使用 Azure CLI 添加或编辑 Azure 角色分配条件

项目
05/06/2024

Azure 角色分配条件是一项额外检查，你可选择将其添加到角色分配中，来提供更精细的访问控制。例如，为了读取对象，你可添加要求对象具有特定标记的条件。本文介绍如何使用 Azure CLI 为角色分配添加、编辑、列出或删除条件。

先决条件

有关添加或编辑角色分配条件的先决条件的信息，请参阅有关条件的先决条件。

添加条件

若要添加角色分配条件，请使用 az role assignment create。 az role assignment create 命令包含以下与条件相关的参数。

参数	类型	说明
`condition`	字符串	可授予用户权限的条件。
`condition-version`	字符串	条件语法的版本。如果指定了 `--condition` 而未指定 `--condition-version`，则版本设为默认值 2.0。

以下示例演示如何使用条件分配存储 Blob 数据读者角色。该条件检查容器名称是否为“blobs-example-container”。

az role assignment create --role "Storage Blob Data Reader" --scope /subscriptions/mySubscriptionID/resourceGroups/myResourceGroupName --assignee "user1@contoso.com" \
--description "Read access if container name equals blobs-example-container" \
--condition "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'))" \
--condition-version "2.0"

下面显示了输出示例：

{
    "canDelegate": null,
    "condition": "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'))",
    "conditionVersion": "2.0",
    "description": "Read access if container name equals blobs-example-container",
    "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}",
    "name": "{roleAssignmentId}",
    "principalId": "{userObjectId}",
    "principalType": "User",
    "resourceGroup": "{resourceGroup}",
    "roleDefinitionId": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
    "scope": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}",
    "type": "Microsoft.Authorization/roleAssignments"
}

编辑条件

若要编辑现有角色分配条件，请使用 az role assignment update 和 JSON 文件作为输入。以下是一个示例 JSON 文件，其中条件和说明已更新。只有 condition、conditionVersion 和 description 属性可以编辑。必须指定所有属性才能更新角色分配条件。

{
    "canDelegate": null,
    "condition": "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container' OR @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container2'))",
    "conditionVersion": "2.0",
    "description": "Read access if container name equals blobs-example-container or blobs-example-container2",
    "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}",
    "name": "{roleAssignmentId}",
    "principalId": "{userObjectId}",
    "principalType": "User",
    "resourceGroup": "{resourceGroup}",
    "roleDefinitionId": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
    "scope": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}",
    "type": "Microsoft.Authorization/roleAssignments"
}

使用 az role assignment update 更新角色分配的条件。

az role assignment update --role-assignment "./path/roleassignment.json"

下面显示了输出示例：

{
    "canDelegate": null,
    "condition": "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container' OR @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container2'))",
    "conditionVersion": "2.0",
    "description": "Read access if container name equals blobs-example-container or blobs-example-container2",
    "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}",
    "name": "{roleAssignmentId}",
    "principalId": "{userObjectId}",
    "principalType": "User",
    "resourceGroup": "{resourceGroup}",
    "roleDefinitionId": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
    "scope": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}",
    "type": "Microsoft.Authorization/roleAssignments"
}

列出条件

若要列出角色分配条件，请使用 az role assignment list。有关详细信息，请参阅使用 Azure CLI 列出 Azure 角色分配。

删除条件

若要删除角色分配条件，请编辑角色分配条件并将 condition 和 condition-version 属性设置为空字符串 ("") 或 null。

另外，如果想同时删除角色分配和条件，可以使用 az role assignment delete 命令。有关详细信息，请参阅删除 Azure 角色分配。

通过