问题描述
我有一个通过ARM模板定义的服务目录托管应用程序。在模板内部,我创建了一个Linux VM,并运行一个自定义脚本,该脚本从现有的Azure Blob存储中下载所需的文件并启动我的应用。
我想使用RBAC授予对现有Blob存储的访问权限,以便在模板内未指定任何访问密钥或令牌,并且部署受管应用程序的用户无需输入任何密钥或令牌。
因此,我在虚拟机上具有以下角色分配以访问不同的资源组,这是从answer那里汲取灵感的
{
"type": "Microsoft.Resources/deployments","name": "nested-role-assignment","apiVersion": "2017-05-10","resourceGroup": "myResourceGroup","subscriptionId": "[subscription().subscriptionId]","dependsOn": [
"[concat('Microsoft.Compute/virtualMachines/',variables('vmName'))]"
],"properties": {
"mode": "Incremental","template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion": "1.0.0.0","resources": [
{
"apiVersion": "2018-01-01-preview","type": "Microsoft.Storage/storageAccounts/providers/roleAssignments","name": "[concat('myStorageAccount','/Microsoft.Authorization/',guid(subscription().subscriptionId,'foo'))]","properties": {
"roleDeFinitionId": "[variables('StorageBlobContributor')]","principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines',variables('vmName')),'2019-12-01','Full').identity.principalId]","scope": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/myStorageAccount')]"
}
}
]
}
}
}
当我使用以天蓝色门户网站全局管理员身份登录的CLI部署托管应用程序时,此方法有效。
创建托管应用程序定义并以Azure AD用户身份从Service Catalog部署应用程序时,出现错误-
{
"code": "DeploymentFailed","message": "At least one resource deployment operation Failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details": [
{
"code": "Conflict","message": "{\r\n \"status\": \"Failed\",\r\n \"error\": {\r\n \"code\": \"ResourceDeploymentFailure\",\r\n \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\",\r\n \"details\": [\r\n {\r\n \"code\": \"ApplianceDeploymentFailed\",\r\n \"message\": \"The operation to create appliance Failed. Please check operations of deployment 'managed-app' under resource group '/subscriptions/<subscr-id>/resourceGroups/<managed-rg>'. Error message: 'At least one resource deployment operation Failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.'\",\r\n \"details\": [\r\n {\r\n \"code\": \"BadRequest\",\r\n \"message\": \"{\\r\\n \\\"error\\\": {\\r\\n \\\"code\\\": \\\"InvalidTemplateDeployment\\\",\\r\\n \\\"message\\\": \\\"The template deployment Failed with error: 'Authorization Failed for template resource 'myResourceGroup/Microsoft.Authorization/<some-id>' of type 'Microsoft.Storage/storageAccounts/providers/roleAssignments'. The client '<client-id>' with object id '<client-id>' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/<subscr-id>/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/myStorageAccount/providers/Microsoft.Authorization/roleAssignments/<some-id>'.'.\\\"\\r\\n }\\r\\n}\"\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}"
}
]
}
表示客户端ID无权执行操作“ Microsoft.Authorization / roleAssignments / write”。我找不到此处的client-id代表什么。
为对此进行分类,我为用户分配了“所有者”角色,以便它可以“编写”角色分配,但这没有帮助。收到相同的错误。
Azure AD用户不能在其他资源组中编写角色分配是很有意义的。 在那种情况下,这里正确的解决方案是什么?
总而言之,我如何使用Arm模板授予对Service Catalog应用程序创建的VM的访问权限,以便它可以从现有Blob存储中下载文件(使用RBAC)?
-编辑-
我以前使用的是“系统分配的”身份,但是我需要一个“用户分配的”身份。在此guide之后,我创建了一个用户分配的身份(在门户中),并授予它对我的Blob存储的访问权限。然后,我更新了createUiDeFinition
,以在部署托管应用程序时选择身份。上面提到的错误消失了,但是身份没有分配给新创建的VM。
我尝试通过--
为mainTemplate
中的VM分配身份
"type": "Microsoft.Compute/virtualMachines","apiVersion": "2018-10-01","name": "[variables('vmName')]","location": "[parameters('location')]","dependsOn": [
"[resourceId('Microsoft.Network/networkInterfaces',variables('networkInterfaceName'))]"
],"identity": {
"type": "UserAssigned","userAssignedIdentities": {
"[variables('userAssignedIdentity')]": {}
}
},
但是会产生与以前类似的错误-
"The client 'some-id' with object id 'some-id' has permission to perform action 'Microsoft.Compute/virtualMachines/write'
on scope '/subscriptions/subscr-id/resourcegroups/mrg-20200827143250/providers/Microsoft.Compute/virtualMachines/new-vm';
however,it does not have permission to perform action
'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action'
on the linked scope(s) '/subscriptions/subscr-id/resourceGroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-user-identity' or the linked scope(s) are invalid.
我创建的托管应用程序的授权为“所有者”和“托管身份提供者”,并且还以具有“所有者”角色但仍然没有运气的用户身份登录。
解决方法
暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!
如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。
小编邮箱:dio#foxmail.com (将#修改为@)