I have the following ARM template, which runs against ResourceGroupA and performs a role assignment on a resource that exists in ResourceGroupB. The resources I am using are a managed identity in RG-A and a Key Vault in RG-B. Whenever I run it, I hit a problem resolving the Key Vault resource being used.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "managedIdentityName": {
      "type": "string",
      "defaultValue": "mymanagedidentityname"
    }
  },
  "variables": {
    "kvResourceGroupName": "ResourceGroupB",
    "kvName": "myKv",
    "userAssignedIdentityApiVersion": "2018-11-30",
    "kvSecretsUserRoleId": "b86a8fe4-44ce-4948-aee5-eccb2c155cd7"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "name": "[guid(concat(subscription().id, variables('kvName'), parameters('managedIdentityName'), variables('kvSecretsUserRoleId')))]",
      "scope": "[format('/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.KeyVault/vaults/{2}', subscription().subscriptionId, variables('kvResourceGroupName'), variables('kvName'))]",
      "properties": {
        "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', variables('kvSecretsUserRoleId'))]",
        "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('managedIdentityName')), '2018-11-30').principalId]"
      }
    }
  ]
}
The error message I receive is: "The Resource 'myKv' under resource group 'ResourceGroupA' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix."
Any help is appreciated. Thanks!
Role assignment with an ARM template across different resource groups
I do agree with the same point raised by Thomos.
If you are assigning a role in a different resource group and the identity is located in another resource group, make sure you specify the identity's resource group details in the ARM template and deploy the template to the Key Vault's resource group.
Here is the updated ARM code for the role assignment.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "managedIdentityName": {
      "type": "string",
      "defaultValue": "Venkat-UAM"
    },
    "managedIdentityResourceGroupName": {
      "type": "string",
      "defaultValue": "Venkat-RG"
    }
  },
  "variables": {
    "kvResourceGroupName": "Key_vault",
    "kvName": "Venkt-Vault",
    "userAssignedIdentityApiVersion": "2018-11-30",
    "kvSecretsUserRoleId": "4633458b-17de-408a-b874-0445c86b69e6"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "name": "[guid(concat(subscription().id, variables('kvName'), parameters('managedIdentityName'), variables('kvSecretsUserRoleId')))]",
      "scope": "[format('/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.KeyVault/vaults/{2}', subscription().subscriptionId, variables('kvResourceGroupName'), variables('kvName'))]",
      "properties": {
        "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', variables('kvSecretsUserRoleId'))]",
        "principalId": "[reference(resourceId(parameters('managedIdentityResourceGroupName'), 'Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName')), variables('userAssignedIdentityApiVersion')).principalId]"
      }
    }
  ]
}
In my case, the UAM (identity) is in [Venkat-RG] and the Key Vault is in the [Key_vault] resource group.
When deploying the script, make sure you deploy it to Resource Group B:
New-AzResourceGroupDeployment -ResourceGroupName "Key_vault" -TemplateFile "roleassignment.json"
Output:
After the script ran, the role was assigned to the Key Vault successfully.
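As an added example (not part of the original question or answer), the following PowerShell script deploys the answer's template into the Key Vault's resource group and then verifies two things the deployment output alone does not show: that the assignment exists at exactly the vault scope, and that the vault uses the RBAC permission model, without which a Key Vault RBAC role grants nothing. It assumes the Az modules are installed, Connect-AzAccount has been run, and the template is saved as roleassignment.json; the resource names are the placeholders from the answer.

```powershell
# Added example: deploy the role assignment into the Key Vault's RG, then verify it.
# Assumes Az.Accounts, Az.Resources, Az.KeyVault and Az.ManagedServiceIdentity are
# installed and Connect-AzAccount has already been run. Names are placeholders.
$kvResourceGroup  = "Key_vault"    # RG-B: where the Key Vault lives and where we deploy
$kvName           = "Venkt-Vault"
$identityRG       = "Venkat-RG"    # RG-A: where the user-assigned identity lives
$identityName     = "Venkat-UAM"
$roleDefinitionId = "4633458b-17de-408a-b874-0445c86b69e6"   # role id used in the answer

# 1. Deploy into the Key Vault's resource group, as the answer describes.
$deployment = New-AzResourceGroupDeployment -ResourceGroupName $kvResourceGroup `
    -TemplateFile ".\roleassignment.json" `
    -TemplateParameterObject @{
        managedIdentityName              = $identityName
        managedIdentityResourceGroupName = $identityRG
    }
if ($deployment.ProvisioningState -ne "Succeeded") {
    throw "Deployment ended in state '$($deployment.ProvisioningState)'"
}

# 2. Resolve the identity's principalId and the vault's full resource id.
$principalId = (Get-AzUserAssignedIdentity -ResourceGroupName $identityRG `
    -Name $identityName).PrincipalId
$vault = Get-AzKeyVault -ResourceGroupName $kvResourceGroup -VaultName $kvName

# 3. RBAC data-plane roles only apply when the vault uses the RBAC permission model;
#    a vault still on access policies accepts the assignment but ignores it.
if (-not $vault.EnableRbacAuthorization) {
    Write-Warning "$kvName uses access policies, not RBAC: this assignment grants no access."
}

# 4. Confirm the assignment exists at exactly the vault scope, not inherited from the
#    resource group or subscription (Get-AzRoleAssignment also returns inherited ones).
$assignment = Get-AzRoleAssignment -ObjectId $principalId -Scope $vault.ResourceId `
    -RoleDefinitionId $roleDefinitionId |
    Where-Object { $_.Scope -eq $vault.ResourceId }
if (-not $assignment) {
    throw "No assignment of role $roleDefinitionId for $identityName at $($vault.ResourceId)"
}
"$($assignment.RoleDefinitionName) granted to $identityName on $($vault.ResourceId)"
```

Because the template names the assignment with a deterministic guid(), re-running the deployment is idempotent and this check can be used after every run.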