzureRunAsConnection
Connect-AzAccount -ServicePrincipal -Tenant $connection.TenantID -ApplicationId $connection.ApplicationID -CertificateThumbprint $connection.CertificateThumbprint

If I do, say, Get-AzResource -ResourceGroupName $RG, I get the information I need. The problem is that I actually need to delete some resources in that resource group, and it has a lock.

When I run Remove-AzResourceLock -LockId $getAzureLock.LockId -Force, I get this:

Remove-AzResourceLock : AuthorizationFailed : The client XX with object id XX does not have authorization to perform action 'Microsoft.Authorization/locks/delete' over scope '/subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.Authorization/locks/resourceDellock' or the scope is invalid. If access was recently granted, please refresh your credentials.

FYI, I have redacted the subscription/object ID information.

For the life of me, I cannot get around it. The application has been added as a Contributor at the subscription level from Access control (IAM).

I have tried a lot of things and I am too tired to write them all down, sorry. I have been reading and trying things for the last 4 hours, so please forgive me!

Please help me solve this.

According to the documentation, only the Owner and User Access Administrator built-in roles have permission to delete locks; the Contributor role does not.

Deletes the management lock of a resource or any level below the resource. To delete management locks, you must have access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. Of the built-in roles, only Owner and User Access Administrator are granted those actions.

So your solution is to grant the Owner/User Access Administrator role to your service principal, or to create a custom role and grant it the appropriate permissions for the Microsoft.Authorization/* actions.
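The custom-role option from the answer, as an added example (this is not the answerer's code and not part of the original thread). It is run once, interactively, by a user who already holds Owner or User Access Administrator on the subscription, and it grants the Run As service principal only Microsoft.Authorization/locks/* instead of full Owner. The subscription id, the application id and the role name "Lock Manager" are placeholders; the service principal object id is resolved from the application id the runbook already uses.

```powershell
# Added example (not from the original answer): give the Automation Run As
# service principal the least privilege needed to delete locks, without
# granting it Owner. Run from an interactive session as a user who already
# holds Owner or User Access Administrator on the subscription.
# The subscription id, application id and role name are placeholders.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$scope          = "/subscriptions/$subscriptionId"
$roleName       = "Lock Manager"                           # hypothetical custom role name
$appId          = "<application id of the Run As account>" # placeholder

# 1. Resolve the service principal's object id from its application id
#    (this is the "object id XX" quoted in the AuthorizationFailed error).
$sp = Get-AzADServicePrincipal -ApplicationId $appId

# 2. Show what it currently holds at this scope. A Contributor-only result
#    explains the error: Contributor lacks Microsoft.Authorization/locks/*.
Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope |
    Select-Object RoleDefinitionName, Scope

# 3. Create a custom role that carries only the lock actions. Cloning Reader
#    and clearing its fields is the documented way to build a PSRoleDefinition.
if (-not (Get-AzRoleDefinition -Name $roleName)) {
    $role = Get-AzRoleDefinition -Name "Reader"
    $role.Id          = $null
    $role.IsCustom    = $true
    $role.Name        = $roleName
    $role.Description = "Can create, read and delete management locks."
    $role.Actions.Clear()
    $role.Actions.Add("Microsoft.Authorization/locks/*")
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add($scope)
    New-AzRoleDefinition -Role $role
}

# 4. Assign it to the service principal at the subscription (or narrow the
#    scope to the resource group the runbook actually manages).
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope $scope

# 5. Verify the effective Microsoft.Authorization actions before re-running
#    the runbook; Microsoft.Authorization/locks/* should now be listed.
Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope |
    ForEach-Object { (Get-AzRoleDefinition -Name $_.RoleDefinitionName).Actions } |
    Where-Object { $_ -like "Microsoft.Authorization/*" }
```

Scoping the assignment to the single resource group the runbook manages is preferable to the subscription where that is possible, and a role that only carries locks/* is far narrower than Owner, which is what makes it the better fit for an unattended Run As identity. Note the tail of the error message in the question: a freshly granted assignment can take a few minutes to propagate, so the runbook should be re-run only after step 5 shows the new action.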