Can I apply permissions through an ARM template?

Published 2019-01-27 08:55

Question:

In Azure, if I want to give read-access for a resource group through RBAC, can I do that through an ARM template? I know it's possible through a VSTS build step or a PS script, but is there any way to give permissions through ARM templates?

Answer 1:

No, this is not possible, because the REST call to apply permissions is something like this:

/subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/xxx

You cannot replicate subscription "level" rest calls with an ARM template yet.

Welp, contrary to everything I know, this works:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {},
    "resources": [
        {
            "type": "Microsoft.Authorization/roleAssignments",
            "name": "8446a13c-6886-46e2-a17f-9df73adb334e",
            "apiVersion": "2017-10-01-preview",
            "location": "[resourceGroup().location]",
            "properties": {
                "roleDefinitionId": "[concat(subscription().Id, '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c')]",
                "principalId": "user_guid_goes_here",
                "scope": "[resourceGroup().Id]"
            }
        }
    ]
}

This assigns the Contributor role to the user with the provided GUID (principalId) on the resource group where you deploy the template. To assign another role, get its GUID and replace the Contributor GUID (b24988ac-6180-42a0-ab88-20f7382dd24c - a well-known GUID). You can also assign permissions to a specific resource. Use scope to do that (change it to the resourceId). Name has to be a new GUID.

I have no idea why this works, I will get back to you when I find out why it works.
Answer 2:

We can assign the permission on resource group and its resources.

{
    "type": "Microsoft.Authorization/roleAssignments",
    "name": "[variables('roleName')]",
    "apiVersion": "[variables('authAPIVersion')]",
    "properties": {
        "roleDefinitionId": "[concat(subscription().id, '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c')]",
        "principalId": "[parameters('principalId')]",
        "scope": "[concat(subscription().id, '/resourceGroups/',resourceGroup().name)]"
    }     
}

Go to this link for more details - Role-Based Access Control (RBAC)
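Both answers scope the assignment to the whole resource group. Answer 1 mentions that the scope can instead be a single resource; the template below is an added example (not code from either answer) showing that narrower, least-privilege form: it creates a storage account and grants only Storage Blob Data Reader on that one account, using the role assignment's scope property and a dependsOn so the account exists before the assignment is attempted. Parameter names and the storage account settings are assumptions; 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1 is the built-in Storage Blob Data Reader role definition ID.

```json
{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "storageAccountName": { "type": "string", "minLength": 3, "maxLength": 24 },
        "principalId": { "type": "string" },
        "principalType": {
            "type": "string",
            "defaultValue": "ServicePrincipal",
            "allowedValues": [ "User", "Group", "ServicePrincipal" ]
        }
    },
    "variables": {
        // Built-in Storage Blob Data Reader: data-plane read only, no control-plane rights on the account.
        "blobDataReaderRoleId": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
        "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
        // Name derived from the resource, principal and role so redeployments stay idempotent.
        "assignmentName": "[guid(variables('storageAccountId'), parameters('principalId'), variables('blobDataReaderRoleId'))]"
    },
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2022-09-01",
            "name": "[parameters('storageAccountName')]",
            "location": "[resourceGroup().location]",
            "sku": { "name": "Standard_LRS" },
            "kind": "StorageV2",
            "properties": {
                "minimumTlsVersion": "TLS1_2",
                "supportsHttpsTrafficOnly": true,
                "allowBlobPublicAccess": false
            }
        },
        {
            "type": "Microsoft.Authorization/roleAssignments",
            "apiVersion": "2022-04-01",
            // Extension-resource scope: "<namespace>/<type>/<name>" of the resource being protected.
            "scope": "[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",
            "name": "[variables('assignmentName')]",
            "dependsOn": [ "[variables('storageAccountId')]" ],
            "properties": {
                "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('blobDataReaderRoleId'))]",
                "principalId": "[parameters('principalId')]",
                "principalType": "[parameters('principalType')]"
            }
        }
    ]
}
```

Because the assignment is scoped to the storage account rather than the resource group, the principal gets no visibility into other resources deployed alongside it, and removing the account removes the assignment with it.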