Azure Managed Application role assignment


I need to grant my managed application Reader access outside the application's resource group. The user deploying the application is an Owner on the subscription, so the deployment should go through, but it currently fails because the resource deployment runs under the Appliance Resource Provider's identity rather than the user's. Is there a way to create role assignments with a managed application?

Snippet of mainTemplate.json (MSI creation plus a nested template that attempts to create a role assignment at subscription scope):

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {...},
  "variables": {...},
  "resources": [
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "name": "[parameters('applicationName')]",
      "apiVersion": "2018-11-30",
      "location": "[parameters('location')]"
    },
...
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2019-10-01",
      "name": "[variables('name')]",
      "subscriptionId": "[subscription().subscriptionId]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('applicationName'))]"
      ],
      "properties": {
        "mode": "Incremental",
        "expressionEvaluationOptions": {
          "scope": "inner"
        },
        "parameters": {
          "principalId": {
            "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('applicationName'))).principalId]"
          }
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "principalId": {
              "type": "string"
            }
          },
          "variables": {},
          "resources": [
            // Role: Reader
            {
              "type": "Microsoft.Authorization/roleAssignments",
              "apiVersion": "2018-09-01-preview",
              "name": "[guid(parameters('principalId'), 'Subscription-Reader')]",
              "properties": {
                "principalId": "[parameters('principalId')]",
                "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7')]"
              }
            }
          ]
        }
      }
    }
  ]
}

Managed application deployment error:

{
    "status": "Failed",
    "error": {
        "code": "ApplianceDeploymentFailed",
        "message": "The operation to create appliance failed. Please check operations of deployment 'xxx' under resource group '/subscriptions/xxx/resourceGroups/mrg-xxx-20210727122758'. Error message: 'At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.'",
        "details": [
            {
                "code": "BadRequest",
                "message": "{\r\n  \"error\": {\r\n    \"code\": \"InvalidTemplateDeployment\",\r\n    \"message\": \"The template deployment failed with error: 'Authorization failed for template resource 'f8bc290b-5a10-5da9-a7c4-d2bd5b80cc2d' of type 'Microsoft.Authorization/roleAssignments'. The client '8b967430-badb-45ba-8d11-bca192994047' with object id '8b967430-badb-45ba-8d11-bca192994047' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/xxx/providers/Microsoft.Authorization/roleAssignments/f8bc290b-5a10-5da9-a7c4-d2bd5b80cc2d'.'.\"\r\n  }\r\n}"
            }
        ]
    }
}

The Appliance Resource Principal is the resource principal that performs deployments on behalf of managed applications. It only has Owner permission on the managed resource group and has no other permissions in the customer's tenant outside that resource group.

To achieve this scenario, the customer first needs to grant the managed application the access required to perform those role assignments. They can do this by adding an MSI to the managed application and granting that MSI permissions outside the managed resource group. When the Appliance Resource Principal performs the deployment, it will include whatever permissions the MSI on the managed application holds during the deployment.

For details on how to include an MSI when deploying a managed application, see: https://docs.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/publish-managed-identity#linking-existing-azure-resources
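The consumer-side template below is an added example, not code from the question, the answer, or Microsoft's documentation. It shows the approach the answer describes in working form: the consumer (who is an Owner on the subscription) creates a user-assigned identity, grants it the right to write role assignments at subscription scope under their own identity, and then links that identity to the Microsoft.Solutions/applications resource so the Appliance Resource Principal inherits it during the publisher's mainTemplate deployment. The parameter names, the deployment name `grant-msi-role-assignment-rights`, and the use of the `identity` block with apiVersion 2019-07-01 on Microsoft.Solutions/applications are assumptions made for this illustration; the application definition ID and managed resource group ID are placeholders supplied at deploy time. The `//` comments are accepted by Azure Resource Manager, as in the question's own snippet.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "identityName": { "type": "string", "defaultValue": "managedapp-deployer-msi" },
    "applicationName": { "type": "string" },
    "applicationDefinitionId": {
      "type": "string",
      "metadata": { "description": "Placeholder: resource ID of the publisher's Microsoft.Solutions/applicationDefinitions" }
    },
    "managedResourceGroupId": {
      "type": "string",
      "metadata": { "description": "Placeholder: resource ID of the managed resource group, e.g. /subscriptions/<sub>/resourceGroups/mrg-<name>" }
    },
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" }
  },
  "variables": {
    "identityId": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]",
    // User Access Administrator: the built-in role that carries Microsoft.Authorization/roleAssignments/write
    "userAccessAdminRoleId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]"
  },
  "resources": [
    {
      // 1. The identity that will be attached to the managed application (assumed name).
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "apiVersion": "2018-11-30",
      "name": "[parameters('identityName')]",
      "location": "[parameters('location')]"
    },
    {
      // 2. Subscription-scope nested deployment that grants the MSI the right to write role assignments.
      //    This runs as the consumer (an Owner), so it succeeds where the appliance principal cannot.
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2019-10-01",
      "name": "grant-msi-role-assignment-rights",
      "subscriptionId": "[subscription().subscriptionId]",
      "location": "[parameters('location')]",
      "dependsOn": [ "[variables('identityId')]" ],
      "properties": {
        "mode": "Incremental",
        "expressionEvaluationOptions": { "scope": "inner" },
        "parameters": {
          "principalId": { "value": "[reference(variables('identityId')).principalId]" },
          "roleDefinitionId": { "value": "[variables('userAccessAdminRoleId')]" }
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "principalId": { "type": "string" },
            "roleDefinitionId": { "type": "string" }
          },
          "resources": [
            {
              "type": "Microsoft.Authorization/roleAssignments",
              "apiVersion": "2020-04-01-preview",
              // Deterministic name so re-deployments are idempotent rather than creating duplicates.
              "name": "[guid(subscription().id, parameters('principalId'), parameters('roleDefinitionId'))]",
              "properties": {
                "principalId": "[parameters('principalId')]",
                "roleDefinitionId": "[parameters('roleDefinitionId')]",
                // Declaring the type avoids transient failures while a freshly created identity replicates.
                "principalType": "ServicePrincipal"
              }
            }
          ]
        }
      }
    },
    {
      // 3. The managed application itself, with the MSI linked so the Appliance Resource Principal
      //    carries the MSI's permissions while deploying the publisher's mainTemplate.
      "type": "Microsoft.Solutions/applications",
      "apiVersion": "2019-07-01",
      "name": "[parameters('applicationName')]",
      "location": "[parameters('location')]",
      "kind": "ServiceCatalog",
      "identity": {
        "type": "UserAssigned",
        "userAssignedIdentities": { "[variables('identityId')]": {} }
      },
      "dependsOn": [ "grant-msi-role-assignment-rights" ],
      "properties": {
        "managedResourceGroupId": "[parameters('managedResourceGroupId')]",
        "applicationDefinitionId": "[parameters('applicationDefinitionId')]",
        "parameters": {}
      }
    }
  ]
}
```

With this in place, the publisher's mainTemplate no longer needs to create its own identity; the nested role assignment in the question succeeds because the appliance principal now carries the linked MSI's `Microsoft.Authorization/roleAssignments/write` permission. From a least-privilege standpoint, User Access Administrator at subscription scope is a broad grant: where the publisher only ever needs Reader on a specific resource group, assign the MSI a custom role limited to `roleAssignments/write` at that narrower scope instead, and review the resulting role assignments in the activity log after each deployment.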