GitHub动作,使用Microsoft部署ARM模板。
我一直在尝试通过GitHub动作部署ARM模板,无论我尝试过什么,都会不断陷入相同的问题:
授权因模板资源的授权'...' ' microsoft.authorization/roleassignments '。客户'...'与 对象ID'...'无权执行操作 ' microsoft.authorization/roleassignments/write '在范围内 '/订阅/***/resourceGroups/ds-rgc/provers/microsoft.storage/ storageaccounts/mystorageName /providers/microsoft.authorization/roleassignments/roleassignments/.......'
'不要以为它与github有任何关系,但是与我创建的应用程序...:
我注册了一个使用Azure应用程序注册的应用程序,创建了一个秘密并最终使用凭据对象:
{
"clientId": "<GUID>",
"clientSecret": "<GUID>",
"subscriptionId": "<GUID>",
"tenantId": "<GUID>",
}
我补充说,作为Github的秘密,通过操作测试了登录,一切都很好。仅当我尝试在ARM模板中分配角色时,问题才出现。
值得一提的是,相同的模板具有正确的角色分配 从Azure自定义部署中运行。
这已经花费了几个小时,但老实说,我找不到一种提升的方法该应用程序的权限并添加“ Microsoft.gurosoft.authorization/roleassignments/Write'权限或“用户访问管理员”角色...
有什么想法吗?
i ve been trying to deploy an ARM template with Github Actions and keep falling into the same problem no matter what I tried:
Authorization failed for template resource '...' of type
'Microsoft.Authorization/roleAssignments'. The client '...' with
object id '...' does not have permission to perform action
'Microsoft.Authorization/roleAssignments/write' at scope
'/subscriptions/***/resourceGroups/ds-rgc/providers/Microsoft.Storage/storageAccounts/myStorageName/providers/Microsoft.Authorization/roleAssignments/...'
The failure reason is obvious and I don't think it has anything to do with Github but with the application I created...:
I registered an app with Azure App Registration, created a secret and end up with the credentials object:
{
"clientId": "<GUID>",
"clientSecret": "<GUID>",
"subscriptionId": "<GUID>",
"tenantId": "<GUID>",
}
I added that as a secret in Github, tested the login with an action and everything worked great. The problem appeared only when I tried to assign roles in the ARM template.
Worth mentioning that the same template with the correct role assignments runs perfectly from Azure Custom deployment.
This cost me a few hours already, but honestly I cannot find a way to elevate the permissions of the app and add 'Microsoft.Authorization/roleAssignments/write' permission or the 'User Access Administrator' role...
Any ideas?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
看来我太累了...
我不得不去
订阅(因为那是我的模板的范围)&gt;访问控制(IAM)&gt;添加角色分配&gt;查找用户访问管理员&gt;单击NEXT&gt;选择用户,组或服务主体&gt;单击+选择成员&gt;键入应用名称&gt;从列表中选择它&gt;单击选择,然后评论 +分配。完毕...
It seems I was too tired...
I had to go my
Subscription(because that was the scope of my template) >Access control (IAM)>Add role assignment> findUser Access Administrator> clickNext> selectUser, group, or service principal> click+Select members> type the apps name > select it from the list > clickSelectand thenReview + Assign.Done...