Assign Roles to multiple users and System Identity using PowerShell?
I have a requirement to assign Azure roles to multiple users at subscription scope, and the Reader role to a managed identity on a storage account.
1. Assign Azure RBAC roles to multiple users
2. Assign a system-assigned managed identity to an existing virtual machine, with the Reader role
Here is the script.
# Principal ID of the VM's system-assigned identity
$vm = (Get-AzVM -ResourceGroupName <ResourceGroupName> -Name <VMName>).Identity.PrincipalId
# Reader on a single storage account
New-AzRoleAssignment -ObjectId <ObjectId> -RoleDefinitionName "Reader" -Scope "/subscriptions/<Id>/resourceGroups/<ResourceGroupName>/providers/Microsoft.Storage/storageAccounts/<storageaccount>"
# Role for one user at subscription scope
New-AzRoleAssignment -ObjectId <ID> -RoleDefinitionName <RBACRole> -Scope "/subscriptions/<ID>"
The script is working, but I need to assign the same roles to multiple users.
Assign Azure RBAC roles to multiple users:
To assign roles to multiple users at the same time, simply form a group by adding the users who need the "Reader" role assignment.
Created a group under AzureAD -> Groups:
New-AzRoleAssignment -ObjectId <ObjectId of group> -RoleDefinitionName "Reader" -Scope "/subscriptions/<subscriptionID>/resourceGroups/xxxxRG/..." # Give the scope of the resource as per the requirements.
Output:
- Assign system assigned managed identity to existing Virtual Machine:
Previously, the system-assigned identity status was Off:
If no particular role is needed, you can directly update the VM configuration/identity using the commands below:
$vminfo = Get-AzVM -ResourceGroupName xxxxxxRG -Name xxxxVM
Update-AzVM -ResourceGroupName xxxxxxRG -VM $vminfo -IdentityType SystemAssigned
The system-assigned identity status is "On" now:
- Assign system assigned managed identity to existing Virtual Machine, Role Reader:
Using PowerShell, you may configure identities for the appropriate app roles under App Services. To work with VMs, use the Azure CLI command az vm identity to assign the system-assigned identity as shown here:
az vm identity assign -g xxxxResourceGroup -n xxxxVirtualMachineName --role Reader --scope /subscriptions/<subscriptionID>/resourceGroups/xxxxRG
Assigned:
Updated:
SID=$(az resource list -n newVM --query [*].identity.principalId --out tsv)
az role assignment create --assignee $SID --role 'Reader' --scope /subscriptions/<subscriptionID>/resourceGroups/xxxxRG/providers/Microsoft.Storage/storageAccounts/<storageaccount>
New-AzRoleAssignment -ObjectId <ObjectId of group> -RoleDefinitionName "Reader" -Scope "/subscriptions/<subscriptionID>/resourceGroups/xxxxRG/providers/Microsoft.Storage/storageAccounts/<storageaccount>"
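The whole procedure from the answer above, put together as one PowerShell script. This is an added example, not code from the original question or answer; it assumes the Az.Accounts, Az.Resources, Az.Compute and Az.Storage modules are installed and Connect-AzAccount has been run, and every name in the param block (resource group, VM, storage account, group name, the two sample UPNs) is a placeholder. The Grant-RoleOnce helper is added here to make the role assignments idempotent and to ride out the directory replication delay that makes New-AzRoleAssignment fail on a freshly created identity:

```powershell
# Added example (not from the original post). Assumes Connect-AzAccount has been run
# and the Az.Accounts, Az.Resources, Az.Compute and Az.Storage modules are installed.
# All names below are placeholders, not values from the original page.
#Requires -Modules Az.Accounts, Az.Resources, Az.Compute, Az.Storage
param(
    [string]$ResourceGroup  = 'xxxxRG',
    [string]$VMName         = 'xxxxVM',
    [string]$StorageAccount = 'xxxxstorage',
    [string]$GroupName      = 'rbac-subscription-readers',               # assumed group name
    [string[]]$UserUpns     = @('alice@contoso.com', 'bob@contoso.com'),  # constructed sample users
    [string]$UserRole       = 'Reader'
)

$ErrorActionPreference = 'Stop'
$subscriptionScope = "/subscriptions/$((Get-AzContext).Subscription.Id)"

# Create a role assignment only if an identical one does not exist yet.
# New-AzRoleAssignment is not idempotent: re-running it for the same principal/role/scope errors out.
function Grant-RoleOnce {
    param([string]$ObjectId, [string]$RoleName, [string]$Scope)
    # Get-AzRoleAssignment -Scope also returns inherited assignments, so filter to the exact scope.
    $existing = Get-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleName -Scope $Scope -ErrorAction SilentlyContinue |
        Where-Object { $_.Scope -eq $Scope }
    if ($existing) { Write-Host "already assigned: $RoleName on $Scope"; return $existing }
    # A principal created seconds ago may not have replicated to ARM yet ("PrincipalNotFound" /
    # "does not exist in the directory"); retry with a growing back-off before giving up.
    for ($attempt = 1; $attempt -le 6; $attempt++) {
        try {
            return New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleName -Scope $Scope
        } catch {
            if ($attempt -eq 6 -or $_.Exception.Message -notmatch 'PrincipalNotFound|does not exist') { throw }
            Start-Sleep -Seconds (5 * $attempt)
        }
    }
}

# --- 1. Same role for many users: one group, one assignment at subscription scope ---
$group = Get-AzADGroup -DisplayName $GroupName
if (-not $group) {
    $group = New-AzADGroup -DisplayName $GroupName -MailNickname ($GroupName -replace '[^a-zA-Z0-9]', '')
}
foreach ($upn in $UserUpns) {
    $user = Get-AzADUser -UserPrincipalName $upn
    if (-not $user) { Write-Warning "user not found, skipping: $upn"; continue }
    # Adding an existing member is reported as an error; it is harmless, so suppress it.
    Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberObjectId $user.Id -ErrorAction SilentlyContinue
}
Grant-RoleOnce -ObjectId $group.Id -RoleName $UserRole -Scope $subscriptionScope | Out-Null

# --- 2. Turn on the VM's system-assigned identity (skipped if it is already on) ---
$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VMName
if (-not $vm.Identity -or "$($vm.Identity.Type)" -notmatch 'SystemAssigned') {
    # Caution: a VM that already has user-assigned identities needs -IdentityType
    # SystemAssignedUserAssigned plus -IdentityId, otherwise they would be removed.
    Update-AzVM -ResourceGroupName $ResourceGroup -VM $vm -IdentityType SystemAssigned | Out-Null
    $vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VMName   # re-read to pick up PrincipalId
}
$vmPrincipalId = $vm.Identity.PrincipalId

# --- 3. Reader for the VM identity, scoped to the one storage account, not the subscription ---
$storage = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
Grant-RoleOnce -ObjectId $vmPrincipalId -RoleName 'Reader' -Scope $storage.Id | Out-Null

# Show what each principal ended up with, so the result can be reviewed before sign-off
Get-AzRoleAssignment -ObjectId $group.Id       | Select-Object DisplayName, RoleDefinitionName, Scope
Get-AzRoleAssignment -ObjectId $vmPrincipalId  | Select-Object DisplayName, RoleDefinitionName, Scope
```

Two points worth noting when adapting this. Granting the role to the group rather than to each user means adding or removing a user later is a group-membership change, with no role assignment touched, which is also what makes the access reviewable in one place. And the VM identity gets Reader only on the storage account resource ID, the narrowest scope that satisfies the requirement; if the VM only needs to read blobs, a data-plane role such as Storage Blob Data Reader on the same scope is tighter still than the control-plane Reader role.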
Note: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to republish, please cite this site's URL or the original address. For any questions, contact: yoyou2525@163.com.