azure - VSTS 部署失败，错误为 "Authorization failed for ... of type ' Microsoft.Storage/storageAccounts/providers/locks'"

Question

我正在使用 VSTS 部署 ARM 模板，其中包含一个锁(在我的例子中，锁定了函数应用程序的存储帐户)

{
    "parameters": {
        "name": {
            "type": "string"
        },
        "storageName": {
            "type": "string"
        },
        "location": {
            "type": "string"
        }
    },
    "resources": [
        {
            "apiVersion": "2015-05-01-preview",
            "type": "Microsoft.Storage/storageAccounts",
            "name": "[parameters('storageName')]",
            "location": "[parameters('location')]",
            "properties": {
                "accountType": "Standard_LRS"
            },
            "resources": [
                {
                    "type": "Microsoft.Storage/storageAccounts/providers/locks",
                    "name": "[concat(parameters('storageName'), '/Microsoft.Authorization/', parameters('storageName'))]",
                    "apiVersion": "2015-01-01",
                    "dependsOn": [
                        "[concat('Microsoft.Storage/storageAccounts/', parameters('storageName'))]"
                    ],
                    "properties": {
                        "level": "CannotDelete",
                        "notes": "One or more function apps were linked to this storage account. You can see all the function apps linked to the account under 'files' or 'shares'."
                    }
                }
            ]
        },...

当使用我的凭据从 VS 或命令行进行部署时，效果很好。 但是，当从 VSTS 发布定义进行部署时，部署失败并显示:

Resource Microsoft.Resources/deployments 'myFunctionApp' failed with message '{
  "error": {
    "code": "InvalidTemplateDeployment",
    "message": "The template deployment failed with error: 'Authorization failed for template resource 'myFunctionAppStorage/Microsoft.Authorization/myFunctionAppStorage' of type 'Microsoft.Storage/storageAccounts/providers/locks'. The client '***VSTS service principal Id***' with object id '***VSTS service principal Id***' does not have permission to perform action 'Microsoft.Authorization/locks/write' at scope '/subscriptions/*** subscription ***/resourceGroups/*** resource group ***/providers/Microsoft.Storage/storageAccounts/myFunctionAppStorage/providers/Microsoft.Authorization/locks/myFunctionAppStorage'.'."
  }
}

当我从模板中删除 Microsoft.Storage/storageAccounts/providers/locks 部分时，VSTS 部署可以正常工作。但随后存储帐户将不带有防止删除的锁定。

Answer 1

Contributor 角色(当 VSTS 在连接到资源组订阅的 AAD 中创建服务主体时分配)不足以放置锁定。分配 Owner 并可以在 VSTS 部署过程中放置​​锁。