'Microsoft.Authorization/roleAssignments' 范围以引用来自不同资源组的存储帐户

Question

我正在使用 Azure ARM 模板创建 Azure SQL Server。 “auditingSettings”配置需要通过 Azure 存储帐户（不同的资源组）获得 SQL Server 身份的权限。我正在使用下面的示例代码来授予权限。但是模板部署失败，说明在部署SQL Server的地方找不到Storage账号，确实如此。

那么，我如何链接（引用）存在于“Microsoft.Authorization/roleAssignments”范围下的不同资源组中的存储帐户

模板截图：

"type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "name": "[parameters('roleNameGuid')]",
      **"scope": "[concat('Microsoft.Storage/storageAccounts', '/', variables('storageName'))]",**
      "dependsOn": [
          "[variables('storageName')]"
      ],
      "properties": {
        "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
        "principalId": "[parameters('principalId')]"
      }
    }

错误：

New-AzResourceGroupDeployment : 5:14:22 PM - Resource Microsoft.Authorization/roleAssignments 'cca0ed12-d67c-58cd-a569-e265bc2d5806' failed with message '{
  "error": {
    "code": "ResourceNotFound",
    "message": "The Resource 'Microsoft.Storage/storageAccounts/commonsdev' under resource group 'apis-dev' was not found. For more details please go to 
https://aka.ms/ARMResourceNotFoundFix"
  }
}'
At line:1 char:1
+ New-AzResourceGroupDeployment `
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzResourceGroupDeployment], Exception
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet
 
New-AzResourceGroupDeployment : 5:20:00 PM - Resource Microsoft.Sql/servers/auditingSettings 'apis-sqlserver-dev/Default' failed with message '{
  "status": "Failed",
  "error": {
    "code": "ResourceDeploymentFailure",
    "message": "The resource operation completed with terminal provisioning state 'Failed'.",
    "details": [
      {
        "code": "BlobAuditingInsufficientStorageAccountPermissions",
        "message": "Insufficient read or write permissions on storage account 'commonsdev'. Add permissions to the server Identity to the storage account."
      }
    ]

Answer 1

要在模板中执行角色分配，角色分配的范围必须等于或低于模板部署的范围。所以基本上，如果你想接触不同资源组中的资源，你需要部署模板做那些资源组。

如果模板的“主要”用途是 SQL，然后您想将角色分配为不同资源组中的存储范围 - 您需要将部署嵌套到该资源组，例如

    {
      "apiVersion": "2020-10-01",
      "name": "assignRole",
      "type": "Microsoft.Resources/deployments",
      "resourceGroup": "[parameters('rgName')]",
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "scope": "[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",
              "name": "[guid(parameters('roleNameGuid'))]",
              "type": "Microsoft.Authorization/roleAssignments",
              "apiVersion": "2017-05-01",
              "properties": {
                "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions/', parameters('roleDefinitionId'))]",
                "principalId": "[parameters('principalId')]"
              }
            }
          ]
        }
      }
    }

注意事项：

• Microsoft.Resources/deployments 资源的 resourceGroup 属性
• roleAssignment 上的范围属性（您拥有）
• 您必须有权在该范围内分配角色 - 您上面的第二条错误消息表明您没有（这当然是一个单独的问题

旁注，我没有“修复”您的代码，下面只是一个工作示例

有帮助吗？