azure - Assigning multiple Azure Functions roles to the same storage account in an ARM template
Problem description
I have been trying to update an ARM template that creates a resource stack on Azure.
I am trying to add the Functions as Reader and Data Access assignments to the storage account. Adding just one works fine, although even that took a while to get working. When I try to add multiple, my template does not even validate, because of this error:
"code":"InvalidTemplate","message":"Deployment template validation failed: 'The resource 'Microsoft.Storage/storageAccounts/strgegitestv2qaeu/providers/Microsoft.Authorization/roleAssignments/3273386b-cde7-5e43-a242-a64d4ed23bee' at line '208' and column '9' is defined multiple times in a template. Please see https://aka.ms/arm-template/#resources for usage details.'.","additionalInfo":[{"type":"TemplateViolation","info":{"lineNumber":208,"linePosition":9,"path":"properties.template.resources[1]"}}]}
Now I believe I understand why this happens: I am basically calling the same roleAssignment multiple times, and what I think I should do is create a GUID for each function's service identity and call them. The problem is that I am not sure exactly how to do that, and I cannot find enough information in the documentation or anywhere online. Here is a snippet of my ARM template:
"variables": {
    "storageAccountName": "[concat('strg', variables('commonId'))]",
    "readeranddataaccess": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]",
    "servicekeyoperatorrole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]",
    "TestVariable": "[concat(variables('storageAccountName'),'/Microsoft.Authorization/',guid(subscription().subscriptionId))]"
},
"resources": [
    {
        "type": "Microsoft.Storage/storageAccounts",
        "apiVersion": "2020-08-01-preview",
        "name": "[variables('storageAccountName')]",
        "location": "[variables('location')]",
        "sku": {
            "name": "Standard_RAGRS",
            "tier": "Standard"
        },
        "kind": "StorageV2",
        "properties": {
            "minimumTlsVersion": "TLS1_2",
            "allowBlobPublicAccess": true,
            "allowSharedKeyAccess": true,
            "networkAcls": {
                "bypass": "AzureServices",
                "virtualNetworkRules": [],
                "ipRules": [],
                "defaultAction": "Allow"
            },
            "supportsHttpsTrafficOnly": true,
            "encryption": {
                "services": {
                    "file": {
                        "keyType": "Account",
                        "enabled": true
                    },
                    "blob": {
                        "keyType": "Account",
                        "enabled": true
                    }
                },
                "keySource": "Microsoft.Storage"
            },
            "accessTier": "Hot"
        }
    },
    {
        "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
        "apiVersion": "2020-04-01-preview",
        "name": "[concat(variables('TestVariable'))]",
        "properties": {
            "roleDefinitionId": "[variables('readeranddataaccess')]",
            "principalId": "[reference(resourceId('Microsoft.Web/sites', variables('functionName1')), '2018-02-01', 'Full').identity.principalId]",
            "principalType": "ServicePrincipal"
        }
    },
    {
        "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
        "apiVersion": "2020-04-01-preview",
        "name": "[concat(variables('TestVariable'))]",
        "properties": {
            "roleDefinitionId": "[variables('readeranddataaccess')]",
            "principalId": "[reference(resourceId('Microsoft.Web/sites', variables('functionName2')), '2018-02-01', 'Full').identity.principalId]",
            "principalType": "ServicePrincipal"
        }
    },
    {
        "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
        "apiVersion": "2020-04-01-preview",
        "name": "[concat(variables('TestVariable'))]",
        "properties": {
            "roleDefinitionId": "[variables('readeranddataaccess')]",
            "principalId": "[reference(resourceId('Microsoft.Web/sites', variables('functionName3')), '2018-02-01', 'Full').identity.principalId]",
            "principalType": "ServicePrincipal"
        }
    },
    {
        "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
        "apiVersion": "2020-04-01-preview",
        "name": "[concat(variables('TestVariable'))]",
        "properties": {
            "roleDefinitionId": "[variables('readeranddataaccess')]",
            "principalId": "[reference(resourceId('Microsoft.Web/sites', variables('functionName4')), '2018-02-01', 'Full').identity.principalId]",
            "principalType": "ServicePrincipal"
        }
    }
]
If that is indeed the issue, how can I create a GUID for each of the system-managed identities of my Functions and use them as the "name" of my role assignments?
Solution
The name of your roleAssignment needs to be unique in the tenant - based on the principal, role and scope of the assignment. In your case you can do something like:
guid(resourceId('Microsoft.Web/sites', variables('functionName1')), resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), variables('readeranddataaccess'))
Note that variables('functionName1') will match the principal - so functionName1, functionName2, ... as needed for each role assignment.
Does that help?
OK, try this (it is relatively new and intended to simplify the splitting problem):
"variables": {
    "raNameFunctionApp1": "[guid(resourceId('Microsoft.Web/sites', variables('functionName1')), resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), variables('readeranddataaccess'))]"
},
...
{
    "scope": "[concat('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]",
    "type": "Microsoft.Authorization/roleAssignments",
    "apiVersion": "2020-04-01-preview",
    "name": "[variables('raNameFunctionApp1')]",
    "properties": {
        "roleDefinitionId": "[variables('readeranddataaccess')]",
        "principalId": "[reference(resourceId('Microsoft.Web/sites', variables('functionName1')), '2018-02-01', 'Full').identity.principalId]",
        "principalType": "ServicePrincipal"
    }
},
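Added example, not part of the question or the answer above: a complete ARM template that generalises the answer's single role assignment into a copy loop over an array of function app names, so one resource declaration produces one assignment per function. Each assignment's name is guid(principal, scope, role), which is exactly what makes the names distinct per function and deterministic across redeployments, unlike the question's guid(subscription().subscriptionId), which yields the same GUID four times. The parameter names (storageAccountName, functionAppNames, roleDefinitionId), the copy loop name functionRoleAssignments and the sample function app names are assumptions made for this example; the function apps are assumed to already exist in the same resource group with a system-assigned identity. The role defaults to the Reader and Data Access GUID from the question, but because that role includes the listKeys action, passing a narrower data-plane role is the least-privilege choice when the functions only need to read or write data.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": {
      "type": "string",
      "metadata": { "description": "Assumed name of the storage account created by this template." }
    },
    "functionAppNames": {
      "type": "array",
      "defaultValue": [ "func-app-1", "func-app-2", "func-app-3", "func-app-4" ],
      "metadata": { "description": "Constructed sample: existing function apps in this resource group with a system-assigned identity." }
    },
    "roleDefinitionId": {
      "type": "string",
      "defaultValue": "c12c1c16-33a1-487b-954d-41c89c60f349",
      "metadata": { "description": "Built-in role GUID. Default is Reader and Data Access (from the question); prefer a narrower data-plane role where that is all the functions need." }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]"
    }
  },
  "variables": {
    "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
    "roleDefinitionResourceId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2021-04-01",
      "name": "[parameters('storageAccountName')]",
      "location": "[parameters('location')]",
      "sku": { "name": "Standard_LRS" },
      "kind": "StorageV2",
      "properties": {
        "minimumTlsVersion": "TLS1_2",
        "supportsHttpsTrafficOnly": true,
        "allowBlobPublicAccess": false
      }
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "scope": "[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",
      "name": "[guid(resourceId('Microsoft.Web/sites', parameters('functionAppNames')[copyIndex()]), variables('storageAccountId'), variables('roleDefinitionResourceId'))]",
      "copy": {
        "name": "functionRoleAssignments",
        "count": "[length(parameters('functionAppNames'))]"
      },
      "dependsOn": [
        "[variables('storageAccountId')]"
      ],
      "properties": {
        "roleDefinitionId": "[variables('roleDefinitionResourceId')]",
        "principalId": "[reference(resourceId('Microsoft.Web/sites', parameters('functionAppNames')[copyIndex()]), '2018-02-01', 'Full').identity.principalId]",
        "principalType": "ServicePrincipal"
      }
    }
  ],
  "outputs": {
    "roleAssignmentNames": {
      "type": "array",
      "copy": {
        "count": "[length(parameters('functionAppNames'))]",
        "input": "[guid(resourceId('Microsoft.Web/sites', parameters('functionAppNames')[copyIndex()]), variables('storageAccountId'), variables('roleDefinitionResourceId'))]"
      }
    }
  }
}
```

Deploy it with az deployment group create --resource-group <rg> --template-file <file> --parameters <parameters file>, then confirm with az role assignment list --scope <storage account resource id> that exactly one assignment per function app exists. Three points worth keeping in mind: guid() is deterministic for the same inputs, so a second deployment updates the existing assignments instead of failing; because the name encodes principal, scope and role, changing any of them produces a new assignment rather than a conflict on an existing name; and setting principalType to ServicePrincipal (as the answer does) avoids the PrincipalNotFound failure that occurs when a freshly created identity has not yet replicated. If the function apps are created in the same template, add their resource IDs to dependsOn so the identity exists before reference() is evaluated.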