"Resource Group 1" contains a user-assigned managed identity and the active storage account. "Resource Group 2" contains the passive storage account. The current ARM template defines the user-assigned managed identity and the active storage account, and in a nested deployment it defines the passive storage account, which is deployed into "Resource Group 2".
Now I want to add role assignments between the user-assigned managed identity and the storage accounts. The role assignment between the user-assigned managed identity and the active storage account in the same resource group deploys fine. But I am unable to deploy the role assignment between the user-assigned managed identity in Resource Group 1 and the passive storage account in Resource Group 2.
I tried adding the cross-resource-group role assignment inside the nested deployment where the passive storage account is defined, but I get a template validation error saying that the passive storage account is not defined in the template.
ARM template
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2023-01-01",
"name": "[variables('activeStorageName')]",
"location": "[parameters('storageLocation')]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"defaultToOAuthAuthentication": false,
"allowCrossTenantReplication": false,
"minimumTlsVersion": "TLS1_0",
"allowBlobPublicAccess": false,
"allowSharedKeyAccess": true,
"networkAcls": {
"bypass": "AzureServices",
"virtualNetworkRules": [],
"ipRules": [],
"defaultAction": "Allow"
},
"supportsHttpsTrafficOnly": true,
"accessTier": "Hot"
}
},
{
"condition": "[parameters('shouldDeployPassiveStorage')]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2021-04-01",
"name": "PassiveStorageDeployment",
"resourceGroup": "[variables('PassiveResourceGroupName')]",
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2023-01-01",
"name": "[variables('passiveStorageName')]",
"location": "[parameters('passiveRegion')]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"defaultToOAuthAuthentication": false,
"allowCrossTenantReplication": false,
"minimumTlsVersion": "TLS1_0",
"allowBlobPublicAccess": false,
"allowSharedKeyAccess": true,
"networkAcls": {
"bypass": "AzureServices",
"virtualNetworkRules": [],
"ipRules": [],
"defaultAction": "Allow"
},
"supportsHttpsTrafficOnly": true,
"accessTier": "Hot"
}
},
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[guid(concat(subscription().id, variables('passiveStorageName'), parameters('managedIdentityName'), 'Storage Blob Data Contributor'))]",
"scope": "[format('Microsoft.Storage/storageAccounts/{0}', variables('passiveStorageName'))]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', variables('passiveStorageName'))]"
],
"properties": {
"roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
"principalId": "[reference(resourceId(variables('activeResourceGroupName'), 'Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName'))).principalId]"
}
}
]
}
}
},
{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"apiVersion": "2018-11-30",
"name": "[parameters('managedIdentityName')]",
"location": "[resourceGroup().location]"
},
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[guid(concat(subscription().id, variables('activeStorageName'), parameters('managedIdentityName'), 'Storage Blob Data Contributor'))]",
"scope": "[format('Microsoft.Storage/storageAccounts/{0}', variables('activeStorageName'))]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', variables('activeStorageName'))]"
],
"properties": {
"roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
"principalId": "[reference(resourceId(variables('activeResourceGroupName'), 'Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName'))).principalId]"
}
}
]
Below is the error message I get when deploying
Code: InvalidTemplate
Message: Deployment template validation failed: 'The resource 'Microsoft.Storage/storageAccounts/passiveStorageName' is not defined in the template
Adding a role assignment between two different resource groups using ARM
The main problem seems to be the way we are trying to deploy using the same RG that uses the managed identity, and the way we nested the managed identity in variables.
Even though the managed identity comes from a different RG, we can reference it directly, as shown in the configuration below.
ARM configuration:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "managedIdentityName": {
      "type": "string",
      "defaultValue": "testvksb"
    }
  },
  "variables": {
    "passiveResourceGroupName": "vksb-rg2",
    "passiveStorageName": "passivestoragevkk",
    "userAssignedIdentityApiVersion": "2018-11-30"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "name": "[guid(concat(subscription().id, 'passivestoragevkk', 'testvksb', 'Storage Blob Data Owner'))]",
      // full resource ID of the existing storage account in the other resource group
      "scope": "[format('/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.Storage/storageAccounts/{2}', subscription().subscriptionId, variables('passiveResourceGroupName'), variables('passiveStorageName'))]",
      "properties": {
        // Storage Blob Data Owner
        "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]",
        // the identity is not defined in this template, so reference() needs an explicit apiVersion
        "principalId": "[reference(resourceId('vksb-rg1', 'Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName')), variables('userAssignedIdentityApiVersion')).principalId]"
      }
    }
  ]
}
Deployment:
References:
Azure ARM role assignment different resource group - Stack Overflow, by 4c74356b41
Assign Azure roles using Azure Resource Manager templates - Azure RBAC | Microsoft Learn
Add role assignments across two different resource groups using ARM: active storage account in ResourceGroup1 and active storage account in ResourceGroup2
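The validation error in the question comes from the nested deployment's default expression scope. A `Microsoft.Resources/deployments` resource without `expressionEvaluationOptions` evaluates the nested template's expressions in the outer template's scope, so the `resourceId(...)` in `dependsOn` and the relative `scope` of the role assignment are resolved against the outer template and its resource group, where no passive storage account is defined. The answer sidesteps this by deploying the role assignment on its own with a full resource ID. The template below is an added example, not code from the asker or the answerer, that keeps the question's original layout (identity in the deploying resource group, passive storage account plus its role assignment in a nested deployment targeting the second resource group) and fixes it by setting `expressionEvaluationOptions.scope` to `inner` and passing the identity's `principalId` and the role definition ID into the nested template as parameters. Parameter names, the hardened storage settings (TLS 1.2, shared keys disabled, OAuth by default) and the `principalType` field are my choices; the role is Storage Blob Data Contributor as in the question. The `//` comments are ARM template comments, which Azure CLI 2.3.0+ and Azure PowerShell accept; remove them if your tooling parses strict JSON.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "managedIdentityName": { "type": "string" },
    "passiveResourceGroupName": { "type": "string" },
    "passiveStorageName": { "type": "string" },
    "passiveRegion": { "type": "string" },
    "shouldDeployPassiveStorage": { "type": "bool", "defaultValue": true }
  },
  "variables": {
    // built-in Storage Blob Data Contributor role; the ID is the same in every subscription
    "blobContributorRoleId": "ba92f5b4-2d11-453d-a403-e96b0029c9fe"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "apiVersion": "2018-11-30",
      "name": "[parameters('managedIdentityName')]",
      "location": "[resourceGroup().location]"
    },
    {
      "condition": "[parameters('shouldDeployPassiveStorage')]",
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2021-04-01",
      "name": "PassiveStorageDeployment",
      "resourceGroup": "[parameters('passiveResourceGroupName')]",
      // the identity must exist before its principalId is read in the parameters below
      "dependsOn": [
        "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName'))]"
      ],
      "properties": {
        "mode": "Incremental",
        // inner: nested expressions resolve against the nested template and its target RG
        "expressionEvaluationOptions": { "scope": "inner" },
        // the inner template sees no outer variables, so everything it needs is passed in;
        // these values are evaluated here, in the outer scope, where the identity is visible
        "parameters": {
          "storageName": { "value": "[parameters('passiveStorageName')]" },
          "location": { "value": "[parameters('passiveRegion')]" },
          "principalId": {
            "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName')), '2018-11-30').principalId]"
          },
          "roleDefinitionId": {
            "value": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('blobContributorRoleId'))]"
          }
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "storageName": { "type": "string" },
            "location": { "type": "string" },
            "principalId": { "type": "string" },
            "roleDefinitionId": { "type": "string" }
          },
          "resources": [
            {
              "type": "Microsoft.Storage/storageAccounts",
              "apiVersion": "2023-01-01",
              "name": "[parameters('storageName')]",
              "location": "[parameters('location')]",
              "sku": { "name": "Standard_LRS" },
              "kind": "StorageV2",
              "properties": {
                // hardened relative to the question: the identity authenticates with OAuth,
                // so shared keys are off and TLS 1.0/1.1 clients are refused (my choice)
                "minimumTlsVersion": "TLS1_2",
                "supportsHttpsTrafficOnly": true,
                "allowBlobPublicAccess": false,
                "allowSharedKeyAccess": false,
                "defaultToOAuthAuthentication": true,
                "allowCrossTenantReplication": false
              }
            },
            {
              "type": "Microsoft.Authorization/roleAssignments",
              "apiVersion": "2022-04-01",
              // deterministic name from scope + principal + role, so redeploys are idempotent
              "name": "[guid(resourceId('Microsoft.Storage/storageAccounts', parameters('storageName')), parameters('principalId'), parameters('roleDefinitionId'))]",
              // the storage account is defined in this inner template, so the relative
              // scope and the dependsOn now validate
              "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('storageName'))]",
              "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageName'))]"
              ],
              "properties": {
                "roleDefinitionId": "[parameters('roleDefinitionId')]",
                "principalId": "[parameters('principalId')]",
                // skips the directory lookup that fails with PrincipalNotFound for an
                // identity created moments earlier (replication lag)
                "principalType": "ServicePrincipal"
              }
            }
          ]
        }
      }
    }
  ]
}
```

Deploy it against the first resource group, for example with `az deployment group create --resource-group <rg1> --template-file main.json --parameters managedIdentityName=<name> passiveResourceGroupName=<rg2> passiveStorageName=<account> passiveRegion=<region>`. The principal running the deployment needs write access to both resource groups, and on the second one specifically `Microsoft.Authorization/roleAssignments/write` (Owner or User Access Administrator); Contributor alone is enough to create the storage account but the role assignment will fail with an authorization error. Keep the assignment scoped to the single storage account rather than the resource group: the identity only needs blob data access on that account, and a wider scope is what an attacker who compromises the workload would inherit.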