I created a container app, enabled a managed identity on it, and now I'm trying to assign the AcrPull role on the ACR to that managed identity, but the deployment fails with an internal server error. I don't know what I'm doing wrong! I'm actually following this guide, but only with the CLI commands that I had tried before and that worked fine.
Here is the part where I try to assign the role:
resource acrPullRoleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid(containerApp.id, 'AcrPull') // Unique name for the role assignment
  scope: acr
  properties: {
    principalId: containerApp.identity.principalId // Managed identity of the container app
    // Note: 'AcrPull' is the role's display name, not its role definition GUID
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'AcrPull')
  }
}
Here are the other resources:
resource acr 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' = {
  name: acrName
  location: location
  sku: {
    name: 'Basic'
  }
  properties: {
    dataEndpointEnabled: false
    encryption: {
      status: 'disabled'
    }
    // Enables the registry's shared admin username/password; not needed when pulling with a managed identity
    adminUserEnabled: true
  }
}
resource containerApp 'Microsoft.App/containerApps@2023-08-01-preview' = {
  name: containerAppName
  location: location
  identity: {
    type: 'SystemAssigned' // Creates the principal whose principalId the role assignment needs
  }
  properties: {
    managedEnvironmentId: env.id
    configuration: {
      ingress: {
        external: true
        targetPort: 80
        allowInsecure: false
        traffic: [
          {
            latestRevision: true
            weight: 100
          }
        ]
      }
    }
    template: {
      containers: [
        {
          name: containerAppName
          image: 'mcr.microsoft.com/k8se/quickstart:latest' // Public image, so no ACR pull is attempted yet
          resources: {
            cpu: json('2.0')
            memory: '4Gi'
          }
        }
      ]
      scale: {
        minReplicas: 0
        maxReplicas: 1
      }
    }
  }
}
Assigning the AcrPull role on an Azure Container Registry to an Azure Container App in Bicep
When creating a role assignment with Bicep, make sure to set the managed identity's principalType to ServicePrincipal. Please refer to the MS DOC for more details.
// Container app managed identity principal ID
// The value below is a placeholder; use the principalId reported by `az containerapp identity show`
param principalId string = '4fb6333333-4207-b4f3-a04e9754808c'
resource acr 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' = {
  name: 'venkatacrtestdemo'
  location: 'eastus'
  sku: {
    name: 'Basic'
  }
}
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  dependsOn: [
    acr
  ]
  // Deterministic name: the same scope, principal and role always produce the same GUID, so redeploys are idempotent
  name: guid(acr.id, principalId, 'AcrPull')
  scope: acr // Assignment is scoped to the registry only, not the resource group or subscription
  properties: {
    principalId: principalId
    // 7f951dda-4ed3-4680-a7ca-43fe172d538d is the built-in AcrPull role definition ID
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
    // Required for a newly created identity, otherwise ARM may fail to find the principal before it has replicated
    principalType: 'ServicePrincipal'
  }
}
az deployment group create --name "demoRGDeployment" --resource-group "ACR-RG" --template-file ./ACRRole.bicep
After running the script, the AcrPull role is assigned to the container app's managed identity.
Reference: Role assignments
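As an added example (not the question's or the answer's own template), the following Bicep puts the pieces together in one deployment: the registry, the container app with a system-assigned identity, and the role assignment with the role definition GUID, principalType set to ServicePrincipal, and the scope restricted to the registry. It assumes an existing Container Apps environment passed in as envName; the parameter and resource names are illustrative.

```bicep
// Added example, not code from the original post. Assumes the managed environment already exists.
param location string = resourceGroup().location
param acrName string
param envName string
param containerAppName string

// Built-in AcrPull role definition ID; roleDefinitionId must be this GUID, not the role name
var acrPullRoleDefinitionId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')

resource env 'Microsoft.App/managedEnvironments@2023-08-01-preview' existing = {
  name: envName
}

resource acr 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' = {
  name: acrName
  location: location
  sku: {
    name: 'Basic'
  }
  properties: {
    // Pulls use the managed identity, so the shared admin credential stays disabled
    adminUserEnabled: false
  }
}

resource containerApp 'Microsoft.App/containerApps@2023-08-01-preview' = {
  name: containerAppName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    managedEnvironmentId: env.id
    configuration: {
      ingress: {
        external: true
        targetPort: 80
      }
    }
    template: {
      containers: [
        {
          name: containerAppName
          // Public image for the first deployment: the identity does not have AcrPull until this template finishes
          image: 'mcr.microsoft.com/k8se/quickstart:latest'
          resources: {
            cpu: json('0.5')
            memory: '1Gi'
          }
        }
      ]
      scale: {
        minReplicas: 0
        maxReplicas: 1
      }
    }
  }
}

// Scoped to the registry only (least privilege); the reference to containerApp.identity
// creates the dependency on the app, so no explicit dependsOn is needed
resource acrPull 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(acr.id, containerApp.id, acrPullRoleDefinitionId)
  scope: acr
  properties: {
    principalId: containerApp.identity.principalId
    roleDefinitionId: acrPullRoleDefinitionId
    // Tells ARM the principal is a service principal so it does not fail the lookup
    // while the freshly created identity is still replicating
    principalType: 'ServicePrincipal'
  }
}

output principalId string = containerApp.identity.principalId
output acrLoginServer string = acr.properties.loginServer
```

Deploy it with the same `az deployment group create ... --template-file` command the answer uses, then confirm the assignment with `az role assignment list --scope <acr resource id> --assignee <principalId output>`. Only after the assignment exists can the app pull a private image: update the template so `image` points at `${acr.properties.loginServer}/<repository>:<tag>` and add `configuration.registries` with `server: acr.properties.loginServer` and `identity: 'system'`. With a system-assigned identity this has to be a second deployment, because the principal does not exist until the app is created and the first revision would fail to pull before the role is granted.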