How to grant permission to deploy only to a specific slot?

Problem description

I have a web app with deployment slots in Azure. The app is placed in an ASE. I need a service principal (app registration) in Azure AD that has permission to deploy only to a specific slot, not to the whole web app.

I created a service principal with a Contributor role assignment only for the TEST slot. This service principal has no access to the whole web app; it has no role there.

When deploying to the TEST slot I get the following error:

az login --service-principal --username XXX-XXX-XXX-XXX-XXX --password ... --tenant XXX-XXX-XXX-XXX-XXX

az webapp deployment source config-zip --resource-group myresgroup --name mywebapp --src archive.zip --slot test

ERROR: AuthorizationFailed - The client 'XXX-XXX-XXX-XXX-XXX' with object id 'XXX-XXX-XXX-XXX-XXX' 
does not have authorization to perform action 'Microsoft.Web/sites/publishxml/action' 
over scope '/subscriptions/XXX-XXX-XXX-XXX-XXX/resourceGroups/myresgroup/providers/Microsoft.Web/sites/mywebapp' 
or the scope is invalid. 
If access was recently granted, please refresh your credentials.

Is it possible to grant permission to deploy only to a specific slot?

Tags: azure-active-directory, azure-web-app-service

Solution

The solution is to define a custom role that allows only the Microsoft.Web/sites/publishxml/Action operation.

I call the role Publishing profile reader.

  1. Create the Publishing profile reader role at the web app level.

The Publishing profile reader role was copied from the Contributor role; here is the JSON definition:

{
    "properties": {
        "roleName": "Publishing profile reader",
        "description": "Role has permission to read website publishing profile.",
        "assignableScopes": [
            "/subscriptions/xxx-xxx-xxx-xxx/resourceGroups/myresgroup/providers/Microsoft.Web/sites/mywebapp"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Web/sites/publishxml/Action"
                ],
                "notActions": [
                    "Microsoft.Authorization/*/Delete",
                    "Microsoft.Authorization/*/Write",
                    "Microsoft.Authorization/elevateAccess/Action",
                    "Microsoft.Blueprint/blueprintAssignments/write",
                    "Microsoft.Blueprint/blueprintAssignments/delete",
                    "Microsoft.Compute/galleries/share/action"
                ],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

  2. Then assign this custom Publishing profile reader role, on the main web app, to the service principal used for slot deployment.

  3. Assign the Contributor role to that service principal at the slot level.

As a result, this service principal can deploy to the slot but has no permission to deploy to production.
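The three steps of the answer as an az CLI script, added here as an example that is not part of the original answer. The subscription id and service principal id are placeholders, and the role JSON is the same definition rewritten in the format `az role definition create` accepts; without APPLY set the script only prints the commands it would run.

```shell
# Constructed values: replace with your own (the placeholders are not from the page).
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-<subscription-id>}"
RESOURCE_GROUP="${RESOURCE_GROUP:-myresgroup}"
WEBAPP="${WEBAPP:-mywebapp}"
SLOT="${SLOT:-test}"
SP_APP_ID="${SP_APP_ID:-<service-principal-app-id>}"
ROLE_NAME="Publishing profile reader"

# Scope of the parent web app: where the custom role is created and assigned.
webapp_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Web/sites/%s' "$1" "$2" "$3"
}

# Scope of one deployment slot: the only place the service principal gets Contributor.
slot_scope() {
  printf '%s/slots/%s' "$(webapp_scope "$1" "$2" "$3")" "$4"
}

# Role definition in the format `az role definition create` accepts. Actions holds only
# publishxml; the NotActions copied from Contributor in the portal export are omitted
# because they subtract nothing from a single granted action.
role_definition_json() {
  cat <<EOF
{
  "Name": "$ROLE_NAME",
  "Description": "Role has permission to read website publishing profile.",
  "Actions": [ "Microsoft.Web/sites/publishxml/Action" ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [ "$(webapp_scope "$1" "$2" "$3")" ]
}
EOF
}

# The three steps; prints the az commands instead of running them unless APPLY is set.
apply_roles() {
  app=$(webapp_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$WEBAPP")
  slot=$(slot_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$WEBAPP" "$SLOT")
  tmp=$(mktemp) && role_definition_json "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$WEBAPP" >"$tmp"
  run() { if [ -n "${APPLY:-}" ]; then "$@"; else printf '%s\n' "$*"; fi; }
  run az role definition create --role-definition "@$tmp"
  run az role assignment create --assignee "$SP_APP_ID" --role "$ROLE_NAME" --scope "$app"
  run az role assignment create --assignee "$SP_APP_ID" --role Contributor --scope "$slot"
  # Check: expect the custom role at the app scope and Contributor only at the slot scope.
  run az role assignment list --assignee "$SP_APP_ID" --all --output table
  rm -f "$tmp"
}
apply_roles
```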

