Can I apply permissions through an ARM template?

Posted 2019-01-27 09:01

In Azure, if I want to give read-access for a resource group through RBAC, can I do that through an ARM template? I know it's possible through a VSTS build step or a PS script, but is there any way to give permissions through ARM templates?

2 answers
地球回转人心会变
#2 · 2019-01-27 09:21

We can assign the permission on a resource group and its resources.

{
    "type": "Microsoft.Authorization/roleAssignments",
    "name": "[variables('roleName')]",
    "apiVersion": "[variables('authAPIVersion')]",
    "properties": {
        "roleDefinitionId": "[concat(subscription().id, '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c')]",
        "principalId": "[parameters('principalId')]",
        "scope": "[concat(subscription().id, '/resourceGroups/',resourceGroup().name)]"
    }
}

Go to this link for more details - Role-Based Access Control (RBAC)

兄弟一词,经得起流年.
#3 · 2019-01-27 09:45

No, this is not possible due to the fact that the REST call to apply permissions is something like this:

/subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/xxx

You cannot replicate subscription "level" rest calls with an ARM template yet.

Welp, contrary to everything I know, this works:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {},
    "resources": [
        {
            "type": "Microsoft.Authorization/roleAssignments",
            "name": "8446a13c-6886-46e2-a17f-9df73adb334e",
            "apiVersion": "2017-10-01-preview",
            "location": "[resourceGroup().location]",
            "properties": {
                "roleDefinitionId": "[concat(subscription().Id, '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c')]",
                "principalId": "user_guid_goes_here",
                "scope": "[resourceGroup().Id]"
            }
        }
    ]
}

This assigns the Contributor role to the user with the provided GUID (principalId) on the resource group where you deploy the template. To assign another role, get its GUID and replace the Contributor GUID (b24988ac-6180-42a0-ab88-20f7382dd24c, a well-known GUID). You can also assign permissions to a specific resource; use scope to do that (change it to a resourceId). Name has to be a new GUID.

I have no idea why this works. I will get back to you when I find out why it works.

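Both answers above show the same Microsoft.Authorization/roleAssignments resource; the following is an added, self-contained template (not code from either answerer) that turns it into something you can deploy repeatably for the original question's use case (read access on a resource group). It assumes the well-known built-in role definition IDs for Reader (acdd72a7-3385-48ef-bd42-f606fba81ae7) and Contributor (the b24988ac-... GUID quoted above), the 2020-04-01-preview API version of roleAssignments (which accepts principalType), and that the principalId you pass is the Azure AD object ID of the user, group or service principal. Instead of hand-minting a new GUID for the name on every deployment, it derives the name with guid() from the scope, principal and role, so redeploying the same template updates the existing assignment rather than failing on a duplicate name or silently creating a second one.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "comments": "Added example, not from the original answers. Assumes the well-known built-in role GUIDs below and the 2020-04-01-preview roleAssignments API; principalId must be an Azure AD object ID."
  },
  "parameters": {
    "principalId": {
      "type": "string",
      "metadata": {
        "description": "Azure AD object ID of the user, group or service principal to grant access to."
      }
    },
    "principalType": {
      "type": "string",
      "defaultValue": "User",
      "allowedValues": [ "User", "Group", "ServicePrincipal" ],
      "metadata": {
        "description": "Type of the principal; lets the assignment succeed immediately after a principal is created."
      }
    },
    "roleName": {
      "type": "string",
      "defaultValue": "Reader",
      "allowedValues": [ "Reader", "Contributor" ],
      "metadata": {
        "description": "Built-in role to assign. Reader is the least privilege that satisfies the original question."
      }
    }
  },
  "variables": {
    "builtInRoleIds": {
      "Reader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
      "Contributor": "b24988ac-6180-42a0-ab88-20f7382dd24c"
    },
    "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('builtInRoleIds')[parameters('roleName')])]",
    "assignmentName": "[guid(resourceGroup().id, parameters('principalId'), variables('roleDefinitionId'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "name": "[variables('assignmentName')]",
      "properties": {
        "roleDefinitionId": "[variables('roleDefinitionId')]",
        "principalId": "[parameters('principalId')]",
        "principalType": "[parameters('principalType')]"
      }
    }
  ],
  "outputs": {
    "roleAssignmentId": {
      "type": "string",
      "value": "[resourceId('Microsoft.Authorization/roleAssignments', variables('assignmentName'))]"
    }
  }
}
```

Deploy it at resource group scope, for example with az deployment group create --resource-group <rg> --template-file roleassignment.json --parameters principalId=<object-id>; because no scope is given, the assignment lands on the resource group the deployment targets, and a specific resource can be targeted instead by adding a resource-level "scope" set to that resource's resourceId(). The identity running the deployment needs Microsoft.Authorization/roleAssignments/write on that scope (Owner or User Access Administrator), which is the permission that should be reviewed when deciding who may run such templates: a template that can grant roles is itself a privilege-escalation path if its deployment pipeline is not controlled.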