This article describes how to handle the ARM Microsoft.Storage/storageAccounts/providers/roleAssignments RoleAssignmentUpdateNotPermitted error. It may be a useful reference for anyone solving the same problem.

Problem description

I'm deploying a template to a resource group that does the following (and more, but the rest isn't unusual):

  • Creates a storage account
  • Creates a Linux VM and configures it to have an MSI principal.
  • Gives the VM's MSI principal the "contributor" role on the storage account

What confuses me is how the resource name is handled. When I make the name with guid(<vm-name>) I can only deploy once.  I can deploy multiple times if I make it from the VM name and the resource group id.

The following snippet seems to work every time I deploy it. When I formed the name as a GUID based on the VM name I was able to deploy once, but after deleting the resource group and deploying a second time it failed with RoleAssignmentUpdateNotPermitted ("Tenant ID, application ID, principal ID, and scope are not allowed to be updated.") It seemed as if deleting the resource group didn't clean the right stuff. I've got things working, but I'd like to understand where the role assignment lives that its scope is outside the resource group.

<lines deleted>

"contributorRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",

"contributorRoleGuid": "b24988ac-6180-42a0-ab88-20f7382dd24c",

"swarmManagerGuid": "[guid(concat(resourceGroup().id, variables('swarmManagerVmName')))]",

<lines deleted>

            "name": "[concat(variables('storageAccountName'), '/Microsoft.Authorization/', variables('swarmManagerGuid'))]",
            "apiVersion": "[variables('apiVersionAuthorization')]",
            "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
            "dependsOn": [
                "[concat('Microsoft.Compute/virtualMachines/', variables('swarmManagerVmName'))]"
            ],

            "properties": {
                "roleDefinitionId": "[variables('contributorRole')]",
                "principalId": "[reference(concat(resourceId('Microsoft.Compute/virtualMachines/', variables('swarmManagerVmName')),'/providers/Microsoft.ManagedIdentity/Identities/default'), variables('apiVersionManagedIdentity')).principalId]",
                "scope": "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
            }
        },





Recommended answer



10-25 05:59