Use Azure policy to assign a role to a storage account

I am trying to make an Azure policy that adds an RBAC role assignment to each existing and future storage account. The code shown below works on the hard-coded hardcodedstorageaccountname and performs remediation without a problem. The next step, in order to make it work on any storage account, is that the hard-coded storage account name is replaced by some function or variable, I'd think. Am I on the right path here? Should I use another pattern? I'm kind of stuck here.

{
    "properties": {
        "displayName": "Assign Owner RBAC role for an AD group",
        "policyType": "Custom",
        "mode": "All",
        "description": "Assigns Owner RBAC role for storage account. Existing storage accounts can be remediated by triggering a remediation task.",
        "metadata": {
            "category": "Role Assignments"
        },
        "parameters": {},
        "policyRule": {
            "if": {
                "allOf": [
                    {
                        "field": "type",
                        "equals": "Microsoft.Storage/StorageAccounts"
                    }
                ]
            },
            "then": {
                "effect": "deployIfNotExists",
                "details": {
                    "type": "Microsoft.Authorization/roleAssignments",
                    "roleDefinitionIds": [
                        "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
                    ],
                    "existenceCondition": {
                        "allOf": [
                            {
                                "field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
                                "equals": "/subscriptions/cc34d277-fb3f-475c-ba74-280d3ea9ecae/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
                            },
                            {
                                "field": "Microsoft.Authorization/roleAssignments/principalId",
                                "equals": "d3e968d0-586a-4058-8f0e-d54ca380a61f"
                            },
                            {
                                "field": "Microsoft.Authorization/roleAssignments/scope",
                                "equals": "/subscriptions/cc34d277-fb3f-475c-ba74-280d3ea9ecae/resourceGroups/az104/providers/Microsoft.Storage/storageAccounts/hardcodedstorageaccountname"
                            }
                        ]
                    },
                    "deployment": {
                        "properties": {
                            "mode": "incremental",
                            "template": {
                                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                                "contentVersion": "1.0.0.0",
                                "parameters": {
                                    "adGroupId": {
                                        "type": "string",
                                        "defaultValue": "d3e968d0-586a-4058-8f0e-d54ca380a61f",
                                        "metadata": {
                                            "description": "ObjectId of an AD group"
                                        }
                                    },
                                    "contributorRbacRole": {
                                        "type": "string",
                                        "defaultValue": "/subscriptions/cc34d277-fb3f-475c-ba74-280d3ea9ecae/resourceGroups/az104/providers/Microsoft.Storage/storageAccounts/hardcodedstorageaccountname/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
                                        "metadata": {
                                            "description": "Contributor RBAC role definition ID"
                                        }
                                    }
                                },
                                "resources": [
                                    {
                                        "type": "Microsoft.Authorization/roleAssignments",
                                        "apiVersion": "2018-09-01-preview",
                                        "name": "[guid(resourceGroup().id, deployment().name)]",
                                        "scope": "/subscriptions/cc34d277-fb3f-475c-ba74-280d3ea9ecae/resourceGroups/az104/providers/Microsoft.Storage/storageAccounts/hardcodedstorageaccountname",
                                        "properties": {
                                            "roleDefinitionId": "[parameters('contributorRbacRole')]",
                                            "principalId": "[parameters('adGroupId')]"
                                        }
                                    }
                                ]
                            }
                        }
                    }
                }
            }
        }
    }
}

You can use the function

field(fieldName)

to access properties of the currently evaluated resource, as described in the official docs.

You can find a sample deployIfNotExists policy here.

Helped by the hint given by @andreas-wendl, I changed my code to this policy that assigns the Owner role to a group (d3e968d0-586a-4058-8f0e-d54ca380a61f) on every storage account:

{
    "properties": {
        "displayName": "Assign Owner RBAC role for an AD group",
        "policyType": "Custom",
        "mode": "All",
        "description": "Assigns Owner RBAC role for an AD group on every storage account. Existing storage accounts can be remediated by triggering a remediation task.",
        "metadata": {
            "category": "Role Assignments"
        },
        "parameters": {},
        "policyRule": {
            "if": {
                "allOf": [
                    {
                        "field": "type",
                        "equals": "Microsoft.Storage/StorageAccounts"
                    }
                ]
            },
            "then": {
                "effect": "deployIfNotExists",
                "details": {
                    "type": "Microsoft.Authorization/roleAssignments",
                    "roleDefinitionIds": [
                        "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
                    ],
                    "existenceCondition": {
                        "allOf": [
                            {
                                "field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
                                "like": "*/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
                            },
                            {
                                "field": "Microsoft.Authorization/roleAssignments/principalId",
                                "equals": "d3e968d0-586a-4058-8f0e-d54ca380a61f"
                            },
                            {
                                "field": "Microsoft.Authorization/roleAssignments/scope",
                                "equals": "[field('id')]"
                            }
                        ]
                    },
                    "deployment": {
                        "properties": {
                            "mode": "incremental",
                            "parameters": {
                                "saId": {
                                    "value": "[field('id')]"
                                }
                            },
                            "template": {
                                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                                "contentVersion": "1.0.0.0",
                                "parameters": {
                                    "saId": {
                                        "type": "string",
                                        "metadata": {
                                            "description": "Full Id of the storage account"
                                        }
                                    },
                                    "adGroupId": {
                                        "type": "string",
                                        "defaultValue": "d3e968d0-586a-4058-8f0e-d54ca380a61f",
                                        "metadata": {
                                            "description": "ObjectId of an AD group"
                                        }
                                    },
                                    "ownerRbacRole": {
                                        "type": "string",
                                        "defaultValue": "[concat(parameters('saId'),'/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
                                        "metadata": {
                                            "description": "Owner RBAC role definition ID"
                                        }
                                    }
                                },
                                "resources": [
                                    {
                                        "type": "Microsoft.Authorization/roleAssignments",
                                        "apiVersion": "2018-09-01-preview",
                                        "name": "[guid(resourceGroup().id, deployment().name)]",
                                        "scope": "[parameters('saId')]",
                                        "properties": {
                                            "roleDefinitionId": "[parameters('ownerRbacRole')]",
                                            "principalId": "[parameters('adGroupId')]"
                                        }
                                    }
                                ]
                            }
                        }
                    }
                }
            }
        }
    }
}
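The two definitions above differ in exactly the places a reviewer should check before assigning a deployIfNotExists policy that hands out Owner: the existence condition must look for the same role the template deploys (the first version checks for Contributor but deploys under an Owner roleDefinitionIds entry), that role must appear in roleDefinitionIds so the policy's managed identity can create it, and both scopes must come from field('id') rather than a hard-coded account. The following linter is an added example, not code from the question or the answer; make_policy, lint_policy, the zeroed subscription id and the storage account path are constructed for illustration, while the Owner and Contributor role GUIDs are the ones used on this page.

```python
import json
import re

GUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"        # Owner role id, as used on this page
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"  # Contributor role id, as used on this page
# Constructed placeholder path standing in for the hard-coded scope of the first definition
SA_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
         "/providers/Microsoft.Storage/storageAccounts/hardcodedstorageaccountname")

def make_policy(permitted, cond_role, cond_scope, deployed_role, deploy_scope):
    """Build a minimal deployIfNotExists definition with only the fields the linter reads."""
    return {"properties": {"policyRule": {"then": {"effect": "deployIfNotExists", "details": {
        "type": "Microsoft.Authorization/roleAssignments",
        "roleDefinitionIds": [f"/providers/Microsoft.Authorization/roleDefinitions/{r}" for r in permitted],
        "existenceCondition": {"allOf": [
            {"field": "Microsoft.Authorization/roleAssignments/roleDefinitionId", "like": f"*/{cond_role}"},
            {"field": "Microsoft.Authorization/roleAssignments/scope", "equals": cond_scope}]},
        "deployment": {"properties": {"template": {"resources": [{
            "type": "Microsoft.Authorization/roleAssignments", "scope": deploy_scope,
            "properties": {"roleDefinitionId": "[concat(parameters('saId'), "
             f"'/providers/Microsoft.Authorization/roleDefinitions/{deployed_role}')]"}}]}}}}}}}}

def lint_policy(policy):
    """Return a list of findings; an empty list means the definition is self-consistent."""
    details = policy["properties"]["policyRule"]["then"]["details"]
    template = details["deployment"]["properties"]["template"]
    findings, checked = [], set()
    permitted = set(re.findall(GUID, json.dumps(details["roleDefinitionIds"])))
    for cond in details["existenceCondition"].get("allOf", []):
        value = str(cond.get("equals", cond.get("like", "")))
        if cond["field"].endswith("/roleDefinitionId"):
            checked.update(re.findall(GUID, value)[-1:])  # role GUID is last in a roleDefinitionId path
        elif cond["field"].endswith("/scope") and value != "[field('id')]":
            findings.append("existenceCondition scope is hardcoded; use [field('id')]")
    # Roles the template actually deploys, wherever they appear (parameters or resources)
    deployed = set(re.findall(r"roleDefinitions/(" + GUID + ")", json.dumps(template)))
    for res in template.get("resources", []):
        if not str(res.get("scope", "")).startswith("["):
            findings.append("template resource scope is hardcoded; pass field('id') in as a parameter")
    for role in sorted(checked - deployed):
        findings.append(f"existenceCondition checks role {role} but the template deploys {sorted(deployed)}")
    for role in sorted(deployed - permitted):
        findings.append(f"template deploys role {role} that is missing from roleDefinitionIds")
    return findings

HARDCODED = make_policy([OWNER], CONTRIBUTOR, SA_ID, CONTRIBUTOR, SA_ID)          # shape of the question's policy
FIXED = make_policy([OWNER], OWNER, "[field('id')]", OWNER, "[parameters('saId')]")  # shape of the answer's policy

if __name__ == "__main__":
    for name, pol in (("hardcoded", HARDCODED), ("fixed", FIXED)):
        print(name, lint_policy(pol) or "OK")
```

Run it against a real definition with `lint_policy(json.load(open("policy.json")))`; the fixed shape returns no findings, the hard-coded shape reports both scopes and the Contributor role that the policy identity was never granted.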
