Can I change the GitHub role when connecting to Azure?

dfddblmv posted on 2023-04-12 in Git
Follow (0) | Answers (1) | Views (103)

I am trying to create an ARM template using Azure and GitHub Actions for the first time. I followed all the steps to create a service principal and assign the GitHub Contributor role.
I created my first template, whose goal is to log in to Azure (succeeded) and create a storage account, but it fails with an authorization failed error. This is the warning I get:
Warning: Error: ***"code":"AuthorizationFailed","message":"The client '3b1f7136-28ea-48bf-8cde-9417317fa987' with object id '3b1f7136-28ea-48bf-8cde-9417317fa987' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/subscriptions/***' or the scope is invalid. If access was recently granted, please refresh your credentials."***
The reason for the failure is obvious; what is not obvious is how to fix it. The GitHub role is currently assigned to the resource group; does it also need to be assigned to the subscription? If so, how do I assign it at the subscription level?
Trying to find out how to assign the role to the subscription.

wfsdck30 1#

I deployed an Azure storage account using a service principal and GitHub Actions as shown below:-
My git repository:-

I created a service principal with the RBAC Contributor role assigned at the subscription level using the following command from this link - Deploy Resource Manager templates by using GitHub Actions - Azure Resource Manager | Microsoft Learn:-
Command:-

az ad sp create-for-rbac --name "myML" --role contributor \
                            --scopes /subscriptions/<subscription-id> \
                            --sdk-auth

Output:-

Copied the JSON output into my GitHub Actions secrets as shown below:-

I created a storage account using the ARM template below:

azuredeploy.json

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "_generator": {
      "name": "bicep",
      "version": "0.13.1.58284",
      "templateHash": "13120038605368246703"
    }
  },
  "parameters": {
    "storageAccountType": {
      "type": "string",
      "defaultValue": "Standard_LRS",
      "allowedValues": [
        "Premium_LRS",
        "Premium_ZRS",
        "Standard_GRS",
        "Standard_GZRS",
        "Standard_LRS",
        "Standard_RAGRS",
        "Standard_RAGZRS",
        "Standard_ZRS"
      ],
      "metadata": {
        "description": "Storage Account type"
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "The storage account location."
      }
    },
    "storageAccountName": {
      "type": "string",
      "defaultValue": "[format('store{0}', uniqueString(resourceGroup().id))]",
      "metadata": {
        "description": "The name of the storage account"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2022-09-01",
      "name": "[parameters('storageAccountName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "[parameters('storageAccountType')]"
      },
      "kind": "StorageV2",
      "properties": {}
    }
  ],
  "outputs": {
    "storageAccountName": {
      "type": "string",
      "value": "[parameters('storageAccountName')]"
    },
    "storageAccountId": {
      "type": "string",
      "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
    }
  }
}

Reference for the code above:-

https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.storage/storage-account-create/azuredeploy.json

My GitHub Actions YML script:-
Replace the resource group name with an existing resource group in which you want to create the storage account.
main.yml

on: [push]
name: Azure ARM
jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:

      # Checkout code
      - uses: actions/checkout@main

      # Log into Azure
      - uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      # Deploy ARM template (the step id is required so its outputs can be read below)
      - name: Deploy ARM template
        id: deploy
        uses: azure/arm-deploy@v1
        with:
          subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION }}
          resourceGroupName: siliconrg
          template: ./azuredeploy.json
          parameters: storageAccountType=Standard_LRS

      # Output the storageAccountName variable declared in the template's outputs
      - run: echo ${{ steps.deploy.outputs.storageAccountName }}

The GitHub Action ran successfully as shown below:-

The storage account was created in the Azure portal:-

References:-

Exercise - Deploy ARM templates as part of your CI/CD efforts with GitHub Actions - Training | Microsoft Learn
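The point behind both the question and the answer is RBAC scope inheritance: an assignment at /subscriptions/<id> covers every resource group beneath it, but an assignment on a single resource group does not cover the subscription, and the validate action in the error is requested at subscription scope. The script below is an added example (not code from the question, the answer, or Microsoft) that checks whether an existing assignment covers the scope named in an AuthorizationFailed message and, if not, prints the az role assignment create command for the missing scope instead of recreating the service principal. The subscription id, the error text and the <app-id> placeholder are constructed; the resource group name siliconrg is taken from the answer. Nothing is sent to Azure, so it runs offline.

```shell
#!/bin/sh
# Added example: reason about Azure RBAC scope inheritance offline.
# Constructed values only; no az command is executed, one is merely printed.

# Returns 0 when the role assignment scope in $1 covers the requested scope
# in $2. Azure scopes are case-insensitive and inherit downward: a scope
# covers itself and everything beneath it, never its parents.
scope_covers() {
    assigned=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's#/*$##')
    requested=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]' | sed 's#/*$##')
    case "$requested" in
        "$assigned" | "$assigned"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Extracts the action and scope from an AuthorizationFailed message and
# prints them as "<action> <scope>" on one line.
parse_authz_error() {
    action=$(printf '%s' "$1" | sed -n "s/.*perform action '\([^']*\)'.*/\1/p")
    scope=$(printf '%s' "$1" | sed -n "s/.*over scope '\([^']*\)'.*/\1/p")
    printf '%s %s\n' "$action" "$scope"
}

# Prints the az CLI command that grants role $2 to assignee $1 at scope $3.
# Printing (not running) keeps the example side-effect free.
role_assignment_cmd() {
    printf 'az role assignment create --assignee %s --role %s --scope %s\n' "$1" "$2" "$3"
}

# Constructed sample: assignment on a resource group, error at subscription scope.
SUB="/subscriptions/00000000-0000-0000-0000-000000000000"
RG="$SUB/resourceGroups/siliconrg"
ERR="The client 'x' with object id 'x' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '$SUB' or the scope is invalid."

# Compares the existing assignment with the scope the error names and prints
# either a confirmation or the command that would close the gap.
diagnose() {
    set -- $(parse_authz_error "$ERR")   # $1 = action, $2 = scope
    if scope_covers "$RG" "$2"; then
        echo "assignment at $RG already covers $2 for $1"
    else
        echo "assignment at $RG does not cover $2 for $1; needed:"
        role_assignment_cmd "<app-id>" Contributor "$2"
    fi
}

diagnose
```

Granting Contributor at subscription scope, as the answer does, is broader than the single resource group the question started with; the deployment actions the error names are what require it, so the check above tells you whether that wider assignment is actually the missing piece before you add it.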
