问使用ARM模板将角色分配给相同的安全id
EN

Stack Overflow用户

提问于 2021-05-07 08:17:48

回答 1查看 122关注 0票数 0

我有一个ARM模板，它在ResourceGroup级别上将"Reader“角色分配给一个安全组。如果我部署模板一次，它就可以工作，但是如果我重新运行模板，它就会抛出这个错误

Tenant ID, application ID, principal ID, and scope are not allowed to be updated.  (Code: RoleAssignmentUpdateNotPermitted)

模板的代码如下所示

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "principalId": {
            "type": "string",
            
            "metadata": {
                "description": "The security group ID to assign the role to"
            }
        },
          "storageName" : {
          "type" : "string",
          
          "metadata" : {
            "description" : "Name of the Storage Name"
          }
        },

     
          "Tag" : {
            "type" : "string",
            "defaultValue" : "azure-cloud-shell",
            "metadata" : {
              "description" : "Tag name for the Azure Cloud Shell"
            }
          }

          

    },
    "variables": {
        
        "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
        "guidUnique": "[uniqueString(resourceGroup().id, deployment().name)]"
        
        
         
    },
    "resources": [
        {
            "apiVersion": "2019-04-01",
            "type": "Microsoft.Storage/storageAccounts",
            "name": "[parameters('storageName')]",
            "tags" :{
               "ms-resource-usage" : "[parameters('Tag')]"
              
            },

            "location": "[resourceGroup().location]",
            "sku": {
                "name": "Standard_ZRS"
            },
            "kind": "StorageV2",
            "properties": {
               "minimumTlsVersion": "TLS1_2"
              
            }
        },
         {
          "name": "[concat(parameters('storageName'), '/default')]",
         "type":"Microsoft.Storage/storageAccounts/blobServices",
         "apiVersion":"2018-07-01",
         "properties":{
            "deleteRetentionPolicy":{
               "enabled":true,
               "days":7
            }
         },
         "dependsOn":[
            "[concat('Microsoft.Storage/storageAccounts/', parameters('storageName'))]"
         ]
      },
        
        {
            "type": "Microsoft.Authorization/roleAssignments",
            "apiVersion": "2020-04-01-preview",
            "name": "[guid('roleassingnment', variables('guidUnique'))]",
            "scope": "[concat('Microsoft.Storage/storageAccounts', '/', parameters('storageName'))]",
            "dependsOn": [
                "[parameters('storageName')]"
            ],
            "properties": {
                "roleDefinitionId": "[variables('Contributor')]",
                "principalId": "[parameters('principalId')]"
            }
        },
          {
            "type": "Microsoft.Authorization/roleAssignments",
            "apiVersion": "2018-09-01-preview",
            "name": "[concat(guid(resourceGroup().id, parameters('storageName')))]",
            "properties": {
                "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
                
                "principalId": "[parameters('principalId')]"
            }
        }
        
    ]
}

似乎ARM模板对安全性的角色分配不是幂等的。

敬请指教

azure

azure-resource-manager

回答 1

Stack Overflow用户

回答已采纳

发布于 2021-05-07 15:08:41

不允许更新角色分配。确保为每个新角色分配传递唯一的GUID。有关更多详细信息，请参阅here和here

票数 0

页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持

原文链接：

https://stackoverflow.com/questions/67427496

复制

相似问题

问使用ARM模板将角色分配给相同的安全id
EN

回答 1

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问使用ARM模板将角色分配给相同的安全idEN

回答 1

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问使用ARM模板将角色分配给相同的安全id
EN