ストレージ アカウント、BLOB ストレージを作成してから、ストレージ アカウントにロールを作成しようとしています。以下は、コード storagedeploy.json です。
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"Project": {
"type": "string",
"metadata": {
"description": "Project name"
}
},
"Environment": {
"type": "string",
"metadata": {
"description": "Project name"
}
},
"location": {
"type": "string",
"metadata": {
"description": "Location for all resources."
}
}
},
"variables": {
"storageAccountName": "[toLower(concat(parameters('Project'), parameters('Environment'), uniqueString(resourceGroup().id)))]"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-04-01",
"name": "[variables('storageAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"networkAcls": {
"bypass": "AzureServices",
"virtualNetworkRules": [],
"ipRules": [],
"defaultAction": "Allow"
},
"supportsHttpsTrafficOnly": true,
"encryption": {
"services": {
"file": {
"enabled": true
},
"blob": {
"enabled": true
}
},
"keySource": "Microsoft.Storage"
},
"accessTier": "Hot"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2019-04-01",
"name": "[concat(variables('storageAccountName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
],
"properties": {
"cors": {
"corsRules": []
},
"deleteRetentionPolicy": {
"enabled": false
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-04-01",
"name": "[concat(variables('storageAccountName'), '/default/mycompany-project123-dev-data-store-ue1')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('storageAccountName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Authorization/roleAssignments",
"name": "[guid(resourceGroup().id)]",
"apiVersion": "2019-04-01-preview",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('storageAccountName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
],
"properties": {
"roleDefinitionId": "[concat(subscription().id, '/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab')]",
"principalId": "xxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxx",
"scope": "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
}
}
]
}
実行時に、私は問題を抱えています:
PS C:\work\azure\azure-devops\resourcetemplates\staticresources> az group deployment create --resource-group myproject-devops --template-file .\storagedeploy.json
Please provide string value for 'Project' (? for help): ert
Please provide string value for 'Environment' (? for help): fds
Please provide string value for 'location' (? for help): eastus2
Deployment failed. Correlation ID: xxxx-x-x-x-x--x-xxxxxxx. {
"error": {
"code": "InvalidCreateRoleAssignmentRequest",
"message": "The request to create role assignment 'xxxx--x-x-x--x-x-x-sxxssxxx' is not valid. Role assignment scope '/subscriptions/xxxxxxxx3-xxxxxxxd-xxxxxxxd-xxe-xxxxxxxx2/resourceGroups/myproject-devops/providers/Microsoft.Storage/storageAccounts/ertfds5h4nafspjqzii' must match the scope specified on the URI '/subscriptions/xxxxxxxx3-xxxxxxxd-xxxxxxxd-xxe-xxxxxxxx2/resourcegroups/myproject-devops'."
}
}
私はググろうとしましたが、別の解決策を得ました。正確に私が行方不明です。スタックオーバーフローでこの問題を追跡しようとしました
また、次のような特定のリソースにアクセス許可を割り当てようとしています: ストレージに割り当てるには、以下のコードが正常に機能しています:
{
"type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
"name": "[concat(variables('storageAccountName'),'/Microsoft.Authorization/',guid(subscription().subscriptionId))]",
"apiVersion": "2019-04-01-preview",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('storageAccountName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
],
"properties": {
"roleDefinitionId": "[concat(resourceGroup().id, '/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab')]",
"principalId": "[parameters('principalId')]",
"scope": "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
}
}
しかし、同じように cosmosDB、redis キャッシュ、キー コンテナーを処理する必要がありますが、機能していません。以下はコードです:
コスモスDBの場合::
{
"type": "Microsoft.DocumentDB/databaseAccounts/providers/roleAssignments",
"name": "[concat(variables('cosmosDBAccountName'),'/Microsoft.Authorization/',guid(subscription().subscriptionId))]",
"apiVersion": "2019-04-01-preview",
"dependsOn": [
"[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', variables('cosmosDBAccountName'), parameters('Project'))]",
"[resourceId('Microsoft.DocumentDB/databaseAccounts', variables('cosmosDBAccountName'))]"
],
"properties": {
"roleDefinitionId": "[concat(resourceGroup().id, '/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450')]",
"principalId": "[parameters('principalId')]",
"scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts', variables('cosmosDBAccountName'))]"
}
}
Redis キャッシュの場合::
{
"type": "Microsoft.Cache/Redis/providers/roleAssignments",
"name": "[concat(variables('redisCacheName'),'/Microsoft.Authorization/',guid(subscription().subscriptionId))]",
"apiVersion": "2019-04-01-preview",
"dependsOn": [
"[resourceId('Microsoft.Cache/Redis', variables('redisCacheName'))]"
],
"properties": {
"roleDefinitionId": "[concat(resourceGroup().id, '/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17')]",
"principalId": "[parameters('principalId')]",
"scope": "[resourceId('Microsoft.Cache/Redis', variables('redisCacheName'))]"
}
}
キー コンテナーの場合:
{
"type": "Microsoft.KeyVault/vaults/providers/roleAssignments",
"name": "[concat(variables('keyVaultName'),'/Microsoft.Authorization/',guid(subscription().subscriptionId))]",
"apiVersion": "2019-04-01-preview",
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
],
"properties": {
"roleDefinitionId": "[concat(resourceGroup().id, '/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395')]",
"principalId": "[parameters('principalId')]",
"scope": "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
}
}