2016-11-27 69 views
1

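I am deploying an ARM template from VSTS that contains a lock (in my case, a lock on the storage account for a function app). The VSTS deployment fails with "Authorization failed for type 'Microsoft.Storage/storageAccounts/providers/locks'".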

{ 
    "parameters": { 
     "name": { 
      "type": "string" 
     }, 
     "storageName": { 
      "type": "string" 
     }, 
     "location": { 
      "type": "string" 
     } 
    }, 
    "resources": [ 
     { 
      "apiVersion": "2015-05-01-preview", 
      "type": "Microsoft.Storage/storageAccounts", 
      "name": "[parameters('storageName')]", 
      "location": "[parameters('location')]", 
      "properties": { 
       "accountType": "Standard_LRS" 
      }, 
      "resources": [ 
       { 
        "type": "Microsoft.Storage/storageAccounts/providers/locks", 
        "name": "[concat(parameters('storageName'), '/Microsoft.Authorization/', parameters('storageName'))]", 
        "apiVersion": "2015-01-01", 
        "dependsOn": [ 
         "[concat('Microsoft.Storage/storageAccounts/', parameters('storageName'))]" 
        ], 
        "properties": { 
         "level": "CannotDelete", 
         "notes": "One or more function apps were linked to this storage account. You can see all the function apps linked to the account under 'files' or 'shares'." 
        } 
       } 
      ] 
     },... 

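This works fine when I deploy with my own credentials from VS or from the command line. But when deploying from a VSTS release definition, the deployment fails: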

Resource Microsoft.Resources/deployments 'myFunctionApp' failed with message '{ 
    "error": { 
    "code": "InvalidTemplateDeployment", 
    "message": "The template deployment failed with error: 'Authorization failed for template resource 'myFunctionAppStorage/Microsoft.Authorization/myFunctionAppStorage' of type 'Microsoft.Storage/storageAccounts/providers/locks'. The client '***VSTS service principal Id***' with object id '***VSTS service principal Id***' does not have permission to perform action 'Microsoft.Authorization/locks/write' at scope '/subscriptions/*** subscription ***/resourceGroups/*** resource group ***/providers/Microsoft.Storage/storageAccounts/myFunctionAppStorage/providers/Microsoft.Authorization/locks/myFunctionAppStorage'.'." 
    } 
} 

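When I remove the Microsoft.Storage/storageAccounts/providers/locks section from the template, the deployment from VSTS works. But then the storage account is not protected against deletion.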

+2

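You would probably see the same error by simply creating a storage account with a lock, without a function app being involved. I would do that, and I would suggest rewording the question to make it clearer that you are dealing with a pure ARM/Storage issue rather than a Functions issue. As a further matter, take VSTS out of the picture if possible. The more isolated the problem, the easier it is to reason about :)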

+0

Thanks @DavidEbbo for helping me solve the problem.

+0

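I was able to deploy manually, including the lock, with a manually created service principal, which I needed to add to the "Owner" role - it did not work with the "Contributor" role, which VSTS assigns to the service principal by default. So I removed the "Contributor" role from the VSTS SP and assigned the "Owner" role. With that, the deployment works even in VSTS. Based on this, for me the answer lies entirely with the VSTS SP, because setting the lock apparently requires "Owner" permissions.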

Answer

2

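The Contributor role - the role assigned when VSTS creates the service principal in the AAD connected to the subscription of the resource group - is not sufficient to place a lock. Assign Owner and the lock can be placed by the VSTS deployment process.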
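
Why Contributor fails and Owner succeeds, as an added example that is not part of the original answer: a small evaluator for the Actions/NotActions lists of Azure role definitions, applied to the action named in the error message. The role definitions are abridged, constructed copies, and "Lock Writer" is a hypothetical custom role included to show a narrower grant than Owner.

```python
import re

# Constructed, abridged role definitions: only entries relevant to lock
# writes are reproduced. "Lock Writer" is a hypothetical custom role.
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Lock Writer (hypothetical)": {
        "Actions": ["Microsoft.Authorization/locks/*"],
        "NotActions": [],
    },
}

# The action named in the deployment error on this page.
LOCK_WRITE = "Microsoft.Authorization/locks/write"


def matches(pattern, action):
    """Case-insensitive match where '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def role_allows(role, action):
    """Granted if some Actions entry matches and no NotActions entry does."""
    granted = any(matches(p, action) for p in role["Actions"])
    excluded = any(matches(p, action) for p in role["NotActions"])
    return granted and not excluded


def granting_roles(assigned, action):
    """Assignments are additive: NotActions only subtracts inside its own
    role definition, so any one granting role is sufficient."""
    return [name for name in assigned if role_allows(ROLES[name], action)]


if __name__ == "__main__":
    for assigned in (["Contributor"], ["Owner"],
                     ["Contributor", "Lock Writer (hypothetical)"]):
        roles = granting_roles(assigned, LOCK_WRITE)
        print(assigned, "->", roles or "AuthorizationFailed")
```

Contributor's wildcard grant is cancelled for this action by its own `Microsoft.Authorization/*/Write` exclusion, which is why the pipeline's service principal can create the storage account but not the lock on it.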