azure - In an ARM template, how do I assign a Service Bus role to an App Service?
Problem description
I want to define access control (IAM) rules for a Service Bus queue with an ARM template. I know how to do this for Azure Key Vault, so I defined the following template, which creates a Service Bus namespace together with a queue and then assigns the Azure Service Bus Data Owner role to a Function App:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "functionAppPrincipalId": {
      "type": "string"
    }
  },
  "variables": {
    "serviceBusName": "myServiceBus",
    "queueName": "creation-requests",
    "serviceBusUserRoleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]",
    "serviceBusRoleAssignmentName": "[concat(variables('serviceBusName'), '/Microsoft.Authorization/', guid(uniqueString(variables('serviceBusName'))))]"
  },
  "resources": [
    {
      "name": "[variables('serviceBusName')]",
      "type": "Microsoft.ServiceBus/namespaces",
      "apiVersion": "2018-01-01-preview",
      "location": "canadaeast",
      "sku": {
        "name": "Basic"
      },
      "properties": {},
      "resources": [
        {
          "apiVersion": "2017-04-01",
          "name": "[variables('queueName')]",
          "type": "Queues",
          "dependsOn": [
            "[resourceId('Microsoft.ServiceBus/namespaces', variables('serviceBusName'))]"
          ],
          "properties": {
            "lockDuration": "PT5M",
            "defaultMessageTimeToLive": "P0Y0M1DT0H0M0S"
          }
        }
      ]
    },
    {
      "type": "Microsoft.ServiceBus/namespaces/providers/roleAssignments",
      "name": "[variables('serviceBusRoleAssignmentName')]",
      "apiVersion": "2020-04-01-preview",
      "properties": {
        "roleDefinitionId": "[variables('serviceBusUserRoleDefinitionId')]",
        "principalId": "[parameters('functionAppPrincipalId')]"
      }
    }
  ],
  "outputs": {
  }
}
Running it produces the following error:
2020-12-23T17:57:52.3905460Z ##[error]At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.
2020-12-23T17:57:52.3941413Z ##[error]Details:
2020-12-23T17:57:52.3946096Z ##[error]Conflict: {
  "status": "Failed",
  "error": {
    "code": "ResourceDeploymentFailure",
    "message": "The resource operation completed with terminal provisioning state 'Failed'.",
    "details": [
      {
        "code": "DeploymentFailed",
        "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
        "details": [
          {
            "code": "BadRequest",
            "message": "{\r\n \"error\": {\r\n \"code\": \"RoleAssignmentUpdateNotPermitted\",\r\n \"message\": \"Tenant ID, application ID, principal ID, and scope are not allowed to be updated.\"\r\n }\r\n}"
          }
        ]
      }
    ]
  }
}
Question
In an ARM template, how do I assign a Service Bus role to an App Service?
Solution
If you want to assign Azure Service Bus Data Owner to an App Service (as I understand it, you mean its MSI) at the subscription level, you can use the template below; it works for me.
template1.json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "roleDefinitionID": {
      "type": "string",
      "metadata": {
        "description": "Specifies the role definition ID used in the role assignment."
      }
    },
    "principalId": {
      "type": "string",
      "metadata": {
        "description": "Specifies the principal ID assigned to the role."
      }
    }
  },
  "variables": {
    "roleAssignmentName": "[guid(parameters('principalId'), parameters('roleDefinitionID'), subscription().id)]"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "name": "[variables('roleAssignmentName')]",
      "properties": {
        "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]",
        "principalId": "[parameters('principalId')]",
        "scope": "[subscription().id]"
      }
    }
  ]
}
parameters1.json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "roleDefinitionID": {
      "value": "090c5cfd-751d-490a-894a-3ce6f1109419"
    },
    "principalId": {
      "value": "xxxxxxxxxxxxx"
    }
  }
}
Deploy the template at subscription scope with PowerShell New-AzDeployment.
New-AzDeployment -Location eastus -TemplateFile C:\Users\Administrator\Desktop\template1.json -TemplateParameterFile C:\Users\Administrator\Desktop\parameters1.json
Check the portal:
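As an added example (not code from the question or the answer above): the same role granted as a resource-group deployment but scoped to the Service Bus namespace only, so the Function App gets no rights beyond that namespace, and with the assignment name derived from scope, principal and role, so a redeploy with a different principal creates a new assignment rather than trying to update an existing one (the RoleAssignmentUpdateNotPermitted error in the question). It assumes the namespace named in serviceBusName already exists in the target resource group, and that the caller is a Function App managed identity (a service principal); ARM accepts // comments in template JSON.

```jsonc
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    // Assumed: an existing Service Bus namespace in the target resource group.
    "serviceBusName": { "type": "string" },
    // Object ID of the Function App's managed identity.
    "functionAppPrincipalId": { "type": "string" }
  },
  "variables": {
    // Built-in role "Azure Service Bus Data Owner" (same GUID as in the question).
    "dataOwnerRoleId": "090c5cfd-751d-490a-894a-3ce6f1109419",
    "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('dataOwnerRoleId'))]",
    "namespaceId": "[resourceId('Microsoft.ServiceBus/namespaces', parameters('serviceBusName'))]",
    // Name is a deterministic GUID of (scope, principal, role): the same triple always
    // maps to the same assignment, a different principal gets a fresh name.
    "roleAssignmentName": "[guid(variables('namespaceId'), parameters('functionAppPrincipalId'), variables('dataOwnerRoleId'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      // Extension resource scope: the namespace itself, not the subscription.
      "scope": "[format('Microsoft.ServiceBus/namespaces/{0}', parameters('serviceBusName'))]",
      "name": "[variables('roleAssignmentName')]",
      "properties": {
        "roleDefinitionId": "[variables('roleDefinitionId')]",
        "principalId": "[parameters('functionAppPrincipalId')]",
        // Managed identities are service principals; stating the type lets the
        // assignment succeed even before the identity has replicated in the directory.
        "principalType": "ServicePrincipal"
      }
    }
  ],
  "outputs": {
    "roleAssignmentName": {
      "type": "string",
      "value": "[variables('roleAssignmentName')]"
    }
  }
}
```

Deploy it with New-AzResourceGroupDeployment against the namespace's resource group; afterwards Get-AzRoleAssignment -Scope on the namespace resource ID should list exactly one Data Owner entry for the principal.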