How do I assign the correct roles on Service Bus entities to an Azure Function's managed identity using Bicep?

af7jpaap posted 12 months ago in Other
Follow (0) | Answers (2) | Views (146)

I have an Azure Functions project in which one function uses Service Bus bindings (to listen on a subscription and to send to a topic).
The Azure Functions deployment runs under a managed identity. Since we want to deploy everything automatically with Azure Bicep, I would like the Bicep file to automatically grant that managed identity the correct role assignments on the Service Bus namespace (or entities).
But I can't figure out how to do it. Could someone point me to the right Bicep snippet for creating a role assignment (Azure Service Bus Data Receiver / Azure Service Bus Data Sender) on a Service Bus entity for a specific managed identity?
(And even better: how could I have found this out myself, given that I'm fairly new to Bicep?)
Regards

iqxoj9l9 1#

The documentation for creating RBAC with Bicep can be found here.
The Azure built-in roles can be found here.
So for Service Bus and a managed identity, you can create a module like the following:

// servicebus-role-assignment.bicep

param serviceBusName string
param principalId string

@allowed([
  '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0' // Azure Service Bus Data Receiver
  '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39' // Azure Service Bus Data Sender
])
param roleId string

// Get a reference to servicebus namespace
resource servicebus 'Microsoft.ServiceBus/namespaces@2022-01-01-preview' existing = {
  name: serviceBusName
}

// Grant permissions to the principalID to specific role to servicebus
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid(servicebus.id, roleId, principalId)
  scope: servicebus
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleId)
    principalId: principalId
    principalType: 'ServicePrincipal'
  }
}

If you are using a user-assigned identity, you can call this module once the identity has been created:

param location string = resourceGroup().location
param identityName string
param serviceBusName string

// Create the identity
resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2022-01-31-preview' = {
  name: identityName
  location:location
}

// Do the role assignment
module serviceBusRoleAssignment 'servicebus-role-assignment.bicep' = {
  name: 'servicebus-role-assignment'
  params: {
    serviceBusName: serviceBusName
    roleId: '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0' // Azure Service Bus Data Receiver    
    principalId: identity.properties.principalId
  }
}


If you are using a system-assigned identity, you need to create the function app first:

param location string = resourceGroup().location
param functionAppName string
param serviceBusName string
...

// Create the function app
resource functionApp 'Microsoft.Web/sites@2022-03-01' = {
  name: functionAppName
  identity: {
    type: 'SystemAssigned'
  }
  ...
}

// Do the role assignment
module serviceBusRoleAssignment 'servicebus-role-assignment.bicep' = {
  name: 'servicebus-role-assignment'
  params: {
    serviceBusName: serviceBusName
    roleId: '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0' // Azure Service Bus Data Receiver    
    principalId: functionApp.identity.principalId
  }
}

ckocjqey 2#

If you want to assign the role at the Service Bus topic level (or queue level), you can do it by using a module and the scope keyword.
The example below assigns the Azure Service Bus Data Sender role on a Service Bus topic to a web app that was created with a system-assigned identity. The Service Bus namespace and its child topic resource live in a different resource group; the web app is deployed to another resource group with the 'az deployment group' command.
main.bicep:

// Inputs referenced by the module call below
param differentResourceGroupName string
param webAppPrincipalId string
param serviceBusName string
param serviceBusTopicName string

// Assign RBAC role to Service Bus Topic - Use modules if you want to deploy an extension resource (the role assignment is an extension resource type)
// with the scope set to a resource in a different resource group, see more here https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/scope-extension-resources
module roleAssignmentModule 'Modules/roleAssignments.bicep' = {
  name: 'roleAssignmentsModule' // Azure Portal Deployments Inputs and Outputs shown under RG that contains the Service Bus Names
  scope: resourceGroup(differentResourceGroupName)
  params: {
    webAppPrincipalId: webAppPrincipalId
    serviceBusName: serviceBusName
    serviceBusTopicName: serviceBusTopicName
  }
}

roleAssignments.bicep:

@description('The principalId of the WebApp that will be used in role assignment')
param webAppPrincipalId string

@description('Service Bus Namespace that contains the Service Bus Topic where RBAC role will be assigned to')
param serviceBusName string

@description('Service Bus Topic name where RBAC role will be assigned to')
param serviceBusTopicName string

@description('This is the built-in Azure Service Bus Data Sender role. See https://learn.microsoft.com/en-gb/azure/role-based-access-control/built-in-roles#azure-service-bus-data-sender')
resource azureServiceBusDataSenderRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-05-01-preview' existing = {
  scope: subscription()
  name: '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39' // 'Azure Service Bus Data Sender' Azure built-in role
}

// Reference to an existing Service Bus Namespace resource
resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2021-11-01' existing = {
  name: serviceBusName
}

// Get a reference to an existing Service Bus Topic
resource serviceBusTopic 'Microsoft.ServiceBus/namespaces/topics@2022-10-01-preview' existing = {
  name: serviceBusTopicName
  parent: serviceBusNamespace
}

// Assign RBAC role 'Azure Service Bus Data Sender' to the Service Bus Topic
resource roleAssignment_AzureServiceBusDataSender 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  name: guid(subscription().id, webAppPrincipalId, serviceBusTopic.id, azureServiceBusDataSenderRoleDefinition.id)
  scope: serviceBusTopic // Role is assigned at the Topic level. If scope property is omitted, then role is assigned at the Service Bus Namespace level and inherited to all child Topics. We don't want that
  properties: {
    principalId: webAppPrincipalId
    roleDefinitionId: azureServiceBusDataSenderRoleDefinition.id
    principalType: 'ServicePrincipal'
  }
}
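
Putting the two answers together for the exact case in the question (a trigger on a topic subscription plus an output binding to a topic), here is an added example module; it is not code from either answer or from the asker. It grants Azure Service Bus Data Receiver only on the subscription the function listens to and Azure Service Bus Data Sender only on the topic it sends to, so the identity gets no namespace-wide rights and no Data Owner role. The role GUIDs are the built-in ones quoted in both answers; the parameter names, file name and API versions are my own choices.

```bicep
// servicebus-function-rbac.bicep (added example, not from the answers above)
// Least-privilege RBAC for a Function that listens on one topic subscription
// and sends to one topic. Both assignments are scoped to the entity, not the namespace.

@description('Service Bus namespace that holds the topic(s) and subscription')
param serviceBusName string

@description('Topic the function sends to (output binding)')
param sendTopicName string

@description('Topic that holds the subscription the function listens on')
param listenTopicName string

@description('Subscription the function trigger listens on')
param listenSubscriptionName string

@description('principalId of the function app identity (system- or user-assigned)')
param principalId string

// Built-in role definition GUIDs; these are the same in every Azure subscription
var dataReceiverRoleId = '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0' // Azure Service Bus Data Receiver
var dataSenderRoleId = '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39'   // Azure Service Bus Data Sender

resource serviceBus 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = {
  name: serviceBusName
}

resource sendTopic 'Microsoft.ServiceBus/namespaces/topics@2022-10-01-preview' existing = {
  name: sendTopicName
  parent: serviceBus
}

resource listenTopic 'Microsoft.ServiceBus/namespaces/topics@2022-10-01-preview' existing = {
  name: listenTopicName
  parent: serviceBus
}

resource listenSubscription 'Microsoft.ServiceBus/namespaces/topics/subscriptions@2022-10-01-preview' existing = {
  name: listenSubscriptionName
  parent: listenTopic
}

// Receive rights only on the one subscription the trigger reads from.
// guid() over (scope, role, principal) makes the name deterministic, so re-deploying is idempotent.
resource receiveOnSubscription 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(listenSubscription.id, dataReceiverRoleId, principalId)
  scope: listenSubscription
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', dataReceiverRoleId)
    principalId: principalId
    // Stating the principal type lets ARM create the assignment even when the identity
    // was created moments ago in the same deployment and has not replicated yet.
    principalType: 'ServicePrincipal'
  }
}

// Send rights only on the one topic the output binding writes to.
resource sendOnTopic 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(sendTopic.id, dataSenderRoleId, principalId)
  scope: sendTopic
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', dataSenderRoleId)
    principalId: principalId
    principalType: 'ServicePrincipal'
  }
}
```

Call it as a module exactly like the `servicebus-role-assignment.bicep` module in the first answer, passing `functionApp.identity.principalId` (system-assigned) or `identity.properties.principalId` (user-assigned); if the namespace lives in another resource group, add `scope: resourceGroup('<that-rg>')` on the module call as the second answer does. The function still needs an identity-based connection setting, not a connection string: `ServiceBusConnection__fullyQualifiedNamespace = <namespace>.servicebus.windows.net`, and for a user-assigned identity also `ServiceBusConnection__credential = managedidentity` plus `ServiceBusConnection__clientId`. Two checks worth doing after deployment: run `az role assignment list --assignee <principalId> --all -o table` and confirm the Scope column shows only the topic and subscription resource IDs, not the namespace; and remember that a normal (incremental) deployment never deletes role assignments, so if you later change the scope or role, the old assignment stays behind under its old `guid()` name until you remove it yourself.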
