azure - 系统分配的托管标识的 Azure ARM 角色分配第一次运行失败

问题描述

我的目标是部署具有系统托管标识和该标识的角色分配的逻辑应用。优选地，这是在一个 ARM 模板中完成的。

我的设置第一次运行失败，但连续运行成功。如果我错了，请纠正我，但我认为其原因是角色分配的部署发生在逻辑应用的托管标识“准备就绪”之前，因此我第一次部署时出现以下错误模板。我第二次部署模板时没有收到此错误，可能是因为当时身份已经存在。

{
  "code": "DeploymentFailed",
  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
  "details": [
    {
      "code": "PrincipalNotFound",
      "message": "Principal *** does not exist in the directory ***."
    }
  ]
}

我的模板（为简洁起见，删除了逻辑应用定义）。在这种情况下，逻辑应用的标识需要访问位于另一个资源组中的存储帐户。

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "logicAppName": {
            "type": "string"
        },
        "storageAccountResourceGroup": {
            "type": "String"
        },
        "storageAccountName": {
            "type": "String"
        }
    },
    "variables": {
        "logicAppResourceId": "[resourceId('Microsoft.Logic/workflows', parameters('logicAppName'))]",
        "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]"
    },
    "resources": [
        {
            "type": "Microsoft.Logic/workflows",
            "apiVersion": "2017-07-01",
            "name": "[parameters('logicAppName')]",
            "location": "[resourceGroup().location]",
            "identity": {
                "type": "SystemAssigned"
            },
            "properties": {
                "state": "Enabled",
                "definition": {
                    ...    
                }
            }
        },
        {
            "type": "Microsoft.Resources/deployments",
            "name": "[concat('RoleAssignment-', parameters('logicAppName'))]",
            "apiVersion": "2020-06-01",
            "resourceGroup": "[parameters('storageAccountResourceGroup')]",
            "subscriptionId": "[subscription().subscriptionId]",
            "dependsOn": [
                "[parameters('logicAppName')]"
            ],
            "properties": {
                "mode": "Incremental",
                "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "resources": [
                        {
                            "apiVersion": "2018-09-01-preview",
                            "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
                            "name": "[concat(parameters('storageAccountName'), '/Microsoft.Authorization/', guid(subscription().subscriptionId, parameters('logicAppName')))]",
                            "properties": {
                                "roleDefinitionId": "[variables('Storage Blob Data Contributor')]",
                                "principalId": "[reference(variables('logicAppResourceId'), '2019-05-01', 'Full').identity.principalId]"
                            }
                        }
                    ]
                }
            }
        }
    ]
}

正如您在模板中看到的，我在逻辑应用本身上添加了一个dependsOn。然而，这似乎还不够。

有人对此有解决方案吗？

谢谢！

标签： azureazure-resource-managerazure-managed-identity