'Microsoft.Authorization/roleAssignments' 从不同资源组引用存储帐户的范围
'Microsoft.Authorization/roleAssignments' scope to refer Storage Account from different resource group
我正在使用 Azure ARM 模板创建 Azure SQL 服务器。 'auditingSettings' 配置需要 SQL 服务器对 Azure 存储帐户(不同资源组)的身份的许可。我正在使用下面的示例代码来授予权限。但是模板部署失败,说明在部署SQLServer的地方没有找到Storage账号,是的。
那么,如何 LINK(引用)'Microsoft.Authorization/roleAssignments'
范围下不同资源组中的存储帐户
模板截图:
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2020-04-01-preview",
"name": "[parameters('roleNameGuid')]",
**"scope": "[concat('Microsoft.Storage/storageAccounts', '/', variables('storageName'))]",**
"dependsOn": [
"[variables('storageName')]"
],
"properties": {
"roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
"principalId": "[parameters('principalId')]"
}
}
错误:
New-AzResourceGroupDeployment : 5:14:22 PM - Resource Microsoft.Authorization/roleAssignments 'cca0ed12-d67c-58cd-a569-e265bc2d5806' failed with message '{
"error": {
"code": "ResourceNotFound",
"message": "The Resource 'Microsoft.Storage/storageAccounts/commonsdev' under resource group 'apis-dev' was not found. For more details please go to
https://aka.ms/ARMResourceNotFoundFix"
}
}'
At line:1 char:1
+ New-AzResourceGroupDeployment `
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzResourceGroupDeployment], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet
New-AzResourceGroupDeployment : 5:20:00 PM - Resource Microsoft.Sql/servers/auditingSettings 'apis-sqlserver-dev/Default' failed with message '{
"status": "Failed",
"error": {
"code": "ResourceDeploymentFailure",
"message": "The resource operation completed with terminal provisioning state 'Failed'.",
"details": [
{
"code": "BlobAuditingInsufficientStorageAccountPermissions",
"message": "Insufficient read or write permissions on storage account 'commonsdev'. Add permissions to the server Identity to the storage account."
}
]
要在模板中执行角色分配,角色分配的范围必须等于或低于模板部署的范围。所以基本上,如果您想接触不同资源组中的资源,您需要部署模板来执行这些资源组。
如果模板的“主要”目的是 SQL,然后您想将角色分配为不同资源组中的存储范围 - 您需要将部署嵌套到该资源组,例如
{
"apiVersion": "2020-10-01",
"name": "assignRole",
"type": "Microsoft.Resources/deployments",
"resourceGroup": "[parameters('rgName')]",
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"scope": "[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",
"name": "[guid(parameters('roleNameGuid'))]",
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2017-05-01",
"properties": {
"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions/', parameters('roleDefinitionId'))]",
"principalId": "[parameters('principalId')]"
}
}
]
}
}
}
注意事项:
- Microsoft 上的资源组 属性。Resources/deployments 资源
- 角色分配(您拥有)的范围属性
- 您必须有权在该范围内分配角色 - 上面的第二条错误消息表明您没有(这当然是一个单独的问题
旁注,我没有“修复”你的代码,下面只是一个工作示例
有帮助吗?
我正在使用 Azure ARM 模板创建 Azure SQL 服务器。 'auditingSettings' 配置需要 SQL 服务器对 Azure 存储帐户(不同资源组)的身份的许可。我正在使用下面的示例代码来授予权限。但是模板部署失败,说明在部署SQLServer的地方没有找到Storage账号,是的。
那么,如何 LINK(引用)'Microsoft.Authorization/roleAssignments'
范围下不同资源组中的存储帐户模板截图:
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2020-04-01-preview",
"name": "[parameters('roleNameGuid')]",
**"scope": "[concat('Microsoft.Storage/storageAccounts', '/', variables('storageName'))]",**
"dependsOn": [
"[variables('storageName')]"
],
"properties": {
"roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
"principalId": "[parameters('principalId')]"
}
}
错误:
New-AzResourceGroupDeployment : 5:14:22 PM - Resource Microsoft.Authorization/roleAssignments 'cca0ed12-d67c-58cd-a569-e265bc2d5806' failed with message '{
"error": {
"code": "ResourceNotFound",
"message": "The Resource 'Microsoft.Storage/storageAccounts/commonsdev' under resource group 'apis-dev' was not found. For more details please go to
https://aka.ms/ARMResourceNotFoundFix"
}
}'
At line:1 char:1
+ New-AzResourceGroupDeployment `
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzResourceGroupDeployment], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet
New-AzResourceGroupDeployment : 5:20:00 PM - Resource Microsoft.Sql/servers/auditingSettings 'apis-sqlserver-dev/Default' failed with message '{
"status": "Failed",
"error": {
"code": "ResourceDeploymentFailure",
"message": "The resource operation completed with terminal provisioning state 'Failed'.",
"details": [
{
"code": "BlobAuditingInsufficientStorageAccountPermissions",
"message": "Insufficient read or write permissions on storage account 'commonsdev'. Add permissions to the server Identity to the storage account."
}
]
要在模板中执行角色分配,角色分配的范围必须等于或低于模板部署的范围。所以基本上,如果您想接触不同资源组中的资源,您需要部署模板来执行这些资源组。
如果模板的“主要”目的是 SQL,然后您想将角色分配为不同资源组中的存储范围 - 您需要将部署嵌套到该资源组,例如
{
"apiVersion": "2020-10-01",
"name": "assignRole",
"type": "Microsoft.Resources/deployments",
"resourceGroup": "[parameters('rgName')]",
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"scope": "[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",
"name": "[guid(parameters('roleNameGuid'))]",
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2017-05-01",
"properties": {
"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions/', parameters('roleDefinitionId'))]",
"principalId": "[parameters('principalId')]"
}
}
]
}
}
}
注意事项:
- Microsoft 上的资源组 属性。Resources/deployments 资源
- 角色分配(您拥有)的范围属性
- 您必须有权在该范围内分配角色 - 上面的第二条错误消息表明您没有(这当然是一个单独的问题
旁注,我没有“修复”你的代码,下面只是一个工作示例
有帮助吗?