Azure：通过 ARM 模板将角色分配给存储容器

Question

我正在尝试通过 arm 模板将角色“Storage Blob Data Contributor (Preview)”分配给特定的存储容器。但我就是想不出正确的语法。

这就是我所拥有的：

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "principalId": {
            "type": "string",
            "metadata": {
                "description": "The principal to assign the role to"
            }
        },
        "builtInRoleType": {
            "type": "string",
            "allowedValues": [
                "Contributor",
                "Reader",
                "StorageBlobDataContributor"
            ],
            "metadata": {
                "description": "Built-in role to assign"
            }
        }
    },
    "variables": {
        "apiVersion": "2017-05-01",
        "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
        "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
        "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
        "StorageBlobDataContributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
        "TestVariable": "[concat('STORAGEACCOUNTNAME','/Microsoft.Authorization/',guid(subscription().subscriptionId))]"
    },
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
            "apiVersion": "[variables('apiVersion')]",
            "name": "[variables('TestVariable')]",
            "properties": {
                "roleDefinitionId": "[variables('Reader')]",
                "principalId": "[parameters('principalId')]"
            }
        },
        {
            "type": "Microsoft.Storage/storageAccounts/STORAGEACCOUNTNAME/blobServices/containers/blobCONTAINERNAME/providers/Microsoft.Authorization/roleAssignments",
            "apiVersion": "[variables('apiVersion')]",
            "name": "STORAGEACCOUNTNAME/blobServices/containers/default/blobCONTAINERNAME/Microsoft.Authorization/NEW-GUID",
            "properties": {
                "roleDefinitionId": "[variables('StorageBlobDataContributor')]",
                "principalId": "[parameters('principalId')]"
            }
        }
    ],
    "outputs": {}
}

我可以成功地将读者角色附加到存储帐户本身。 但是对于容器，我收到以下错误：

    new-AzResourceGroupDeployment : 09:21:24 - Error: Code=InvalidTemplate; Message=Deployment template validation failed: 'The template resource
'STORAGEACCOUNTNAME/blobServices/containers/CONTAINERNAME/Microsoft.Authorization/GUID' for type
'Microsoft.Storage/storageAccounts/STORAGEACCOUNTNAME/blobServices/default/containers/CONTAINERNAME/providers/Microsoft.Authorization/roleAssignments' at line '44' and column '9' has incorrect
segment lengths. A nested resource type must have identical number of segments as its resource name. A root resource type must have segment length one greater than its resource name. Please see
https://aka.ms/arm-template/#resources for usage details.'.

我尝试了很多方法来尝试附加角色，以至于我没有想法。 有人可以帮我吗？

Answer 1

使用Erik's answer above（我当然赞成，谢谢 Erik！），我能够解决类似问题的 RBAC 权限使用 ARM 模板的存储帐户的队列。

这是一个示例 ARM 模板，用于将发件人角色添加到存储帐户的单个队列...

<..snip..>
"parameters": {
    "PrincipalId": {
        "type": "string",
        "minLength": 36,
        "maxLength": 36
    }
},
"variables": {
    "SubscriptionId": "[concat('/subscriptions/', subscription().subscriptionId)]",
    "RoleDefinitions": "[concat(variables('SubscriptionId'), '/providers/Microsoft.Authorization/roleDefinitions/')]",
    "QueueSenderRole": "c6a89b2d-59bc-44d0-9896-0f6e12d7b80a"
},
"resources": [        
    {
        "type": "Microsoft.Storage/storageAccounts/queueServices/queues/providers/roleAssignments",
        "name": "mystorageaccount/default/myqueue/Microsoft.Authorization/00000000-1234-0000-5678-000000000000", // NB example only; pick an idempotent but unique value
        "apiVersion": "2018-09-01-preview",
        "properties": {
            "roleDefinitionId": "[concat(variables('RoleDefinitions'), variables('QueueSenderRole'))]",
            "principalId": "[parameters('PrincipalId')]"
        }
    }
]

Answer 2

你需要构造这样的东西：

resourceId/Microsoft.Authorization/roleAssignments/NEW-GUID

并且resourceId通常被构造为

type: provider/namespace
name: name

provider/namespace/name

例如，对于子网，它会是（注意它从每条线依次取 1 个段，除了第一个，第一个总是 2 个段）：

type: microsoft.network/virtualnetworks/subnets
name: vnetName/subnetName

microsoft.network/virtualnetworks/vnetName/subnets/subnetName

如果可能的话，它看起来像这样：

"type": "Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments",
"name": "STORAGEACCOUNTNAME/default/CONTAINERNAME/Microsoft.Authorization/NEW-GUID"

Microsoft.Storage/storageAccounts/STORAGEACCOUNTNAME/containers/CONTAINERNAME/providers/Microsoft.Authorization/roleAssignments/NEW-GUID

Answer 3

做了一些小调整：

"type": "Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments",
"name": "STORAGEACCOUNTNAME/default/CONTAINERNAME/Microsoft.Authorization/NEW-GUID"

这样我可以在容器本身上分配角色。感谢 4c74356b41 为我指明了正确的方向