I created a basic Bicep template to deploy an Azure Automation account. It contains a Runbook with a PowerShell script and a linked schedule. So far so good. The problem is assigning Azure roles (Owner, Contributor, Reader) to this AA's managed identity. I have all the values I need but don't know how to put them together. To assign an Azure role through a Bicep template you need the principalId of this AA's managed identity, which is very simple:
resource autaccount 'Microsoft.Automation/automationAccounts@2021-06-22'
**************************************************************************
output AutAccountPrincipalId string = autaccount.identity.principalId
My idea was to pass the value of this output to a parameter or variable and then use it in the next resource block. It turned out that I cannot pass the output as a parameter to the next resource block. Can someone help me? The question is: how do I use a value from one Bicep resource block in another resource block?
This is the Bicep template used to create the Automation account:
@description('Specifies the location for all resources.')
param location string = resourceGroup().location
var accountname = 'Snapshot'
var runbookname = 'CreateSnapshot'
var schedulename = 'SnapshotHourly'
resource autaccount 'Microsoft.Automation/automationAccounts@2021-06-22' = {
name: accountname
location: location
tags: {
test: 'true'
}
identity: {
type: 'SystemAssigned'
}
properties: {
disableLocalAuth: false
encryption: {
identity: {
}
keySource: 'Microsoft.Automation'
}
publicNetworkAccess: false
sku: {
capacity: null
family: null
name: 'Basic'
}
}
}
resource runbook1 'Microsoft.Automation/automationAccounts/runbooks@2019-06-01' = {
parent: autaccount
name: runbookname
location: location
properties: {
runbookType: 'PowerShell'
logVerbose: false
logProgress: false
logActivityTrace: 0
publishContentLink: {
uri: 'https://raw.githubusercontent.com/................'
}
}
}
resource schedule1 'Microsoft.Automation/automationAccounts/schedules@2020-01-13-preview' = {
parent: autaccount
name: schedulename
properties: {
startTime: '23:30'
expiryTime: ''
interval: 1
frequency: 'Hour'
timeZone: 'Europe/Riga'
}
}
resource link 'Microsoft.Automation/automationAccounts/jobSchedules@2020-01-13-preview' = {
name: guid('xxx05')
parent: autaccount
dependsOn: [
runbook1
]
properties: {
parameters: {}
runbook: {
name: runbookname
}
schedule: {
name: schedulename
}
}
}
output AutAccountPrincipalId string = autaccount.identity.principalId
The last resource block, which actually assigns the Azure role to the MI, is as follows:
@description('The principal to assign the role to')
param principalId string = 'abc897c3-ac9a-42e6-bc3f-xxxxxxxxxxxx'
@description('Built-in role to assign')
@allowed([
'Owner'
'Contributor'
'Reader'
])
//param builtInRoleType string = 'Owner'
@description('A new GUID used to identify the role assignment')
param roleNameGuid string = newGuid()
var Owner = '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
//var Contributor = '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
//var Reader = '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7'
resource roleassignment 'Microsoft.Authorization/roleAssignments@2020-08-01-preview' = {
name: roleNameGuid
properties: {
principalId: principalId
roleDefinitionId: Owner
}
}
I got the principalID value manually from the Portal, but for automation it needs to be passed from the block above, from the output above, or by some other means. Can anyone help? Thanks in advance!
The updated code is:
@description('Specifies the location for all resources.')
param location string = resourceGroup().location
var accountname = 'SnapshotMgmtv11'
var runbookname = 'Create11'
var schedulename = 'SnapshotHourly11'
resource autaccount 'Microsoft.Automation/automationAccounts@2021-06-22' = {
name: accountname
location: location
tags: {
test: 'true'
}
identity: {
type: 'SystemAssigned'
}
properties: {
disableLocalAuth: false
encryption: {
identity: {
}
keySource: 'Microsoft.Automation'
}
publicNetworkAccess: false
sku: {
capacity: null
family: null
name: 'Basic'
}
}
}
resource runbook1 'Microsoft.Automation/automationAccounts/runbooks@2019-06-01' = {
parent: autaccount
name: runbookname
location: location
properties: {
runbookType: 'PowerShell'
logVerbose: false
logProgress: false
logActivityTrace: 0
publishContentLink: {
uri: 'https://raw.githubusercontent.com/..................'
}
}
}
resource schedule1 'Microsoft.Automation/automationAccounts/schedules@2020-01-13-preview' = {
parent: autaccount
name: schedulename
properties: {
startTime: '08:30'
expiryTime: ''
interval: 1
frequency: 'Hour'
timeZone: 'Europe/Riga'
}
}
resource link 'Microsoft.Automation/automationAccounts/jobSchedules@2020-01-13-preview' = {
name: guid('riniv011')
parent: autaccount
dependsOn: [
runbook1
]
properties: {
parameters: {}
runbook: {
name: runbookname
}
schedule: {
name: schedulename
}
}
}
@description('A new GUID used to identify the role assignment')
param roleNameGuid string = newGuid()
//var Owner = '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
var Contributor = '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
//var Reader = '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7'
resource roleassignment 'Microsoft.Authorization/roleAssignments@2020-08-01-preview' = {
name: roleNameGuid
dependsOn: [
autaccount
]
properties: {
principalId: autaccount.identity.principalId
roleDefinitionId: Contributor
}
}
Reply from a uj5u.com user:
If you are deploying the role assignment at resource group scope, then you can use the following:
I tested it: it only creates the Automation account and assigns the Owner role in the resource group to the Automation account's system-assigned identity.
param location string = resourceGroup().location
var accountname = 'Snapshot'
resource autaccount 'Microsoft.Automation/automationAccounts@2021-06-22' = {
name: accountname
location: location
tags: {
test: 'true'
}
identity: {
type: 'SystemAssigned'
}
properties: {
disableLocalAuth: false
encryption: {
identity: {
}
keySource: 'Microsoft.Automation'
}
publicNetworkAccess: false
sku: {
capacity: null
family: null
name: 'Basic'
}
}
}
param roleNameGuid string = guid('Owner')
var Owner = '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
resource roleassignment 'Microsoft.Authorization/roleAssignments@2020-08-01-preview' = {
name: roleNameGuid
properties: {
principalId: autaccount.identity.principalId
roleDefinitionId: Owner
principalType:'ServicePrincipal'
}
}
Output: (deployment output screenshot not included on the page)
Update:
For the following error: (error screenshot not included on the page)
Please add principalType:'ServicePrincipal' in the role assignment block, as I updated in the code above.
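As an added example (not the asker's or the answerer's code), the answer's pattern generalized: the role is chosen by a constrained parameter and looked up from an object instead of commenting variables in and out, the assignment name is derived with guid() from the scope, the identity and the role so redeployments are idempotent (newGuid() produces a fresh name on every run), and principalType is set as the answer recommends. The account name, the Reader default and the minimal account properties are assumptions.

```bicep
@description('Location for all resources.')
param location string = resourceGroup().location

@description('Name of the Automation account (assumed value).')
param accountName string = 'Snapshot'

@description('Built-in role to grant the identity at resource group scope; Reader is the least-privileged default.')
@allowed([
  'Owner'
  'Contributor'
  'Reader'
])
param builtInRoleType string = 'Reader'

// Built-in role definition GUIDs from the post, looked up by name.
var roleDefinitionIds = {
  Owner: '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
  Contributor: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
  Reader: 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
}
var roleDefinitionId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionIds[builtInRoleType])

resource autaccount 'Microsoft.Automation/automationAccounts@2021-06-22' = {
  name: accountName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    sku: {
      name: 'Basic'
    }
  }
}

// Deterministic name: the same scope, identity and role always map to the
// same assignment, so a second deployment updates rather than duplicates it.
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-08-01-preview' = {
  name: guid(resourceGroup().id, autaccount.id, roleDefinitionId)
  scope: resourceGroup()
  properties: {
    // Referencing the resource symbol creates the dependency; no dependsOn needed.
    principalId: autaccount.identity.principalId
    roleDefinitionId: roleDefinitionId
    // Declaring the type avoids lookup failures while a new identity replicates.
    principalType: 'ServicePrincipal'
  }
}

output principalId string = autaccount.identity.principalId
output assignedRole string = builtInRoleType
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep --parameters builtInRoleType=Contributor` to pick a different role without editing the template.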
Please credit the source when reposting. Link to this article: https://www.uj5u.com/qukuanlian/367674.html
