在 Azure 中创建新角色分配时出错
Error while creating new role assignment in Azure
对于给定的 Azure 订阅,我想将自定义角色分配给服务主体。为了实现这一点,我首先检查订阅中是否存在自定义角色定义。如果该角色不存在,我将更新角色定义的可分配范围以包括该订阅。当我尝试分配角色时,间歇性地遇到 'RoleDefinitionDoesNotExist' 错误。我该如何解决这个问题?
我的代码:
$roleDef = Get-AzureRmRoleDefinition -Name $azureRmRole
if($roleDef -eq $null)
{
Select-AzureRmSubscription -SubscriptionName $prodSubscription
#Role definition exists in $prodSubscription
$newRole = Get-AzureRmRoleDefinition -Name $azureRmRole
#$scope = '/subscriptions/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx'
$newRole.AssignableScopes.Add($scope)
$def = Set-AzureRmRoleDefinition -Role $newRole
# I have verified that role definition is updated
}
Select-AzureRmSubscription -SubscriptionName $SubscriptionName
New-AzureRmRoleAssignment -RoleDefinitionName $azureRmRole -ObjectId $SPNid -Scope $scope
错误:
New-AzureRmRoleAssignment : The specified role definition with ID 'xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx' does not exist.
At C:\Untitled1.ps1:71 char:1
+ New-AzureRmRoleAssignment -RoleDefinitionName $azureRmRole -ObjectId ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [New-AzureRmRoleAssignment], CloudException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand
您应该像下面这样定义您的自定义角色:
{
"Name": "Virtual Machine Power Manager",
"IsCustom": true,
"Description": "Can monitor, stop, start and restart v2 ARM virtual machines.",
"Actions": [
"Microsoft.Storage/*/read",
"Microsoft.Network/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/powerOff/action",
"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Support/*"
],
"NotActions": [
],
"AssignableScopes": [
"/subscriptions/c25b1c8e-xxxx-1111-abcd-1a12d7012123"
]
}
根据你的描述,你的角色定义可能有误,你最好检查一下。
如果您想为服务主体提供自定义角色,请尝试使用以下 cmdlet。
New-AzureRmRoleAssignment -ServicePrincipalName "https://shuiweb.azurewebsites.net" `
-RoleDefinitionName 'Virtual Machine Power Manager' `
-Scope '/subscriptions/*******'
blog:AZURE AUTOMATION RUNBOOKS WITH AZURE AD SERVICE PRINCIPALS AND CUSTOM RBAC ROLES 会有帮助。
对于给定的 Azure 订阅,我想将自定义角色分配给服务主体。为了实现这一点,我首先检查订阅中是否存在自定义角色定义。如果该角色不存在,我将更新角色定义的可分配范围以包括该订阅。当我尝试分配角色时,间歇性地遇到 'RoleDefinitionDoesNotExist' 错误。我该如何解决这个问题?
我的代码:
$roleDef = Get-AzureRmRoleDefinition -Name $azureRmRole
if($roleDef -eq $null)
{
Select-AzureRmSubscription -SubscriptionName $prodSubscription
#Role definition exists in $prodSubscription
$newRole = Get-AzureRmRoleDefinition -Name $azureRmRole
#$scope = '/subscriptions/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx'
$newRole.AssignableScopes.Add($scope)
$def = Set-AzureRmRoleDefinition -Role $newRole
# I have verified that role definition is updated
}
Select-AzureRmSubscription -SubscriptionName $SubscriptionName
New-AzureRmRoleAssignment -RoleDefinitionName $azureRmRole -ObjectId $SPNid -Scope $scope
错误:
New-AzureRmRoleAssignment : The specified role definition with ID 'xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx' does not exist. At C:\Untitled1.ps1:71 char:1 + New-AzureRmRoleAssignment -RoleDefinitionName $azureRmRole -ObjectId ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : CloseError: (:) [New-AzureRmRoleAssignment], CloudException + FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand
您应该像下面这样定义您的自定义角色:
{
"Name": "Virtual Machine Power Manager",
"IsCustom": true,
"Description": "Can monitor, stop, start and restart v2 ARM virtual machines.",
"Actions": [
"Microsoft.Storage/*/read",
"Microsoft.Network/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/powerOff/action",
"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Support/*"
],
"NotActions": [
],
"AssignableScopes": [
"/subscriptions/c25b1c8e-xxxx-1111-abcd-1a12d7012123"
]
}
根据你的描述,你的角色定义可能有误,你最好检查一下。
如果您想为服务主体提供自定义角色,请尝试使用以下 cmdlet。
New-AzureRmRoleAssignment -ServicePrincipalName "https://shuiweb.azurewebsites.net" `
-RoleDefinitionName 'Virtual Machine Power Manager' `
-Scope '/subscriptions/*******'
blog:AZURE AUTOMATION RUNBOOKS WITH AZURE AD SERVICE PRINCIPALS AND CUSTOM RBAC ROLES 会有帮助。