Azure ARM Template, assign multiple roles to managed identity in Automation Account
I am trying to build an ARM template that creates an Automation Account with a system-assigned managed identity and, in the same template, adds subscription-level role assignments to that managed identity. The code I am using is:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "AutomationAccountName": {
      "type": "string",
      "metadata": {
        "description": "Automation account name"
      }
    },
    "AutomationAccountProductTag": {
      "type": "string",
      "metadata": {
        "description": "Automation account Product tag"
      }
    },
    "AutomationAccountOwnerTag": {
      "type": "string",
      "metadata": {
        "description": "Automation account Owner tag"
      }
    },
    "WindowsRunbookName": {
      "type": "string",
      "metadata": {
        "description": "Runbook name for Windows instances"
      }
    },
    "RolesToAssignForMangedIdentity": {
      "type": "array",
      "defaultValue": [
        {
          "name": "StorageQueueDataContributor",
          "role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]"
        },
        {
          "name": "Contributor",
          "role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"
        },
        {
          "name": "StorageBlobDataContributor",
          "role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]"
        },
        {
          "name": "VirtualMachineContributor",
          "role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]"
        }
      ]
    }
  },
  "variables": {
    "WindowsRunbookURL": "https://infraawsssmagentinstall.blob.core.windows.net/awsssmagentfiles/Runbook_install_ssm_windows.ps1",
    "LinuxRunbookURL": "",
    "RunbookRuntime": "5.1"
  },
  "resources": [
    // create automation account //
    {
      "type": "Microsoft.Automation/automationAccounts",
      "apiVersion": "2021-06-22",
      "name": "[parameters('AutomationAccountName')]",
      "location": "[resourceGroup().location]",
      "tags": {
        "Product": "[parameters('AutomationAccountProductTag')]",
        "Owner": "[parameters('AutomationAccountOwnerTag')]"
      },
      "identity": {
        "type": "SystemAssigned"
      },
      "properties": {
        "sku": {
          "name": "Basic"
        }
      }
    },
    // assign roles to the managed identity created with the automation account //
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2021-04-01",
      "name": "[concat(parameters('RolesToAssignForMangedIdentity')[copyIndex()].name, '_', guid(parameters('RolesToAssignForMangedIdentity')[copyIndex()].name))]",
      "copy": {
        "name": "RolesCopy",
        "count": "[length(parameters('RolesToAssignForMangedIdentity'))]"
      },
      "properties": {
        "mode": "Incremental",
        "expressionEvaluationOptions": {
          "scope": "outer"
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "type": "Microsoft.Automation/automationAccounts/providers/roleAssignments",
              "apiVersion": "2021-04-01-preview",
              "name": "[concat(parameters('AutomationAccountName'), '/Microsoft.Authorization/', guid(parameters('RolesToAssignForMangedIdentity')[copyIndex()].name))]",
              "properties": {
                "roleDefinitionId": "[parameters('RolesToAssignForMangedIdentity')[copyIndex()].role]",
                "principalId": "[reference(resourceId('Microsoft.Automation/automationAccounts', parameters('AutomationAccountName')), '2021-06-22', 'full').identity.principalId]",
                "principalType": "ServicePrincipal"
              }
            }
          ]
        }
      }
    }
  ],
  "outputs": {}
}
It is adding the roles, but only on the automation account itself, as shown in the image below:
Whereas what I need is:
I tested your code in my environment and it gave me the same output, as shown below:
Solution:
You have to use "type": "Microsoft.Authorization/roleAssignments" instead of "type": "Microsoft.Automation/automationAccounts/providers/roleAssignments". Also, in the nested template, you have to add "subscriptionId": "yoursubID" and "location": "any location".
After making the above changes, your template will look like this:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "AutomationAccountName": {
      "type": "string",
      "metadata": {
        "description": "Automation account name"
      },
      "defaultValue": "ansumantestautomation"
    },
    "AutomationAccountProductTag": {
      "type": "string",
      "metadata": {
        "description": "Automation account Product tag"
      },
      "defaultValue": "Test"
    },
    "AutomationAccountOwnerTag": {
      "type": "string",
      "metadata": {
        "description": "Automation account Owner tag"
      },
      "defaultValue": "Ansuman"
    },
    "RolesToAssignForMangedIdentity": {
      "type": "array",
      "defaultValue": [
        {
          "name": "StorageQueueDataContributor",
          "role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]"
        },
        {
          "name": "Contributor",
          "role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"
        },
        {
          "name": "StorageBlobDataContributor",
          "role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]"
        },
        {
          "name": "VirtualMachineContributor",
          "role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]"
        }
      ]
    }
  },
  "resources": [
    // create automation account //
    {
      "type": "Microsoft.Automation/automationAccounts",
      "apiVersion": "2021-06-22",
      "name": "[parameters('AutomationAccountName')]",
      "location": "[resourceGroup().location]",
      "tags": {
        "Product": "[parameters('AutomationAccountProductTag')]",
        "Owner": "[parameters('AutomationAccountOwnerTag')]"
      },
      "identity": {
        "type": "SystemAssigned"
      },
      "properties": {
        "sku": {
          "name": "Basic"
        }
      }
    },
    // assign roles to the managed identity created with the automation account //
    // subscription-scoped nested deployment: needs subscriptionId and location //
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2021-04-01",
      "subscriptionId": "94xxx4068-xxxx-xxxx-xxxxx-e00a8xxxx59b",
      "location": "East US",
      "name": "[concat(parameters('RolesToAssignForMangedIdentity')[copyIndex()].name, '_', guid(parameters('RolesToAssignForMangedIdentity')[copyIndex()].name))]",
      "copy": {
        "name": "RolesCopy",
        "count": "[length(parameters('RolesToAssignForMangedIdentity'))]"
      },
      "dependsOn": [
        "[resourceId('Microsoft.Automation/automationAccounts', parameters('AutomationAccountName'))]"
      ],
      "properties": {
        "mode": "Incremental",
        "expressionEvaluationOptions": {
          "scope": "outer"
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "type": "Microsoft.Authorization/roleAssignments",
              "apiVersion": "2020-04-01-preview",
              "name": "[guid(parameters('RolesToAssignForMangedIdentity')[copyIndex()].name)]",
              "properties": {
                "roleDefinitionId": "[parameters('RolesToAssignForMangedIdentity')[copyIndex()].role]",
                "principalId": "[reference(resourceId('Microsoft.Automation/automationAccounts', parameters('AutomationAccountName')), '2021-06-22', 'full').identity.principalId]",
                "principalType": "ServicePrincipal"
              }
            }
          ]
        }
      }
    }
  ],
  "outputs": {}
}
Output:
Note: when using the above template you must provide the SubscriptionId rather than using [subscription().id], otherwise it will error while looking up the subscription.
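As an added check (example code, not from the question or the answer), the script below parses an ARM template, follows nested `Microsoft.Resources/deployments`, and reports the scope at which each role assignment will be created and which built-in role it grants. That is exactly the difference between the two templates above: a `.../automationAccounts/providers/roleAssignments` resource is an extension of the account and lands on the account, while a `Microsoft.Authorization/roleAssignments` resource inside a nested deployment that carries `subscriptionId` lands on the subscription. The two trimmed templates embedded in the script are constructed from the page's nested deployments with one role each; the subscription id in the second is a placeholder, and the Owner and User Access Administrator GUIDs are well-known built-in role ids that the page itself does not quote.

```python
"""Report where an ARM template's role assignments land and which role they grant.

Added example, not code from the question, the answer, or Azure itself.
"""
import json
import re

# Built-in role definition GUIDs. The first four are quoted on the page; Owner and
# User Access Administrator are the well-known built-in ids (not on the page).
ROLE_NAMES = {
    "974c5e8b-45b9-4653-ba55-5f855dd0fb88": "Storage Queue Data Contributor",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "ba92f5b4-2d11-453d-a403-e96b0029c9fe": "Storage Blob Data Contributor",
    "9980e02c-c2be-4d73-94e8-173b1dc7cf3c": "Virtual Machine Contributor",
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
}
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


def strip_comments(text):
    """Drop the '//' line comments ARM templates allow, but only outside JSON strings
    (so the '//' inside URLs such as the runbook blob URL survives)."""
    out, i, in_str = [], 0, False
    while i < len(text):
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < len(text):   # keep escaped char as-is
                i += 1
                out.append(text[i])
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):            # comment runs to end of line
            nl = text.find("\n", i)
            i = len(text) if nl < 0 else nl
            continue
        else:
            out.append(c)
        i += 1
    return "".join(out)


def _entry(res, scope):
    expr = res.get("properties", {}).get("roleDefinitionId", "")
    m = GUID_RE.search(expr)                      # GUID at the end of the roleDefinitions path
    guid = m.group(0).lower() if m else "?"
    return {"scope": scope, "role": ROLE_NAMES.get(guid, guid)}


def _walk(resources, scope, found):
    for r in resources:
        rtype = r.get("type", "")
        if rtype == "Microsoft.Resources/deployments":
            # A nested deployment with subscriptionId but no resourceGroup targets the subscription;
            # without either it inherits the outer deployment's scope.
            inner_scope = "subscription" if "subscriptionId" in r and "resourceGroup" not in r else scope
            _walk(r.get("properties", {}).get("template", {}).get("resources", []), inner_scope, found)
        elif rtype == "Microsoft.Authorization/roleAssignments":
            found.append(_entry(r, r.get("scope", scope)))   # explicit 'scope' wins if present
        elif rtype.endswith("/providers/roleAssignments"):
            # Extension resource: it is attached to the parent resource named in the type.
            found.append(_entry(r, "resource:" + rtype[: -len("/providers/roleAssignments")]))


def audit(template_text):
    """Return [{'scope': ..., 'role': ...}] for every role assignment in the template."""
    found = []
    _walk(json.loads(strip_comments(template_text)).get("resources", []), "resourceGroup", found)
    return found


def broad_subscription_grants(entries):
    """Entries that hand a broad built-in role to the identity at subscription scope."""
    return [e for e in entries if e["scope"] == "subscription" and e["role"] in BROAD_ROLES]


# Constructed, trimmed versions of the page's two nested deployments (one role each).
BEFORE = """{
  "variables": { "url": "https://example.invalid/runbook.ps1" },
  "resources": [
    // nested deployment without subscriptionId: role lands on the automation account
    { "type": "Microsoft.Resources/deployments", "properties": { "template": { "resources": [
        { "type": "Microsoft.Automation/automationAccounts/providers/roleAssignments",
          "properties": { "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]" } }
    ] } } }
  ]
}"""
AFTER = """{
  "resources": [
    { "type": "Microsoft.Resources/deployments", "subscriptionId": "00000000-0000-0000-0000-000000000000", "location": "East US",
      "properties": { "template": { "resources": [
        { "type": "Microsoft.Authorization/roleAssignments",
          "properties": { "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]" } }
    ] } } }
  ]
}"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        entries = audit(text)
        for e in entries:
            print(f"{label}: {e['role']} at {e['scope']}")
        print(f"{label}: broad subscription grants = {broad_subscription_grants(entries)}")
```

Point `audit()` at the full templates on the page and the first one reports every role as `resource:Microsoft.Automation/automationAccounts`, the second as `subscription`; `broad_subscription_grants()` then singles out the Contributor entry, which is the one worth reviewing against what the runbooks actually need before the template is deployed.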