azure - 在 Azure 中创建新角色分配时出错

标签 azure azure-powershell azure-resource-manager

对于给定的 Azure 订阅,我想将自定义角色分配给服务主体。为了实现此目的,我首先检查订阅中是否存在自定义角色定义。如果该角色不存在,我会更新角色定义的可分配范围以包含此订阅。当我尝试分配角色时,我间歇性地遇到“RoleDefinitionDoesNotExist”错误。我该如何解决这个问题?

我的代码:

$roleDef = Get-AzureRmRoleDefinition -Name $azureRmRole
if($roleDef -eq $null)
{
    Select-AzureRmSubscription -SubscriptionName $prodSubscription
    #Role definition exists in $prodSubscription
    $newRole = Get-AzureRmRoleDefinition -Name $azureRmRole
    #$scope = '/subscriptions/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx'
    $newRole.AssignableScopes.Add($scope)
    $def = Set-AzureRmRoleDefinition -Role $newRole
    # I have verified that role definition is updated
}

Select-AzureRmSubscription -SubscriptionName $SubscriptionName
New-AzureRmRoleAssignment -RoleDefinitionName $azureRmRole -ObjectId $SPNid -Scope $scope

错误:

New-AzureRmRoleAssignment : The specified role definition with ID 'xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx' does not exist. At C:\Untitled1.ps1:71 char:1 + New-AzureRmRoleAssignment -RoleDefinitionName $azureRmRole -ObjectId ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : CloseError: (:) [New-AzureRmRoleAssignment], CloudException + FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand

最佳答案

您应该如下定义自定义角色:

{
  "Name": "Virtual Machine Power Manager",
  "IsCustom": true,
  "Description": "Can monitor, stop, start and restart v2 ARM virtual machines.",
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/powerOff/action",    
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*",
    "Microsoft.Support/*"
  ],
  "NotActions": [

  ],
  "AssignableScopes": [
    "/subscriptions/c25b1c8e-xxxx-1111-abcd-1a12d7012123"
  ]
}

根据您的描述,您的角色定义可能有误,您最好检查一下。

如果您想为服务主体授予自定义角色,请尝试使用以下 cmdlet。

New-AzureRmRoleAssignment -ServicePrincipalName "https://shuiweb.azurewebsites.net" `
                          -RoleDefinitionName 'Virtual Machine Power Manager' `
                          -Scope '/subscriptions/*******'

enter image description here

blog:AZURE AUTOMATION RUNBOOKS WITH AZURE AD SERVICE PRINCIPALS AND CUSTOM RBAC ROLES会有帮助的。

关于azure - 在 Azure 中创建新角色分配时出错,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/46241208/

上一篇:reactjs - Fetch API 无法加载 https ://login. live.com/oauth20_authorize.srf?client_id=...

下一篇:windows - Azure 站点恢复无法安装在独立 Windows Server 2016 Core 上 - C++ 模块无法加载

相关文章:

powershell - 自动登录Azure powershell

java - OkHttpAsyncHttpClient 抛出 IOException : closed downloading blob from Azure container

azure - 使用 Azure 预定电子邮件

Azure Luis 限制最大意图?

azure - PowerShell::Microsoft.Azure.Commands.Sql.Database.Model.AzureSqlDatabaseModel.DatabaseName

Azure 搜索、listAdminKeys、ARM 输出错误(不支持 http 方法 'POST' )

azure - 使用私有(private)存储帐户创建 SQL Server 漏洞评估资源失败

powershell - 新-AzureRmResourceGroup : 'this.Client.SubscriptionId' cannot be null

json - 如何检查名称是否已经存在? Azure 资源管理器模板

azure - 从 git 存储库运行 Azure VM 扩展 Powershell 脚本

©2024 IT工具网  联系我们