Create an Azure custom role using an Azure Resource Manager template

If the Azure built-in roles don't meet the specific needs of your organization, you can create your own custom roles. This article describes how to create a custom role using an Azure Resource Manager template.

An ARM template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax, which lets you state what you intend to deploy without having to write the sequence of programming commands to create it.

Prerequisites

To create a custom role, you must have:

Create a custom role

To create a custom role, you specify a role name, permissions, and where the role can be used. In this article, you create a role named "Custom Role - RG Reader" with resource permissions that can be assigned at a subscription scope or lower.

Review the template

The template used in this article is from Azure Quickstart Templates. The template has four parameters and a resources section. The four parameters are:

  • Array of actions, with a default value of ["Microsoft.Resources/subscriptions/resourceGroups/read"]
  • Array of notActions, with an empty default value
  • Role name, with a default value of "Custom Role - RG Reader"
  • Role description, with a default value of "Subscription Level Deployment of a Role Definition"

The resource defined in the template is:

  • Microsoft.Authorization/roleDefinitions

The scope where this custom role can be assigned is set to the current subscription. The resource name of the role definition is a GUID that guid() derives from the subscription ID and the actions and notActions values, so redeploying with the same inputs updates the same definition rather than creating a second one. Custom role names must be unique within the directory, so deploying a different actions list under the same roleName produces a second definition with a conflicting name and is rejected; remove the existing role first.

{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "actions": {
      "type": "array",
      "defaultValue": [
         "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "metadata": {
        "description": "Array of actions for the roleDefinition"
      }
    },
    "notActions": {
      "type": "array",
      "defaultValue": [ ],
      "metadata": {
        "description": "Array of notActions for the roleDefinition"
      }
    },
    "roleName": {
      "type": "string",
      "defaultValue": "Custom Role - RG Reader",
      "metadata": {
        "description": "Friendly name of the role definition"
      }
    },
    "roleDescription": {
      "type": "string",
      "defaultValue": "Subscription Level Deployment of a Role Definition",
      "metadata": {
        "description": "Detailed description of the role definition"
      }
    }
  },
  "variables":{
    "roleDefName": "[guid(subscription().id, string(parameters('actions')), string(parameters('notActions')))]"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleDefinitions",
      "apiVersion": "2018-07-01",
      "name": "[variables('roleDefName')]",
      "properties": {
        "roleName": "[parameters('roleName')]",
        "description": "[parameters('roleDescription')]",
        "type": "customRole",
        "isCustom": true,
        "permissions": [
          {
            "actions": "[parameters('actions')]",
            "notActions": "[parameters('notActions')]"
          }
        ],
        "assignableScopes": [
          "[subscription().id]"
        ]
      }
    }
  ]
}

Deploy the template

Follow these steps to deploy the previous template.

  1. Sign in to the Azure portal.

  2. Open PowerShell. Sign in to your subscription, then copy and paste the following script. The script fetches the template from the master branch of the quickstart repository at deployment time; for a repeatable deployment, download the file and pass a local copy with -TemplateFile instead of -TemplateUri.

    $location = Read-Host -Prompt "Enter a location (i.e. chinanorth)"
    $actionsInput = Read-Host -Prompt "Enter actions as a comma-separated list (i.e. action1,action2)"
    # Split on commas and trim surrounding whitespace so "a, b" is not passed as " b"
    [string[]]$actions = $actionsInput.Split(',') | ForEach-Object { $_.Trim() }
    
    # Template is read from the master branch; use a local copy with -TemplateFile for repeatable deployments
    $templateUri = "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/subscription-deployments/create-role-def/azuredeploy.json"
    
    # -actions is a dynamic parameter that New-AzDeployment generates from the template's parameters section
    New-AzDeployment -Location $location -TemplateUri $templateUri -actions $actions
    
    
  3. Enter a location for the deployment, such as chinanorth.

  4. Enter the list of actions for the custom role as a comma-separated list, such as Microsoft.Resources/resources/read,Microsoft.Resources/subscriptions/resourceGroups/read.

  5. If necessary, press Enter to run the New-AzDeployment command.

    The New-AzDeployment command deploys the template to create the custom role.

    You should see output similar to the following:

    PS> New-AzDeployment -Location $location -TemplateUri $templateUri -actions $actions
    
    Id                      : /subscriptions/{subscriptionId}/providers/Microsoft.Resources/deployments/azuredeploy
    DeploymentName          : azuredeploy
    Location                : chinanorth
    ProvisioningState       : Succeeded
    Timestamp               : 6/25/2020 8:08:32 PM
    Mode                    : Incremental
    TemplateLink            :
                              Uri            : https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/subscription-deployments/create-role-def/azuredeploy.json
                              ContentVersion : 1.0.0.0
    
    Parameters              :
                              Name               Type                       Value
                              =================  =========================  ==========
                              actions            Array                      [
                                "Microsoft.Resources/resources/read",
                                "Microsoft.Resources/subscriptions/resourceGroups/read"
                              ]
                              notActions         Array                      []
                              roleName           String                     Custom Role - RG Reader
                              roleDescription    String                     Subscription Level Deployment of a Role Definition
    
    Outputs                 :
    DeploymentDebugLogLevel :
    

Review deployed resources

Follow these steps to verify that the custom role was created.

  1. Run the Get-AzRoleDefinition command to list the custom role.

    Get-AzRoleDefinition "Custom Role - RG Reader" | ConvertTo-Json
    

    You should see output similar to the following:

    {
      "Name": "Custom Role - RG Reader",
      "Id": "11111111-1111-1111-1111-111111111111",
      "IsCustom": true,
      "Description": "Subscription Level Deployment of a Role Definition",
      "Actions": [
        "Microsoft.Resources/resources/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": [
        "/subscriptions/{subscriptionId}"
      ]
    }
    
  2. In the Azure portal, open your subscription.

  3. In the left menu, click Access control (IAM).

  4. Click the Roles tab.

  5. Set the Type list to CustomRole.

  6. Verify that the Custom Role - RG Reader role is listed.

    (Screenshot: the new custom role listed in the Azure portal)
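Listing the role in the portal confirms it exists, not that it grants only what its name promises. The following added example, which is not code from the original page or from the Azure Quickstart Templates project, applies one set of offline checks to both the template reviewed earlier (its parameter defaults substituted by hand, since no ARM expression evaluator is used) and the Get-AzRoleDefinition output shown above. It implements Azure RBAC action matching as documented for role definitions (case-insensitive, `*` matches any run of characters, NotActions subtracts from Actions rather than denying) so you can ask which operations the role really grants, and flags anything a resource-group reader should never carry; the "wildcard must end in /read" rule is a heuristic of this example, not an Azure rule.

```python
"""Offline checks for an Azure custom role definition (added example)."""
import json
import re

# The page's roleDefinitions resource with parameter defaults filled in by hand.
# The guid() name and subscription().id scope are left as ARM expressions.
TEMPLATE_ROLE = {
    "type": "Microsoft.Authorization/roleDefinitions",
    "apiVersion": "2018-07-01",
    "name": "[variables('roleDefName')]",
    "properties": {
        "roleName": "Custom Role - RG Reader",
        "description": "Subscription Level Deployment of a Role Definition",
        "type": "customRole",
        "isCustom": True,
        "permissions": [
            {"actions": ["Microsoft.Resources/subscriptions/resourceGroups/read"],
             "notActions": []}
        ],
        "assignableScopes": ["[subscription().id]"],
    },
}

# Get-AzRoleDefinition ... | ConvertTo-Json output as printed on the page
# (two actions, because that is what was typed at the deployment prompt).
DEPLOYED_ROLE_JSON = """
{
  "Name": "Custom Role - RG Reader",
  "Id": "11111111-1111-1111-1111-111111111111",
  "IsCustom": true,
  "Description": "Subscription Level Deployment of a Role Definition",
  "Actions": [
    "Microsoft.Resources/resources/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [ "/subscriptions/{subscriptionId}" ]
}
"""

# Operations that let the holder grant themselves more access. A role that
# matches either of these is not a reader, whatever its name says.
ESCALATION_OPERATIONS = (
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
)


def deployed_role() -> dict:
    """Parse the Get-AzRoleDefinition output embedded above."""
    return json.loads(DEPLOYED_ROLE_JSON)


def action_matches(pattern: str, operation: str) -> bool:
    """Azure RBAC action matching: case-insensitive, '*' matches any run of
    characters including '/', every other character is literal."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def is_granted(operation: str, actions, not_actions) -> bool:
    """Granted when some Actions entry matches and no NotActions entry does.
    NotActions only subtracts from this role; it is not a deny rule."""
    return any(action_matches(a, operation) for a in actions) and not any(
        action_matches(n, operation) for n in not_actions
    )


def normalize(role: dict) -> dict:
    """Accept the ARM resource shape (properties.permissions[]) or the
    Get-AzRoleDefinition shape (top-level Actions/NotActions)."""
    if "properties" in role:
        props = role["properties"]
        perms = props.get("permissions", [])
        return {
            "actions": [a for p in perms for a in p.get("actions", [])],
            "not_actions": [n for p in perms for n in p.get("notActions", [])],
            "scopes": props.get("assignableScopes", []),
            "is_custom": bool(props.get("isCustom")),
        }
    return {
        "actions": role.get("Actions", []),
        "not_actions": role.get("NotActions", []),
        "scopes": role.get("AssignableScopes", []),
        "is_custom": bool(role.get("IsCustom")),
    }


def granted_operations(role: dict, candidates) -> list:
    """Which of the candidate operations the role actually grants."""
    r = normalize(role)
    return [op for op in candidates if is_granted(op, r["actions"], r["not_actions"])]


def lint_reader_role(role: dict) -> list:
    """Findings for a role meant to be read-only; an empty list is clean."""
    r = normalize(role)
    findings = []
    if not r["is_custom"]:
        findings.append("isCustom is not true")
    if not r["scopes"]:
        findings.append("assignableScopes is empty, so the role can never be assigned")
    for a in r["actions"]:
        if "*" in a and not a.lower().endswith("/read"):  # heuristic, not an Azure rule
            findings.append(f"wildcard action not limited to read: {a}")
    for op in ESCALATION_OPERATIONS:
        if is_granted(op, r["actions"], r["not_actions"]):
            findings.append(f"grants privilege-escalation operation: {op}")
    return findings


if __name__ == "__main__":
    for label, role in (("template", TEMPLATE_ROLE), ("deployed", deployed_role())):
        print(label, "findings:", lint_reader_role(role) or "none")
```

Run it against a role pulled with `Get-AzRoleDefinition -Name ... | ConvertTo-Json` before assigning that role; a role that grants `Microsoft.Authorization/roleAssignments/write`, even through a wildcard such as `Microsoft.Authorization/*`, lets its holder assign themselves Owner at the assignable scope.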

Clean up resources

To remove the custom role, follow these steps.

  1. Run the following command to remove the custom role.

    Get-AzRoleDefinition -Name "Custom Role - RG Reader" | Remove-AzRoleDefinition
    
  2. Enter Y to confirm that you want to remove the custom role.

Next steps