Cannot add KeyVault Secret-scoped role assignment with Azure Bicep
I am deploying some things into the dev resource group. Some of them depend on a Key Vault secret stored in a different resource group, main. From main.bicep I call a role-assignment-secret.bicep module to deploy the role assignment:
param role string
param assignee string
param vaultName string
param secretName string
resource secret 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' existing = {
name: '${vaultName}/${secretName}'
scope: resourceGroup('main')
}
resource perm 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
name: guid(vaultName, secretName, assignee, role)
properties: {
principalId: assignee
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', role)
}
scope: secret
}
Now secret produces an error that says:
A resource's scope must match the scope of the Bicep file for it to be deployable. You must use modules to deploy resources to a different scope.bicep(BCP139)
I then refactored the module to include another module, adding role-assignment.bicep:
param role string
param assignee string
resource perm 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
name: guid(deployment().name, assignee, role)
properties: {
principalId: assignee
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', role)
}
}
which is then called by role-assignment-secret.bicep:
param role string
param assignee string
param vaultName string
param secretName string
resource secret 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' existing = {
name: '${vaultName}/${secretName}'
scope: resourceGroup('main')
}
module perm 'role-assignment.bicep' = {
name: guid(vaultName, secretName, assignee, role)
scope: secret
params: {
assignee: assignee
role: role
}
}
This produces the following error:
Scope "resource" is not valid for this module. Permitted scopes: "resourceGroup".bicep(BCP134)
Basically Bicep is telling me that I cannot assign a role on that particular secret, right? But I need to do that, and I can easily do it through the portal GUI. Using the resource group as the scope of the role assignment is too broad and would grant excessive permissions.
Oh well, I had an obvious oversight. Instead of explicitly providing the scope property in the role-assignment-secret.bicep template, I should inject it from outside when calling the module from main.bicep. Works now. Sorry.
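The arrangement the self-answer describes, as an added example that is not the asker's code: main.bicep injects the cross-resource-group scope on the module call, and the module itself scopes the assignment to a single secret. Both files are shown in one block; the vault and secret names, the principal and the Key Vault Secrets User role GUID are assumptions for illustration.

```bicep
// ---- main.bicep (deployed into the "dev" resource group, as in the question) ----
// Added example, not the asker's code. Names and the role GUID below are assumptions.
param principalId string                       // object ID of the identity that reads the secret
param vaultName string = 'kv-main'             // assumed vault in the "main" resource group
param secretName string = 'db-password'        // assumed secret name
// Key Vault Secrets User: read-only built-in role, the least privilege a consumer needs
param roleDefinitionId string = '4633458b-17de-408a-b874-0445c86b69e6'

// The module call carries the cross-resource-group scope; nothing inside the
// module sets a scope of its own, so neither BCP139 nor BCP134 is triggered.
module secretReader 'role-assignment-secret.bicep' = {
  name: 'secretReader'
  scope: resourceGroup('main')
  params: {
    assignee: principalId
    role: roleDefinitionId
    vaultName: vaultName
    secretName: secretName
  }
}

// ---- role-assignment-secret.bicep (runs in the "main" resource group) ----
param role string
param assignee string
param vaultName string
param secretName string
param principalType string = 'ServicePrincipal' // use 'User' or 'Group' as appropriate

resource vault 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = {
  name: vaultName
}

resource secret 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' existing = {
  parent: vault
  name: secretName
}

// Extension resource scoped to the single secret, not to the vault or the resource group.
resource perm 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  name: guid(secret.id, assignee, role)   // deterministic name keeps re-deploys idempotent
  scope: secret
  properties: {
    principalId: assignee
    principalType: principalType            // avoids replication-delay failures for new identities
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', role)
  }
}
```

Because the module runs in the main resource group, the identity running the deployment needs Microsoft.Authorization/roleAssignments/write there (for example Owner or User Access Administrator), which is the first thing to check if the deployment is denied.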