使用 Azure CLI 添加或编辑 Azure 角色分配条件

Azure 角色分配条件是一项额外检查,你可选择将其添加到角色分配中,来提供更精细的访问控制。 例如,为了读取对象,你可添加要求对象具有特定标记的条件。 本文介绍如何使用 Azure CLI 为角色分配添加、编辑、列出或删除条件。

先决条件

有关添加或编辑角色分配条件的先决条件的信息,请参阅有关条件的先决条件

添加条件

若要添加角色分配条件,请使用 az role assignment createaz role assignment create 命令包含以下与条件相关的参数。

参数 类型 说明
condition 字符串 可授予用户权限的条件。
condition-version 字符串 条件语法的版本。 如果指定了 --condition 而未指定 --condition-version,则版本设为默认值 2.0。

以下示例演示如何使用条件分配存储 Blob 数据读者角色。 该条件检查容器名称是否为“blobs-example-container”。

az role assignment create --role "Storage Blob Data Reader" --scope /subscriptions/mySubscriptionID/resourceGroups/myResourceGroupName --assignee "user1@contoso.com" \
--description "Read access if container name equals blobs-example-container" \
--condition "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'))" \
--condition-version "2.0"

下面显示了输出示例:

{
    "canDelegate": null,
    "condition": "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'))",
    "conditionVersion": "2.0",
    "description": "Read access if container name equals blobs-example-container",
    "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}",
    "name": "{roleAssignmentId}",
    "principalId": "{userObjectId}",
    "principalType": "User",
    "resourceGroup": "{resourceGroup}",
    "roleDefinitionId": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
    "scope": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}",
    "type": "Microsoft.Authorization/roleAssignments"
}

编辑条件

若要编辑现有角色分配条件,请使用 az role assignment update 和 JSON 文件作为输入。 以下是一个示例 JSON 文件,其中条件和说明已更新。 只有 conditionconditionVersiondescription 属性可以编辑。 必须指定所有属性才能更新角色分配条件。

{
    "canDelegate": null,
    "condition": "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container' OR @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container2'))",
    "conditionVersion": "2.0",
    "description": "Read access if container name equals blobs-example-container or blobs-example-container2",
    "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}",
    "name": "{roleAssignmentId}",
    "principalId": "{userObjectId}",
    "principalType": "User",
    "resourceGroup": "{resourceGroup}",
    "roleDefinitionId": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
    "scope": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}",
    "type": "Microsoft.Authorization/roleAssignments"
}

使用 az role assignment update 更新角色分配的条件。

az role assignment update --role-assignment "./path/roleassignment.json"

下面显示了输出示例:

{
    "canDelegate": null,
    "condition": "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container' OR @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container2'))",
    "conditionVersion": "2.0",
    "description": "Read access if container name equals blobs-example-container or blobs-example-container2",
    "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}",
    "name": "{roleAssignmentId}",
    "principalId": "{userObjectId}",
    "principalType": "User",
    "resourceGroup": "{resourceGroup}",
    "roleDefinitionId": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
    "scope": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}",
    "type": "Microsoft.Authorization/roleAssignments"
}

列出条件

若要列出角色分配条件,请使用 az role assignment list。 有关详细信息,请参阅使用 Azure CLI 列出 Azure 角色分配

删除条件

若要删除角色分配条件,请编辑角色分配条件并将 conditioncondition-version 属性设置为空字符串 ("") 或 null

另外,如果想同时删除角色分配和条件,可以使用 az role assignment delete 命令。 有关详细信息,请参阅删除 Azure 角色分配

后续步骤