
Azure ARM role assignment for System Assigned Managed Identity fails the first run

My goal is to deploy a Logic App with a system-assigned managed identity and a role assignment for that identity. Preferably this is done in a single ARM template.

My setup fails the first run but succeeds on subsequent runs. Correct me if I'm wrong, but I think the reason is that the deployment of the role assignment happens before the Logic App's managed identity is "ready", so the first time I deploy the template I get the following error. The second time I deploy the template I don't get this error, probably because the identity already exists by then.

{
  "code": "DeploymentFailed",
  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
  "details": [
    {
      "code": "PrincipalNotFound",
      "message": "Principal *** does not exist in the directory ***."
    }
  ]
}

My template (Logic App definition removed for brevity). In this case the Logic App's identity needs access to a storage account located in another resource group.

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "logicAppName": {
            "type": "string"
        },
        "storageAccountResourceGroup": {
            "type": "String"
        },
        "storageAccountName": {
            "type": "String"
        }
    },
    "variables": {
        "logicAppResourceId": "[resourceId('Microsoft.Logic/workflows', parameters('logicAppName'))]",
        "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]"
    },
    "resources": [
        {
            "type": "Microsoft.Logic/workflows",
            "apiVersion": "2017-07-01",
            "name": "[parameters('logicAppName')]",
            "location": "[resourceGroup().location]",
            "identity": {
                "type": "SystemAssigned"
            },
            "properties": {
                "state": "Enabled",
                "definition": {
                    ...    
                }
            }
        },
        {
            "type": "Microsoft.Resources/deployments",
            "name": "[concat('RoleAssignment-', parameters('logicAppName'))]",
            "apiVersion": "2020-06-01",
            "resourceGroup": "[parameters('storageAccountResourceGroup')]",
            "subscriptionId": "[subscription().subscriptionId]",
            "dependsOn": [
                "[parameters('logicAppName')]"
            ],
            "properties": {
                "mode": "Incremental",
                "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "resources": [
                        {
                            "apiVersion": "2018-09-01-preview",
                            "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
                            "name": "[concat(parameters('storageAccountName'), '/Microsoft.Authorization/', guid(subscription().subscriptionId, parameters('logicAppName')))]",
                            "properties": {
                                "roleDefinitionId": "[variables('Storage Blob Data Contributor')]",
                                "principalId": "[reference(variables('logicAppResourceId'), '2019-05-01', 'Full').identity.principalId]"
                            }
                        }
                    ]
                }
            }
        }
    ]
}

As you can see in the template, I added a dependsOn on the Logic App itself. However, this does not seem to be enough.

Does anyone have a solution for this?

Thanks!

I found the answer here: https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-template#new-service-principal

After adding "principalType": "ServicePrincipal", the deployment works consistently.
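The corrected inner role assignment resource, as an added example that is not part of the original question or answer: it is the same resource from the question's nested deployment with "principalType": "ServicePrincipal" set, which per the linked Microsoft documentation lets Resource Manager proceed without the directory lookup that returns PrincipalNotFound for a freshly created identity (this requires the roleAssignments API version 2018-09-01-preview or later, which the template already uses).

```json
{
    "apiVersion": "2018-09-01-preview",
    "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
    "name": "[concat(parameters('storageAccountName'), '/Microsoft.Authorization/', guid(subscription().subscriptionId, parameters('logicAppName')))]",
    "properties": {
        "roleDefinitionId": "[variables('Storage Blob Data Contributor')]",
        "principalId": "[reference(variables('logicAppResourceId'), '2019-05-01', 'Full').identity.principalId]",
        "principalType": "ServicePrincipal"
    }
}
```

The outer nested deployment, its dependsOn on the Logic App, and the variables stay exactly as in the question; only the principalType line is new.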
