时间戳

首页 > 解决方案 > 如何在二头肌模板中定义基于身份的数据访问

azure - 如何在二头肌模板中定义基于身份的数据访问

问题描述

我有以下作为二头肌模板,我想使用基于身份的连接,如何相应地构建模板。

https://docs.microsoft.com/en-us/azure/azure-functions/functions-reference#connecting-to-host-storage-with-an-identity

我在这里使用了指导https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/quickstart-create-bicep-use-visual-studio-code?tabs=PowerShell进行部署。

New-AzResourceGroup -Name exampleRG -Location eastus

New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep -storageName "{your-unique-name}"

但是,在处理模板文件时出现错误 - Code=InvalidTemplateDeployment; Message=根据验证程序,模板部署“bicepeg”无效

var baseName = uniqueString('identityRepro', subscription().id)
var location = 'uksouth'

resource stg 'Microsoft.Storage/storageAccounts@2019-06-01' = {
  name: baseName
  location: location 
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
}

resource asp 'Microsoft.Web/serverfarms@2019-08-01' = {
  name: baseName
  location: location
  sku: {
    name: 'Y1'
    tier: 'Dynamic'
  }
}

resource ai 'Microsoft.Insights/components@2015-05-01' = {
  name: baseName
  location: location
  kind: 'web'
  properties: {
    Application_Type: 'web'
  }
}

resource fa 'Microsoft.Web/sites@2019-08-01' = {
  name: baseName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    serverFarmId: asp.id
  }
  kind: 'functionapp'

  resource appSettings 'config@2018-11-01' = {
    name: 'appsettings'
    properties: {
      'AzureWebJobsStorage__accountName': stg.name
      'FUNCTIONS_WORKER_RUNTIME': 'powershell'
      'FUNCTIONS_WORKER_RUNTIME_VERSION': '~7'
      'APPINSIGHTS_INSTRUMENTATIONKEY': ai.properties.InstrumentationKey
    }
  }
}

resource blobContrib 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid(fa.name, stg.name, 'ba92f.........d-a403-e96b0029c9fe')
  properties: {
    principalId: fa.identity.principalId
    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', 'ba92f.......-a403-e96b0029c9fe')
    principalType: 'ServicePrincipal'
  }
  scope: stg
}

标签: azurepowershellclaims-based-identityazure-bicep

解决方案

我认为你的问题是角色的身份。角色是在订阅级别定义的,而不是在资源组中。在您的代码中,resourceId 函数使用的是 subscriptionResourceId。

更新:当您在 github 问题上进一步澄清时,您的另一个问题是名称的构造方式。uniqueString函数根据种子生成一个伪随机字符串(哈希) - 您提供给函数的参数。当您给出完全相同的值时 - 您将得到相同的结果。

下面的代码对我有用

var baseName = uniqueString(resourceGroup().id)
var location = 'uksouth'

resource stg 'Microsoft.Storage/storageAccounts@2019-06-01' = {
  name: baseName
  location: location 
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
}

resource asp 'Microsoft.Web/serverfarms@2019-08-01' = {
  name: baseName
  location: location
  sku: {
    name: 'Y1'
    tier: 'Dynamic'
  }
}

resource ai 'Microsoft.Insights/components@2015-05-01' = {
  name: baseName
  location: location
  kind: 'web'
  properties: {
    Application_Type: 'web'
  }
}

resource fa 'Microsoft.Web/sites@2019-08-01' = {
  name: baseName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    serverFarmId: asp.id
  }
  kind: 'functionapp'

  resource appSettings 'config@2018-11-01' = {
    name: 'appsettings'
    properties: {
      'AzureWebJobsStorage__accountName': stg.name
      'FUNCTIONS_WORKER_RUNTIME': 'powershell'
      'FUNCTIONS_WORKER_RUNTIME_VERSION': '~7'
      'APPINSIGHTS_INSTRUMENTATIONKEY': ai.properties.InstrumentationKey
    }
  }
}

resource blobContrib 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid(fa.name, stg.name, 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
  properties: {
    principalId: fa.identity.principalId
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
    principalType: 'ServicePrincipal'
  }
  scope: stg
}

在您的代码resourceGroup().id中用作uniqueString参数 - 因为它包含订阅的唯一 guid 和资源组名称,该名称在订阅中必须是唯一的 - 您的哈希也应该是唯一的。仅提供subscription().id将为其中的订阅和资源组的所有部署生成相同的字符串。

推荐阅读