Assign subscription owner using arm template

Question

What needs to be changed in the ARM template below in order for it to add the subscription Owner role to the given principal ID?

The problem we are getting is that the following ARM template and invocation command are assigning an unintended resource group owner and NOT the desired subscription owner.

{
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
      "principalId": {
        "type": "string",
        "metadata": {
          "description": "principalId of the user or service principal that will be given the role assignment"
        }
      },
      "roleDefinitionId": {
        "type": "string",
        "defaultValue": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
        "metadata": { "description": "roleDefinition for the assignment - default is owner" }
      }
    },
    "variables": {
      "roleAssignmentName": "[guid(subscription().id, parameters('principalId'), parameters('roleDefinitionId'))]"
    },
    "resources": [
      {
        "type": "Microsoft.Authorization/roleAssignments",
        "apiVersion": "2020-08-01-preview",
        "name": "[variables('roleAssignmentName')]",
        "properties": {
          "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', parameters('roleDefinitionId'))]",
          "principalId": "[parameters('principalId')]"
        }
      }
    ]
}

The command we are running to invoke the above template is:

az deployment group create --resource-group myRgName --template-file myTemplateName.json --parameters principalId=<service-principal-id>

The user account running the preceding CLI command is a subscription Owner and thus has permission to assign another subscription Owner.

Answer 1

Score: 1

The deployment you are initiating is with a resource group scope, not with a subscription scope.

For more information on the "az" command set, look at the documentation over here.

For more information about the role assignment, take a look at the documentation over here (look at the section about "az deployment sub create").

az deployment sub create --location centralus --template-file rbac-test.json --parameters principalId=$objectid builtInRoleType=Reader
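To make the scope mismatch this answer points out mechanical rather than something you notice after the assignment already exists, here is an added pre-flight check (example code written for this page; it is not part of the answer and not Azure tooling). It reads the template, works out the scope its $schema declares, parses the `az deployment <scope> create` subcommand you intend to run, resolves the built-in role GUIDs the template references, and reports any disagreement with the scope you say you want. The sample template and command are the question's own, trimmed to the fields the check reads; the role-name map covers only the three GUIDs that appear in this thread.

```python
"""Pre-flight check for an ARM role-assignment deployment: does the az
subcommand deploy at the scope the template author intended, and which
built-in role is being handed out?  Added example for this thread; it is
not code from the question or either answer.  Standard library only."""
import json
import re
from typing import Dict, List, Optional

# Built-in role-definition GUIDs that appear in the thread.
BUILTIN_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
}

# Template $schema file name -> the `az deployment <scope> create` subcommand
# for that scope.  The schema is the author's statement of intent; the az
# subcommand is what actually fixes the scope of the deployment.
SCHEMA_TO_SCOPE = {
    "deploymentTemplate.json": "group",
    "subscriptionDeploymentTemplate.json": "sub",
    "managementGroupDeploymentTemplate.json": "mg",
    "tenantDeploymentTemplate.json": "tenant",
}

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
CMD_RE = re.compile(r"\baz\s+deployment\s+(group|sub|mg|tenant)\s+create\b")


def template_scope(template: dict) -> Optional[str]:
    """Scope declared by the template's $schema, or None if unrecognised."""
    schema = template.get("$schema", "")
    file_name = schema.rsplit("/", 1)[-1].split("#", 1)[0]
    return SCHEMA_TO_SCOPE.get(file_name)


def command_scope(command: str) -> Optional[str]:
    """Scope at which `az deployment ... create` will run, or None."""
    match = CMD_RE.search(command)
    return match.group(1) if match else None


def referenced_roles(template: dict) -> List[str]:
    """Names of built-in roles whose GUIDs appear anywhere in the template."""
    found = GUID_RE.findall(json.dumps(template))
    return sorted({BUILTIN_ROLES[g.lower()] for g in found if g.lower() in BUILTIN_ROLES})


def check_deployment(template: dict, command: str, intended: str) -> Dict[str, object]:
    """Compare the intended scope (group/sub/mg/tenant) with what the
    template declares and what the command will actually do.  Returns the
    scopes found plus a list of problems (empty when everything lines up)."""
    problems: List[str] = []
    cmd = command_scope(command)
    tpl = template_scope(template)
    if cmd != intended:
        problems.append(
            f"command deploys at '{cmd}' scope but '{intended}' was intended; a "
            "Microsoft.Authorization/roleAssignments resource without an explicit "
            "scope is created at the deployment scope, so the role lands there")
    if tpl is not None and tpl != intended:
        problems.append(f"$schema declares a '{tpl}' deployment, not '{intended}'")
    for res in template.get("resources", []):
        if res.get("type") == "Microsoft.Authorization/roleAssignments" and "scope" in res:
            problems.append(
                f"resource '{res.get('name')}' sets an explicit scope ({res['scope']}); "
                "that, not the deployment scope, is where the role is assigned")
    return {"command_scope": cmd, "template_scope": tpl,
            "roles": referenced_roles(template), "problems": problems}


def subscription_command(template_file: str, principal_id: str, location: str = "centralus") -> str:
    """The invocation that assigns at subscription scope (it needs --location)."""
    return (f"az deployment sub create --location {location} "
            f"--template-file {template_file} --parameters principalId={principal_id}")


# Constructed sample: the question's template reduced to the fields the check
# reads, and the exact command the question ran.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [{
        "type": "Microsoft.Authorization/roleAssignments",
        "apiVersion": "2020-08-01-preview",
        "name": "[variables('roleAssignmentName')]",
        "properties": {
            "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, "
                                "'/providers/Microsoft.Authorization/roleDefinitions/', "
                                "'8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
            "principalId": "[parameters('principalId')]",
        },
    }],
}
SAMPLE_COMMAND = ("az deployment group create --resource-group myRgName "
                  "--template-file myTemplateName.json --parameters principalId=<service-principal-id>")

if __name__ == "__main__":
    report = check_deployment(SAMPLE_TEMPLATE, SAMPLE_COMMAND, intended="sub")
    for problem in report["problems"]:
        print("PROBLEM:", problem)
    print("roles referenced:", report["roles"])
    print("run instead:", subscription_command("myTemplateName.json", "<service-principal-id>"))
```

Run against the question's template and command it reports exactly one problem, the `group` versus `sub` mismatch, and shows that the role being handed out is Owner; the same template with the `az deployment sub create` invocation from this answer passes clean.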

Answer 2

Score: 0

> The problem we are getting is that the following arm template and invocation command are assigning unintended resource group owner and NOT the desired subscription owner.

I have used the ARM template below to assign the role to the subscription.

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "principalId": {
      "type": "string",
      "metadata": {
        "description": "The principal to assign the role to"
      }
    },
    "builtInRoleType": {
      "type": "string",
      "allowedValues": [
        "Owner"
      ],
      "metadata": {
        "description": "Built-in role to assign"
      }
    },
    "roleNameGuid": {
      "type": "string",
      "defaultValue": "[newGuid()]",
      "metadata": {
        "description": "A new GUID used to identify the role assignment"
      }
    }
  },
  "variables": {
    "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
    "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
    "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "name": "[parameters('roleNameGuid')]",
      "properties": {
        "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
        "principalId": "[parameters('principalId')]"
      }
    }
  ]
}

Here is the Azure CLI command to assign the Owner role to the subscription.

$objectid = "user-object-id"
az deployment sub create --location centralus --template-file owner.json --parameters principalId=$objectid builtInRoleType=Owner

Output: (screenshot of the deployment output; image not reproduced)

Reference: Resource group or subscription scope
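The first deployment in the question left a resource-group Owner assignment behind, so after running the subscription-scope deployment shown in this answer it is worth confirming the result and removing the stray assignment. The following is an added example (not part of this answer or of Azure tooling): it takes the JSON that `az role assignment list --assignee <id> --all -o json` prints, confirms the principal holds Owner on the subscription itself, lists privileged assignments at narrower scopes inside that subscription, and emits the matching `az role assignment delete` commands. The assignment records below are constructed to mimic that output; the subscription and principal IDs are placeholders.

```python
"""Post-deployment audit of a principal's Owner assignments.  Added example
for this thread, not code from the question or the answers.  Input is the
list that `az role assignment list --assignee <id> --all -o json` prints;
the sample below is constructed by hand in that shape and includes the
resource-group Owner assignment the question's first deployment created."""
import re
from typing import Dict, List

# Roles whose presence at a narrower scope is redundant once the principal
# is Owner of the whole subscription, and worth removing to keep the
# assignment list honest.
PRIVILEGED = {"Owner", "Contributor", "User Access Administrator"}

SUB_RE = re.compile(r"^/subscriptions/[0-9a-f-]{36}$", re.I)
RG_RE = re.compile(r"^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+$", re.I)
MG_RE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I)


def scope_kind(scope: str) -> str:
    """Classify an Azure RBAC scope string by the level it targets."""
    if scope == "/":
        return "root"
    if MG_RE.match(scope):
        return "managementGroup"
    if SUB_RE.match(scope):
        return "subscription"
    if RG_RE.match(scope):
        return "resourceGroup"
    return "resource"


def audit_owner(assignments: List[dict], principal_id: str, subscription_id: str) -> Dict[str, object]:
    """Report whether `principal_id` is Owner of `subscription_id`, list its
    privileged assignments at narrower scopes inside that subscription, and
    build delete commands for them.  Cleanup commands are only emitted once
    the subscription-level Owner exists, so a run on the wrong state never
    proposes stripping the principal's only access."""
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    has_sub_owner = False
    stray: List[dict] = []
    for a in assignments:
        if a.get("principalId", "").lower() != principal_id.lower():
            continue
        role = a.get("roleDefinitionName", "")
        scope = a.get("scope", "")
        if role == "Owner" and scope.lower() == sub_scope:
            has_sub_owner = True
        elif role in PRIVILEGED and scope.lower().startswith(sub_scope + "/"):
            stray.append({"role": role, "scope": scope, "kind": scope_kind(scope)})
    cleanup = [
        f'az role assignment delete --assignee {principal_id} --role "{s["role"]}" --scope {s["scope"]}'
        for s in stray
    ] if has_sub_owner else []
    return {"has_subscription_owner": has_sub_owner, "stray": stray, "cleanup_commands": cleanup}


# Constructed sample in the shape of `az role assignment list` output.
# IDs are placeholders, not real tenants.
SAMPLE_SUBSCRIPTION = "11111111-2222-3333-4444-555555555555"
SAMPLE_PRINCIPAL = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
_OWNER_DEF = (f"/subscriptions/{SAMPLE_SUBSCRIPTION}/providers/Microsoft.Authorization/"
              "roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635")
SAMPLE_LIST = [
    {   # left over from the mistaken `az deployment group create` run
        "principalId": SAMPLE_PRINCIPAL, "principalType": "ServicePrincipal",
        "roleDefinitionName": "Owner", "roleDefinitionId": _OWNER_DEF,
        "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION}/resourceGroups/myRgName",
    },
    {   # created by the subscription-scope deployment
        "principalId": SAMPLE_PRINCIPAL, "principalType": "ServicePrincipal",
        "roleDefinitionName": "Owner", "roleDefinitionId": _OWNER_DEF,
        "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION}",
    },
    {   # unrelated principal, must be ignored
        "principalId": "99999999-0000-1111-2222-333333333333", "principalType": "User",
        "roleDefinitionName": "Reader", "roleDefinitionId": "",
        "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION}",
    },
]

if __name__ == "__main__":
    result = audit_owner(SAMPLE_LIST, SAMPLE_PRINCIPAL, SAMPLE_SUBSCRIPTION)
    print("subscription Owner present:", result["has_subscription_owner"])
    for s in result["stray"]:
        print(f"stray {s['role']} at {s['kind']} scope: {s['scope']}")
    for cmd in result["cleanup_commands"]:
        print("cleanup:", cmd)
```

On the sample the audit confirms the subscription-level Owner, flags the resource-group Owner from the first deployment as stray, and prints one `az role assignment delete` for it; with only the resource-group assignment present it proposes no deletion.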

huangapple
  • Posted on 2023-04-20 08:42:19
  • Please keep this link when reposting: https://go.coder-hub.com/76059764.html