我正在尝试将 AD 组作为贡献者分配给我的存储帐户,并且还使用子级别所有者的 Servicie 主体将 AD 组分配给我的存储帐户。
param storageAccountName string
param roleId array
param adGroup string
param principalType string = 'Group'
// reference to storage account
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
name: storageAccountName
}
resource roleAssignment1 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for roleId in roleId: {
name: guid(subscription().subscriptionId, resourceGroup().name, storageAccountName, roleId, adGroup)
scope: storageAccount
properties: {
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleId)
principalId: adGroup
principalType: principalType
}
}
]
我收到此错误
code":"GroupTypeNotSupported","message":"Only security-enabled groups can be used in role assignments."}
只能分配
Security注意:如果您手动创建了角色分配,则会分配一个随机 GUID,因此在运行您的二头肌文件时,它将尝试创建一个具有不同名称的新角色分配(
guid(subscription().subscriptionId, resourceGroup().name, storageAccountName, roleId, adGroup)