How to add msi scope to another RG in azure using templates
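I have an MSI in RG 'x'. I am able to scope it to that RG.
The problem is that I also want to add the MSI's scope to another RG, 'xx', using the template. Below is my template snippet: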
{
  "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
  "name": "[variables('msi_name')]",
  "apiVersion": "2018-11-30",
  "location": "[resourceGroup().location]"
},
{
  "type": "Microsoft.Authorization/roleAssignments",
  "apiVersion": "2018-12-01-preview",
  "name": "[guid(resourceGroup().id)]",
  "dependsOn": [
    "vmsCopy",
    "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('msi_name'))]"
  ],
  "properties": {
    "roleDefinitionId": "[variables(parameters('roleType'))]",
    "principalId": "[reference(concat('Microsoft.ManagedIdentity/userAssignedIdentities/',variables('msi_name'))).principalId]",
    "scope": "[resourceGroup().id]"
  }
},
{
  "type": "Microsoft.Authorization/roleAssignments",
  "apiVersion": "2018-12-01-preview",
  "name": "[concat(guid(concat(resourceGroup().id),'_1'))]",
  "dependsOn": [
    "vmsCopy",
    "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('msi_name'))]"
  ],
  "properties": {
    "roleDefinitionId": "[variables(parameters('roleType'))]",
    "principalId": "[reference(concat('Microsoft.ManagedIdentity/userAssignedIdentities/',variables('msi_name'))).principalId]",
    "scope": "[concat('/subscriptions/',subscription().subscriptionId,'/resourcegroups/','xx')]"
  }
}
I get the following error every time -
/subscriptions//resourceGroups/xx' must match the scope specified on the URI '/subscriptions//resourcegroups/x'."
Both RGs are in the same subscription.
You need to wrap the second role assignment in a deployment to the other RG:
{
  "type": "Microsoft.Resources/deployments",
  "name": "subnet-role-assignment",
  "apiVersion": "2017-05-10",
  "resourceGroup": "second_rg_name",
  "dependsOn": [
    "vmsCopy",
    "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('msi_name'))]"
  ],
  "properties": {
    "mode": "Incremental",
    "expressionEvaluationOptions": {
      "scope": "inner"
    },
    "parameters": {
      "msiName": { "value": "[variables('msi_name')]" },
      "roleDefinitionId": { "value": "[variables(parameters('roleType'))]" }
    },
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "msiName": { "type": "string" },
        "roleDefinitionId": { "type": "string" }
      },
      "resources": [
        {
          "type": "Microsoft.Authorization/roleAssignments",
          "apiVersion": "2018-12-01-preview",
          "name": "[concat(guid(concat(resourceGroup().id),'_1'))]",
          "properties": {
            "roleDefinitionId": "[parameters('roleDefinitionId')]",
            "principalId": "[reference(resourceId('first_rg_name', 'Microsoft.ManagedIdentity/userAssignedIdentities', parameters('msiName')), '2018-11-30').principalId]",
            "scope": "[resourceGroup().id]"
          }
        }
      ]
    }
  }
}
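A pre-deployment check for the two mistakes this question and answer turn on, added here as an example and not part of the original post: a role assignment whose scope names a resource group explicitly, and a cross-RG nested deployment left at the default outer scope, where resourceGroup() still resolves to the parent RG. The function name lint, the rule labels and the sample template are assumptions made for illustration.

```python
ROLE = "microsoft.authorization/roleassignments"
NESTED = "microsoft.resources/deployments"

def lint(resources, cross_rg=False, inner=True, path="resources"):
    """Flag role assignments whose scope may not match the RG being deployed to."""
    findings = []
    for i, res in enumerate(resources):
        where = f"{path}[{i}]"
        rtype = res.get("type", "").lower()
        props = res.get("properties", {})
        if rtype == ROLE:
            scope = str(props.get("scope", "")).replace(" ", "").lower()
            if "/resourcegroups/" in scope:
                # Scope spells out an RG; it must equal the RG this deployment targets.
                findings.append((where, "explicit-rg-in-scope"))
            elif cross_rg and not inner and "resourcegroup()" in scope:
                # Outer scope: resourceGroup() is evaluated against the parent RG.
                findings.append((where, "resourcegroup()-evaluated-in-parent"))
        elif rtype == NESTED and isinstance(props.get("template"), dict):
            opts = props.get("expressionEvaluationOptions", {})
            findings += lint(
                props["template"].get("resources", []),
                cross_rg="resourceGroup" in res,
                inner=str(opts.get("scope", "outer")).lower() == "inner",
                path=f"{where}.properties.template.resources",
            )
    return findings

# Constructed sample: the question's two assignments, then two nested deployments
# into RG 'xx', one at the default outer scope and one with inner scope.
def _assignment(scope):
    return {"type": "Microsoft.Authorization/roleAssignments",
            "properties": {"scope": scope}}

def _nested(options):
    return {"type": "Microsoft.Resources/deployments", "resourceGroup": "xx",
            "properties": dict(options, template={
                "resources": [_assignment("[resourceGroup().id]")]})}

SAMPLE = {"resources": [
    _assignment("[resourceGroup().id]"),
    _assignment("[concat('/subscriptions/', subscription().subscriptionId, '/resourcegroups/', 'xx')]"),
    _nested({}),
    _nested({"expressionEvaluationOptions": {"scope": "inner"}}),
]}

if __name__ == "__main__":
    for where, rule in lint(SAMPLE["resources"]):
        print(f"{where}: {rule}")
```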