azure - How do I assign a Service Bus role to an App Service in an ARM template?

Tags: azure azureservicebus azure-resource-manager azure-rm-template

I want to define the access control (IAM) rules for a Service Bus queue with an ARM template. I know how to do this for Azure Key Vault, so I defined the following template, which creates a Service Bus namespace and a queue and then assigns the Azure Service Bus Data Owner role to the Function App:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "functionAppPrincipalId": {
            "type": "string"
        }
    },
    "variables": {
        "serviceBusName": "myServiceBus",
        "queueName": "creation-requests",
        "serviceBusUserRoleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]",
        "serviceBusRoleAssignmentName": "[concat(variables('serviceBusName'), '/Microsoft.Authorization/', guid(uniqueString(variables('serviceBusName'))))]"
    },
    "resources": [
        {
            "name": "[variables('serviceBusName')]",
            "type": "Microsoft.ServiceBus/namespaces",
            "apiVersion": "2018-01-01-preview",
            "location": "canadaeast",
            "sku": {
                "name": "Basic"
            },
            "properties": {},
            "resources": [
                {
                    "apiVersion": "2017-04-01",
                    "name": "[variables('queueName')]",
                    "type": "Queues",
                    "dependsOn": [
                        "[resourceId('Microsoft.ServiceBus/namespaces', variables('serviceBusName'))]"
                    ],
                    "properties": {
                        "lockDuration": "PT5M",
                        "defaultMessageTimeToLive": "P0Y0M1DT0H0M0S"
                    }
                }
            ]
        },
        {
            "type": "Microsoft.ServiceBus/namespaces/providers/roleAssignments",
            "name": "[variables('serviceBusRoleAssignmentName')]",
            "apiVersion": "2020-04-01-preview",
            "properties": {
                "roleDefinitionId": "[variables('serviceBusUserRoleDefinitionId')]",
                "principalId": "[parameters('functionAppPrincipalId')]"
            }
        }
    ],
    "outputs": {
    }
}

Running it produces the following error:

2020-12-23T17:57:52.3905460Z ##[error]At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.
2020-12-23T17:57:52.3941413Z ##[error]Details:
2020-12-23T17:57:52.3946096Z ##[error]Conflict: {
  "status": "Failed",
  "error": {
    "code": "ResourceDeploymentFailure",
    "message": "The resource operation completed with terminal provisioning state 'Failed'.",
    "details": [
      {
        "code": "DeploymentFailed",
        "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
        "details": [
          {
            "code": "BadRequest",
            "message": "{\r\n  \"error\": {\r\n    \"code\": \"RoleAssignmentUpdateNotPermitted\",\r\n    \"message\": \"Tenant ID, application ID, principal ID, and scope are not allowed to be updated.\"\r\n  }\r\n}"
          }
        ]
      }
    ]
  }
}

Question

How do I assign a Service Bus role to an App Service in an ARM template?

Accepted answer

If you want to assign Azure Service Bus Data Owner to the App Service (as I understand it, this means its MSI) at the subscription level, you can use the template below; it works for me.

template1.json

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "roleDefinitionID": {
      "type": "string",
      "metadata": {
        "description": "Specifies the role definition ID used in the role assignment."
      }
    },
    "principalId": {
      "type": "string",
      "metadata": {
        "description": "Specifies the principal ID assigned to the role."
      }
    }
  },
  "variables": {
    "roleAssignmentName": "[guid(parameters('principalId'), parameters('roleDefinitionID'), subscription().id)]"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "name": "[variables('roleAssignmentName')]",
      "properties": {
        "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]",
        "principalId": "[parameters('principalId')]",
        "scope": "[subscription().id]"
      }
    }
  ]
}

parameters1.json

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "roleDefinitionID": {
      "value": "090c5cfd-751d-490a-894a-3ce6f1109419"
    },
    "principalId": {
      "value": "xxxxxxxxxxxxx"
    }
  }
}

Deploy the template at subscription scope with the PowerShell cmdlet New-AzDeployment.

New-AzDeployment -Location eastus -TemplateFile C:\Users\Administrator\Desktop\template1.json -TemplateParameterFile C:\Users\Administrator\Desktop\parameters1.json 

Checking the portal shows the role assignment (screenshots in the original post).
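The accepted answer grants Data Owner on the whole subscription, which is far broader than the question needs (one queue) and lets the Function App's identity manage every Service Bus namespace in the subscription. The following template is an added example, not code from the question or the answer: it keeps the question's namespace, queue and role ID, but declares the assignment as a `Microsoft.Authorization/roleAssignments` extension resource whose `scope` is the queue's resource ID, and seeds the assignment name `guid()` from the scope, the principal and the role. That last point is what the question's template gets wrong: its name was derived from the namespace name only, so a later deployment with a different principal or scope tries to update an existing assignment, and the ARM API rejects exactly that with `RoleAssignmentUpdateNotPermitted`. `principalType: "ServicePrincipal"` is set so a just-created managed identity is not rejected while the directory replicates. The `location` parameter and `roleDefinitionId` parameter default are my additions; the narrower built-in roles Azure Service Bus Data Sender and Data Receiver are usually the right choice for a worker that only enqueues or only dequeues, and their IDs can be looked up with `Get-AzRoleDefinition -Name "Azure Service Bus Data Sender"`.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "functionAppPrincipalId": {
      "type": "string",
      "metadata": {
        "description": "Object (principal) ID of the Function App's managed identity."
      }
    },
    "roleDefinitionId": {
      "type": "string",
      "defaultValue": "090c5cfd-751d-490a-894a-3ce6f1109419",
      "metadata": {
        "description": "Built-in role GUID. Default is Azure Service Bus Data Owner (from the question); prefer Data Sender or Data Receiver when they suffice."
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]"
    }
  },
  "variables": {
    "serviceBusName": "myServiceBus",
    "queueName": "creation-requests",
    "queueResourceId": "[resourceId('Microsoft.ServiceBus/namespaces/queues', variables('serviceBusName'), variables('queueName'))]",
    "roleDefinitionResourceId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]",
    "roleAssignmentName": "[guid(variables('queueResourceId'), parameters('functionAppPrincipalId'), parameters('roleDefinitionId'))]"
  },
  "resources": [
    {
      "type": "Microsoft.ServiceBus/namespaces",
      "apiVersion": "2017-04-01",
      "name": "[variables('serviceBusName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Basic"
      }
    },
    {
      "type": "Microsoft.ServiceBus/namespaces/queues",
      "apiVersion": "2017-04-01",
      "name": "[concat(variables('serviceBusName'), '/', variables('queueName'))]",
      "dependsOn": [
        "[resourceId('Microsoft.ServiceBus/namespaces', variables('serviceBusName'))]"
      ],
      "properties": {
        "lockDuration": "PT5M",
        "defaultMessageTimeToLive": "P1D"
      }
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "name": "[variables('roleAssignmentName')]",
      "scope": "[variables('queueResourceId')]",
      "dependsOn": [
        "[variables('queueResourceId')]"
      ],
      "properties": {
        "roleDefinitionId": "[variables('roleDefinitionResourceId')]",
        "principalId": "[parameters('functionAppPrincipalId')]",
        "principalType": "ServicePrincipal"
      }
    }
  ],
  "outputs": {
    "roleAssignmentScope": {
      "type": "string",
      "value": "[variables('queueResourceId')]"
    }
  }
}
```

Deploy it at resource-group scope, e.g. `New-AzResourceGroupDeployment -ResourceGroupName <rg> -TemplateFile .\template.json -functionAppPrincipalId <objectId>`; the deploying identity needs `Microsoft.Authorization/roleAssignments/write` on the queue (Owner or User Access Administrator), not just Contributor. Because the name is a function of scope, principal and role, redeploying with the same inputs is idempotent, and changing the principal produces a new assignment instead of an illegal update; remove the old assignment explicitly (Remove-AzRoleAssignment) if it should no longer exist.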

For "azure - How do I assign a Service Bus role to an App Service in an ARM template?" we found a similar question on Stack Overflow: https://stackoverflow.com/questions/65438515/
