
Error when creating a new role assignment in Azure

  •  1
  • Ramana  · Tech community  · 7 years ago

    For a given Azure subscription, I want to assign a custom role to a service principal. To do this, I first check whether the custom role definition exists in the subscription. If the role does not exist, I update the role definition's assignable scopes to include this subscription. When I then try to assign the role, I intermittently get a "RoleDefinitionDoesNotExist" error. How can I resolve this?

    # Look for the custom role in the currently selected (target) subscription
    $roleDef = Get-AzureRmRoleDefinition -Name $azureRmRole
    if ($null -eq $roleDef)
    {
        Select-AzureRmSubscription -SubscriptionName $prodSubscription
        #Role definition exists in $prodSubscription
        $newRole = Get-AzureRmRoleDefinition -Name $azureRmRole
        #$scope = '/subscriptions/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx'
        # Make the target subscription an assignable scope of the definition
        $newRole.AssignableScopes.Add($scope)
        $def = Set-AzureRmRoleDefinition -Role $newRole
        # I have verified that role definition is updated
    }
    
    # Switch back to the target subscription and assign the role to the service principal
    Select-AzureRmSubscription -SubscriptionName $SubscriptionName
    New-AzureRmRoleAssignment -RoleDefinitionName $azureRmRole -ObjectId $SPNid -Scope $scope
    

    Error:

    At C:\Untitled1.ps1:71 char:1
    + New-AzureRmRoleAssignment -RoleDefinitionName $azureRmRole -ObjectId ...
    + CategoryInfo : CloseError: (:) [New-AzureRmRoleAssignment], CloudException

    1 reply  |  7 years ago
        1
  •  0
  •   Shui shengbao    7 years ago

    You should define your custom role as follows:

    {
      "Name": "Virtual Machine Power Manager",
      "IsCustom": true,
      "Description": "Can monitor, stop, start and restart v2 ARM virtual machines.",
      "Actions": [
        "Microsoft.Storage/*/read",
        "Microsoft.Network/*/read",
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/powerOff/action",    
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Support/*"
      ],
      "NotActions": [
    
      ],
      "AssignableScopes": [
        "/subscriptions/c25b1c8e-xxxx-1111-abcd-1a12d7012123"
      ]
    }
    

    Based on your description, your role definition may be wrong; you had better check it.

    New-AzureRmRoleAssignment -ServicePrincipalName "https://shuiweb.azurewebsites.net" `
                              -RoleDefinitionName 'Virtual Machine Power Manager' `
                              -Scope '/subscriptions/*******'
    


    This blog: AZURE AUTOMATION RUNBOOKS WITH AZURE AD SERVICE PRINCIPALS AND CUSTOM RBAC ROLES will help.
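The check-then-assign flow from the question, together with the answer's advice to verify the definition's AssignableScopes before assigning, as an added example that is code from neither poster. It assumes the AzureRM module is loaded and Login-AzureRmAccount has already run, that the role definition already exists in the source subscription, and that all subscription and object ids are placeholders. The one thing it adds to the question's script is a bounded wait: after Set-AzureRmRoleDefinition widens the assignable scopes, the updated definition is polled in the target subscription until it is visible there, and the assignment itself is retried only on the RoleDefinitionDoesNotExist code (matching that code in the exception text is an assumption about the error format).

```powershell
# Added example, not the poster's or Microsoft's code. Subscription names/ids and the
# service principal object id below are placeholders.

function Ensure-RoleScope {
    # Make sure the custom role definition lists $TargetScope as an assignable scope.
    param(
        [string] $RoleName,
        [string] $SourceSubscriptionName,
        [string] $TargetSubscriptionName,
        [string] $TargetScope
    )
    Select-AzureRmSubscription -SubscriptionName $TargetSubscriptionName | Out-Null
    $roleDef = Get-AzureRmRoleDefinition -Name $RoleName
    if ($null -ne $roleDef -and $roleDef.AssignableScopes -contains $TargetScope) {
        return $roleDef   # already visible here with the right scope; nothing to change
    }

    # Pull the definition from the subscription that owns it and widen the scope.
    Select-AzureRmSubscription -SubscriptionName $SourceSubscriptionName | Out-Null
    $source = Get-AzureRmRoleDefinition -Name $RoleName
    if ($null -eq $source) { throw "Role '$RoleName' not found in $SourceSubscriptionName" }
    if ($source.AssignableScopes -notcontains $TargetScope) {
        $source.AssignableScopes.Add($TargetScope)
        Set-AzureRmRoleDefinition -Role $source | Out-Null
    }
    return $source
}

function Wait-RoleDefinitionVisible {
    # Poll the target subscription until the updated definition is readable there,
    # so the assignment is not attempted against a definition that has not propagated.
    param(
        [string] $RoleName,
        [string] $TargetSubscriptionName,
        [string] $TargetScope,
        [int] $MaxAttempts = 12,
        [int] $DelaySeconds = 10
    )
    Select-AzureRmSubscription -SubscriptionName $TargetSubscriptionName | Out-Null
    for ($i = 1; $i -le $MaxAttempts; $i++) {
        $def = Get-AzureRmRoleDefinition -Name $RoleName
        if ($null -ne $def -and $def.AssignableScopes -contains $TargetScope) { return $def }
        Write-Verbose "Attempt $i/$MaxAttempts: '$RoleName' not yet visible at $TargetScope; waiting $DelaySeconds s"
        Start-Sleep -Seconds $DelaySeconds
    }
    throw "Role definition '$RoleName' did not become visible at $TargetScope after $MaxAttempts attempts"
}

function Grant-RoleToServicePrincipal {
    # Idempotent assignment with a bounded retry on the propagation error only.
    param(
        [string] $RoleName,
        [string] $ObjectId,
        [string] $TargetScope,
        [int] $MaxAttempts = 5,
        [int] $DelaySeconds = 10
    )
    # Get-AzureRmRoleAssignment -Scope also returns inherited assignments, so filter on the exact scope.
    $existing = Get-AzureRmRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleName -Scope $TargetScope |
                Where-Object { $_.Scope -eq $TargetScope }
    if ($existing) { return $existing }

    for ($i = 1; $i -le $MaxAttempts; $i++) {
        try {
            return New-AzureRmRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleName -Scope $TargetScope
        } catch {
            # Assumption: the CloudException text carries the error code. Anything else is a real failure.
            if ($_.Exception.Message -notmatch 'RoleDefinitionDoesNotExist' -or $i -eq $MaxAttempts) { throw }
            Start-Sleep -Seconds $DelaySeconds
        }
    }
}

# Usage with placeholder values:
$targetScope = '/subscriptions/00000000-0000-0000-0000-000000000000'
$role        = 'Virtual Machine Power Manager'
Ensure-RoleScope -RoleName $role -SourceSubscriptionName 'prod-subscription' `
                 -TargetSubscriptionName 'dev-subscription' -TargetScope $targetScope | Out-Null
Wait-RoleDefinitionVisible -RoleName $role -TargetSubscriptionName 'dev-subscription' `
                           -TargetScope $targetScope -Verbose | Out-Null
Grant-RoleToServicePrincipal -RoleName $role -ObjectId '11111111-1111-1111-1111-111111111111' `
                             -TargetScope $targetScope
```

Two design points: the retry is deliberately limited to the RoleDefinitionDoesNotExist code, so an authorization failure or a genuinely wrong role name surfaces immediately rather than being masked by sleeping; and the assignment is checked for an existing entry at exactly the target scope first, which keeps re-runs from piling up duplicate assignments and keeps the service principal's grant confined to the one subscription listed in the definition's AssignableScopes.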
