1
我正在部署一个包含锁的VSTS的ARM模板(在我的情况下锁定在存储帐户对于功能应用程序)VSTS部署失败,“授权失败,因为类型'Microsoft.Storage/storageAccounts/providers/locks'”
{
"parameters": {
"name": {
"type": "string"
},
"storageName": {
"type": "string"
},
"location": {
"type": "string"
}
},
"resources": [
{
"apiVersion": "2015-05-01-preview",
"type": "Microsoft.Storage/storageAccounts",
"name": "[parameters('storageName')]",
"location": "[parameters('location')]",
"properties": {
"accountType": "Standard_LRS"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts/providers/locks",
"name": "[concat(parameters('storageName'), '/Microsoft.Authorization/', parameters('storageName'))]",
"apiVersion": "2015-01-01",
"dependsOn": [
"[concat('Microsoft.Storage/storageAccounts/', parameters('storageName'))]"
],
"properties": {
"level": "CannotDelete",
"notes": "One or more function apps were linked to this storage account. You can see all the function apps linked to the account under 'files' or 'shares'."
}
}
]
},...
这只是从VS或从命令行部署我的凭据时正常工作。 但是从VSTS版本定义进行部署时,部署失败:
Resource Microsoft.Resources/deployments 'myFunctionApp' failed with message '{
"error": {
"code": "InvalidTemplateDeployment",
"message": "The template deployment failed with error: 'Authorization failed for template resource 'myFunctionAppStorage/Microsoft.Authorization/myFunctionAppStorage' of type 'Microsoft.Storage/storageAccounts/providers/locks'. The client '***VSTS service principal Id***' with object id '***VSTS service principal Id***' does not have permission to perform action 'Microsoft.Authorization/locks/write' at scope '/subscriptions/*** subscription ***/resourceGroups/*** resource group ***/providers/Microsoft.Storage/storageAccounts/myFunctionAppStorage/providers/Microsoft.Authorization/locks/myFunctionAppStorage'.'."
}
}
当我从模板中删除Microsoft.Storage/storageAccounts/providers/locks
部分,在VSTS的部署工作。但那么存储帐户将不会阻止删除。
通过简单地创建带有锁的存储帐户,您可能会看到相同的错误,而不涉及功能应用程序。我这样做,我会建议改写这个问题,使其更清楚地表明您正在处理纯ARM /存储问题而不是函数问题。至于另一个问题,如果可能的话,远离VSTS。问题越孤立,就越容易推理:) –
感谢@DavidEbbo帮助我解决问题。 –
我成功地能够手动部署,包括带有手动创建的服务主体的锁,我需要将其添加到角色“所有者” - 它没有与角色“Contributor”一起工作,默认情况下,VSTS指派给服务主体。因此,我从VSTS SP中删除了角色“Contributor”,并分配了角色“所有者”。由此,部署甚至可以在VSTS中工作。基于此,对我来说,答案就是完全用VSTS SP来做,因为设置锁显然需要“所有者”权限。 –