我在资源组级别删除 Azure 锁时遇到问题。我正在通过 Azure Runbook 执行此操作。
我的身份验证很好(我能够获取我想要的任何内容的详细信息)。这是代码:
# Ensures you do not inherit an AzureRMContext in your runbook
Disable-AzContextAutosave –Scope Process
"Logging in to Azure..."
$connection = Get-AutomationConnection -Name AzureRunAsConnection
Connect-AzAccount -ServicePrincipal -Tenant $connection.TenantID -ApplicationId $connection.ApplicationID -CertificateThumbprint $connection.CertificateThumbprint
如果我这样做,比如说 Get-AzResource -ResourceGroupName $RG,我就会得到我需要的信息。但问题是我实际上需要删除该资源组的一些资源,并且它有锁。
当我Remove-AzResourceLock -LockId $getAzureLock.LockId -Force时,我被抛出:
Remove-AzResourceLock : AuthorizationFailed : The client XX with object id XX does not have authorization to perform action 'Microsoft.Authorization/locks/delete' over scope '/subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.Authorization/locks/resourceDellock' or the scope is invalid. If access was recently granted, please refresh your credentials.
仅供引用,我已经编辑了订阅/对象 ID 信息。
对于我的一生,我无法回避它。该应用程序从访问控制 (IAM) 添加为订阅级别的贡献者。
我尝试了很多事情,实在太累了,无法写下来!对不起。过去 4 个小时我一直在阅读和尝试新的东西。所以请原谅我!
请帮我解决这个问题..
最佳答案
根据 documentation ,只有 Owner 和 User Access Administrator 内置角色有删除锁的权限,而 Contributor 角色没有权限。
Deletes the management lock of a resource or any level below the resource. To delete management locks, you must have access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. Of the built-in roles, only Owner and User Access Administrator are granted those actions.
因此,您的解决方案是向您的服务主体授予 Owner/User Access Administrator 角色,或者创建自定义角色并授予 Microsoft 的适当权限。授权/* 操作。
关于Azure 自动化 - 无法删除-AzResourceLock,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/62641070/