Bicep Template for Azure Automation Account. Azure Role assignment to Managed Identity problem

I have created a basic Bicep template to deploy an Azure Automation Account. It contains a Runbook with a PowerShell script and a linked schedule. So far, so good. The problem is assigning Azure roles (Owner, Contributor, Reader) to the managed identity of this AA. I have all the values I need but don't know how to put them together. To assign an Azure role through a Bicep template, you should get the principalId of the AA's managed identity, which is very simple:

resource autaccount 'Microsoft.Automation/automationAccounts@2021-06-22'
**************************************************************************
output AutAccountPrincipalId string = autaccount.identity.principalId

My idea was to pass the value of this output to a parameter or variable and then use it in the next resource block. It turns out I cannot pass an output as a parameter to the next resource block. Can someone help me? The question is: how do I use a value from one Bicep resource block in another resource block?

Here is the Bicep template that creates the Automation Account:

@description('Specifies the location for all resources.')
param location string = resourceGroup().location

var accountname = 'Snapshot'
var runbookname = 'CreateSnapshot'
var schedulename = 'SnapshotHourly'


resource autaccount 'Microsoft.Automation/automationAccounts@2021-06-22' = {
  name: accountname
  location: location
  tags: {
    test: 'true'
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    disableLocalAuth: false
    encryption: {
      identity: {
      }
      keySource: 'Microsoft.Automation'
    }
    publicNetworkAccess: false
    sku: {
      capacity: null
      family: null
      name: 'Basic'
    }
  }
}

resource runbook1 'Microsoft.Automation/automationAccounts/runbooks@2019-06-01' = {
  parent: autaccount
  name: runbookname
  location: location
  properties: {
    runbookType: 'PowerShell'
    logVerbose: false
    logProgress: false
    logActivityTrace: 0
    publishContentLink: {
      uri: 'https://raw.githubusercontent.com/................'
    }
  }
}

resource schedule1 'Microsoft.Automation/automationAccounts/schedules@2020-01-13-preview' = {
  parent: autaccount
  name: schedulename
  properties: {
    startTime: '23:30'
    expiryTime: ''
    interval: 1
    frequency: 'Hour'
    timeZone: 'Europe/Riga'
  }
}

resource link 'Microsoft.Automation/automationAccounts/jobSchedules@2020-01-13-preview' = {
  name: guid('xxx05')
  parent: autaccount
  dependsOn: [
    runbook1
  ]
  properties: {
    parameters: {}
    runbook: {
      name: runbookname
    }
    schedule: {
      name: schedulename
    }
  }
}

output AutAccountPrincipalId string = autaccount.identity.principalId

The last resource block, which actually assigns the Azure role to the MI, is as follows:

@description('The principal to assign the role to')
param principalId string = 'abc897c3-ac9a-42e6-bc3f-xxxxxxxxxxxx'

// Decorators are commented out together with the param they belong to:
// a decorator with no declaration after it attaches to the next param and fails to compile.
//@description('Built-in role to assign')
//@allowed([
//  'Owner'
//  'Contributor'
//  'Reader'
//])
//param builtInRoleType string = 'Owner'

@description('A new GUID used to identify the role assignment')
param roleNameGuid string = newGuid()

var Owner = '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
//var Contributor = '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
//var Reader = '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7'

resource roleassignment 'Microsoft.Authorization/roleAssignments@2020-08-01-preview' = {
  name: roleNameGuid
  properties: {
    principalId: principalId
    roleDefinitionId: Owner
  }
}

I got the principalId value manually from the Portal, but for automation it needs to be passed from the block above, from the output above, or in some other way. Can anyone help? Thanks in advance!

The updated code is:

@description('Specifies the location for all resources.')
param location string = resourceGroup().location

var accountname = 'SnapshotMgmtv11'
var runbookname = 'Create11'
var schedulename = 'SnapshotHourly11'


resource autaccount 'Microsoft.Automation/automationAccounts@2021-06-22' = {
  name: accountname
  location: location
  tags: {
    test: 'true'
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    disableLocalAuth: false
    encryption: {
      identity: {
      }
      keySource: 'Microsoft.Automation'
    }
    publicNetworkAccess: false
    sku: {
      capacity: null
      family: null
      name: 'Basic'
    }
  }
}

resource runbook1 'Microsoft.Automation/automationAccounts/runbooks@2019-06-01' = {
  parent: autaccount
  name: runbookname
  location: location
  properties: {
    runbookType: 'PowerShell'
    logVerbose: false
    logProgress: false
    logActivityTrace: 0
    publishContentLink: {
      uri: 'https://raw.githubusercontent.com/..................'
    }
  }
}

resource schedule1 'Microsoft.Automation/automationAccounts/schedules@2020-01-13-preview' = {
  parent: autaccount
  name: schedulename
  properties: {
    startTime: '08:30'
    expiryTime: ''
    interval: 1
    frequency: 'Hour'
    timeZone: 'Europe/Riga'
  }
}

resource link 'Microsoft.Automation/automationAccounts/jobSchedules@2020-01-13-preview' = {
  name: guid('riniv011')
  parent: autaccount
  dependsOn: [
    runbook1
  ]
  properties: {
    parameters: {}
    runbook: {
      name: runbookname
    }
    schedule: {
      name: schedulename
    }
  }
}


@description('A new GUID used to identify the role assignment')
param roleNameGuid string = newGuid()

//var Owner = '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
var Contributor = '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
//var Reader = '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7'

resource roleassignment 'Microsoft.Authorization/roleAssignments@2020-08-01-preview' = {
  name: roleNameGuid
  dependsOn: [
    autaccount
  ]
  properties: {
    principalId: autaccount.identity.principalId
    roleDefinitionId: Contributor
  }
}

If you are deploying the role assignment at resource group scope, then you can use something like the following:

I tested it by creating only the Automation Account and assigning the Owner role to the Automation Account's system-assigned identity in the resource group.

param location string = resourceGroup().location
var accountname = 'Snapshot'
resource autaccount 'Microsoft.Automation/automationAccounts@2021-06-22' = {
  name: accountname
  location: location
  tags: {
    test: 'true'
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    disableLocalAuth: false
    encryption: {
      identity: {
      }
      keySource: 'Microsoft.Automation'
    }
    publicNetworkAccess: false
    sku: {
      capacity: null
      family: null
      name: 'Basic'
    }
  }
}
param roleNameGuid string = guid('Owner')

var Owner = '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635'

resource roleassignment 'Microsoft.Authorization/roleAssignments@2020-08-01-preview' = {
  name: roleNameGuid
  properties: {
    principalId: autaccount.identity.principalId
    roleDefinitionId: Owner
    principalType:'ServicePrincipal'
  }
}

Output:

Update:

For the following error:

Please add principalType: 'ServicePrincipal' in the role assignment block, as I updated in the code above.
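The following is an added example (not code from the question or the answer above) that puts the answer's pattern into a form a practitioner would deploy: the role assignment references autaccount.identity.principalId directly (which also creates the dependency, so no dependsOn is needed), the assignment name is a deterministic guid() over scope, principal and role so that redeploying the template reuses the same assignment instead of failing on a duplicate name, principalType is set as the answer's update recommends, and the role is selected through the @allowed parameter the question had commented out. The parameter names, the accountName default, the Contributor default and the roleAssignments API version 2022-04-01 are assumptions; the three role definition GUIDs are the ones on this page.

```bicep
// Added example, not the question's or answer's code. Deploys at resource group scope.
targetScope = 'resourceGroup'

@description('Specifies the location for all resources.')
param location string = resourceGroup().location

@description('Name of the Automation Account (assumed value).')
param accountName string = 'Snapshot'

@description('Built-in role to grant the managed identity. Reader cannot create snapshots and Owner is broader than a runbook needs, so Contributor is the default here; a narrower custom role is preferable where one exists.')
@allowed([
  'Owner'
  'Contributor'
  'Reader'
])
param builtInRoleType string = 'Contributor'

// Built-in role definition GUIDs (the same IDs used in the question). subscriptionResourceId()
// builds the '/subscriptions/<id>/providers/Microsoft.Authorization/roleDefinitions/<guid>' path.
var roleDefinitionIds = {
  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
}

resource autaccount 'Microsoft.Automation/automationAccounts@2021-06-22' = {
  name: accountName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    publicNetworkAccess: false
    sku: {
      name: 'Basic'
    }
  }
}

// Extension resource with no explicit scope: it is applied to the deployment's resource group.
// Referencing autaccount.identity.principalId makes Bicep order the deployment correctly.
resource roleassignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // Stable name: the same (scope, principal, role) triple always yields the same GUID,
  // so re-running the deployment is idempotent. newGuid() would change on every run.
  name: guid(resourceGroup().id, autaccount.id, roleDefinitionIds[builtInRoleType])
  properties: {
    principalId: autaccount.identity.principalId
    roleDefinitionId: roleDefinitionIds[builtInRoleType]
    // Required for a freshly created identity: without it the deployment can fail with
    // PrincipalNotFound while the new service principal is still replicating.
    principalType: 'ServicePrincipal'
  }
}

output principalId string = autaccount.identity.principalId
output roleAssignmentId string = roleassignment.id
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep --parameters builtInRoleType=Contributor`, then confirm that exactly one assignment exists for the identity with `az role assignment list --assignee <principalId output> --resource-group <rg>`; re-running the deployment should leave that list unchanged.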