azure - 有时，ARM 模板在使用用户分配的托管身份时会抛出 PrimaryNotFound 错误

Question

因此，我尝试使用 ARM 模板执行以下操作:

1. 在资源组 my-managed-identity 中创建新的用户分配的托管身份 ( my-rg )
2. 分配my-managed-identity Reader my-rg 的角色
3. 分配角色 Managed Identity Operator发送给 my-aks-sp 中的 AKS 服务主体 ( my-managed-id )

这是我执行此操作的 ARM 模板:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "aksServicePrincipalObjectId": {
            "type": "string",
            "metadata": {
                "description": "The Object Id for the AKS Cluster Service Principal"
            }
        },
    },
    "variables": {
        "managedIdentityName": "my-managed-identity",
        "readerRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
        "managedIdOperatorRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]"
    },
    "resources": [
        {
            "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
            "name": "[variables('managedIdentityName')]",
            "apiVersion": "2018-11-30",
            "location": "[resourceGroup().location]",
            "resources": [
                {
                    "type": "Microsoft.ManagedIdentity/userAssignedIdentities/providers/roleAssignments",
                    "name": "[concat(variables('managedIdentityName'), '/Microsoft.Authorization/', guid(parameters('aksServicePrincipalObjectId')))]",
                    "apiVersion": "2018-09-01-preview",
                    "location": "[resourceGroup().location]",
                    "dependsOn": [
                        "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('managedIdentityName'))]"
                    ],
                    "properties": {
                        "roleDefinitionId": "[variables('managedIdOperatorRole')]",
                        "principalId": "[parameters('aksServicePrincipalObjectId')]"
                    }
                }
            ]
        },
        {
            "type": "Microsoft.Authorization/roleAssignments",
            "name": "[guid(variables('managedIdentityName'))]",
            "apiVersion": "2018-09-01-preview",
            "dependsOn": [
                "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('managedIdentityName'))]"
            ],
            "properties": {
                "roleDefinitionId": "[variables('readerRole')]",
                "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName')),'2018-11-30').principalId]"
            }
        }
    ]
}

奇怪的是，有时这种部署不起作用。我经常会收到错误:

New-AzResourceGroupDeployment : 2:56:07 PM - Resource Microsoft.Authorization/roleAssignments 'd62bb9a1-bf0b-5a92-aca1-74beab087ee9' failed with message '{
  "error": {
    "code": "PrincipalNotFound",
    "message": "Principal fad453d06bd042148411606b74525ed2 does not exist in the directory 936529098-bafa-4c91-b54f-f012cc11eeec."
  }
}

我在这里遗漏了什么吗？

Answer 1

这个documentation from Microsoft解决了我的问题。

这是我的完整模板:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "aksServicePrincipalObjectId": {
            "type": "string",
            "metadata": {
                "description": "The Object Id for the AKS Cluster Service Principal"
            }
        },
    },
    "variables": {
        "managedIdentityName": "my-managed-identity",
        "readerRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
        "managedIdOperatorRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]"
    },
    "resources": [
        {
            "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
            "name": "[variables('managedIdentityName')]",
            "apiVersion": "2018-11-30",
            "location": "[resourceGroup().location]",
            "resources": [
                {
                    "type": "Microsoft.ManagedIdentity/userAssignedIdentities/providers/roleAssignments",
                    "name": "[concat(variables('managedIdentityName'), '/Microsoft.Authorization/', guid(parameters('aksServicePrincipalObjectId')))]",
                    "apiVersion": "2018-09-01-preview",
                    "location": "[resourceGroup().location]",
                    "dependsOn": [
                        "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('managedIdentityName'))]"
                    ],
                    "properties": {
                        "roleDefinitionId": "[variables('managedIdOperatorRole')]",
                        "principalId": "[parameters('aksServicePrincipalObjectId')]",
                        "principalType": "ServicePrincipal" // This solved my issue
                    }
                }
            ]
        },
        {
            "type": "Microsoft.Authorization/roleAssignments",
            "name": "[guid(variables('managedIdentityName'))]",
            "apiVersion": "2018-09-01-preview",
            "dependsOn": [
                "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('managedIdentityName'))]"
            ],
            "properties": {
                "roleDefinitionId": "[variables('readerRole')]",
                "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName')),'2018-11-30').principalId]",
                "scope": "[resourceGroup().id]" //This is what I added to get it to work! 
            }
        }
        ]

}