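Is there a way to apply RBAC rules at the resource level via ARM? I was able to add a user/role at the resource group level by following this Microsoft guide, but not on a resource. In particular, I am trying to add a new Reader role to AppInsights via ARM. However, when I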
```
"error": {
  "code": "InvalidCreateRoleAssignmentRequest",
  "message": "The request to create role assignment '{guid}' is not valid. Role assignment scope '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/Microsoft.Insights/components/{resourceGroupName}' must match the scope specified on the URI '/subscriptions/{resourceGroupName}/resourcegroups/{resourceGroupName}'."
}
```
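If the scope variable can't be changed, I would like to know what the scope variable is for. Is there somewhere else I should modify the scope to make it work?
Thanks in advance!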
You can apply RBAC rules at the resource level via ARM, and here is an example template that applies an RBAC rule on an Azure VM:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "principalId": {
      "type": "string",
      "metadata": {
        "description": "Principal ID associated with the subscription ID"
      }
    },
    "virtualMachineName": {
      "type": "string",
      "metadata": {
        "description": "Name of the virtual machine"
      }
    },
    "builtInRoleType": {
      "type": "string",
      "metadata": {
        "description": "Built In Role Type for the Virtual Machine"
      },
      "allowedValues": [
        "Owner",
        "Contributor",
        "Reader",
        "Virtual Machine Contributor"
      ]
    },
    "guid": {
      "type": "string",
      "metadata": {
        "description": "A new GUID used to identify the role"
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for all resources."
      }
    }
  },
  "variables": {
    "Owner": "[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
    "Contributor": "[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
    "Reader": "[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
    "Virtual Machine Contributor": "[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]",
    "resourceName": "[concat(parameters('virtualMachineName'), '/Microsoft.Authorization/', parameters('guid'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Compute/virtualMachines/providers/roleAssignments",
      "apiVersion": "2017-05-01",
      "name": "[variables('resourceName')]",
      "properties": {
        "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
        "principalId": "[parameters('principalId')]"
      }
    }
  ]
}
```
Hope this helps.
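
The answer's VM pattern carried over to other resource types such as the Application Insights component in the question, as an added example that is not part of the original question or answer. It goes beyond the VM case by deriving the nested `type` and `name` from any resource ID and rejecting a scope that lacks the `/providers/` segment, as the scope in the quoted error does. The function names, subscription ID, resource names and GUIDs are constructed assumptions.

```python
import json
import re

# Built-in Reader role definition GUID, as listed in the answer's template.
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
# Constructed sample values (assumptions, not taken from the page).
SUB = "00000000-0000-0000-0000-000000000000"
GOOD = f"/subscriptions/{SUB}/resourceGroups/demo-rg/providers/Microsoft.Insights/components/demo-ai"
# Same shape as the scope in the question's error: no '/providers/' segment.
BAD = f"/subscriptions/{SUB}/resourceGroups/demo-rg/Microsoft.Insights/components/demo-ai"

_RESOURCE_ID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/(?P<ns>[^/]+)/(?P<rest>.+)$", re.IGNORECASE)

def parse_resource_scope(scope):
    """Split a resource-level scope into subscription, group, type and name."""
    m = _RESOURCE_ID.match(scope)
    if not m:
        raise ValueError(f"not a resource-level scope (missing '/providers/'?): {scope}")
    parts = m.group("rest").strip("/").split("/")
    if len(parts) % 2:
        raise ValueError(f"type/name segments must come in pairs: {scope}")
    return {"subscription": m.group("sub"), "resource_group": m.group("rg"),
            "type": "/".join([m.group("ns")] + parts[0::2]),
            "name": "/".join(parts[1::2])}

def role_assignment_resource(scope, assignment_guid, principal_id, role_guid=READER):
    """Build the nested roleAssignments resource, following the answer's pattern."""
    r = parse_resource_scope(scope)
    return {
        "type": f"{r['type']}/providers/roleAssignments",
        "apiVersion": "2017-05-01",
        "name": f"{r['name']}/Microsoft.Authorization/{assignment_guid}",
        "properties": {
            "roleDefinitionId": f"/subscriptions/{r['subscription']}/providers/"
                                f"Microsoft.Authorization/roleDefinitions/{role_guid}",
            "principalId": principal_id,
        },
    }

if __name__ == "__main__":
    guid = "11111111-1111-1111-1111-111111111111"       # constructed assignment GUID
    principal = "22222222-2222-2222-2222-222222222222"  # constructed principal ID
    print(json.dumps(role_assignment_resource(GOOD, guid, principal), indent=2))
    try:
        parse_resource_scope(BAD)
    except ValueError as err:
        print("rejected:", err)
```

The printed object goes into the `resources` array of a template deployed to the resource group that contains the target resource.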