Quickstart: Add an Azure role assignment using an ARM template

Azure role-based access control (Azure RBAC) is the way that you manage access to Azure resources. In this quickstart, you create a resource group and grant a user access to create and manage virtual machines in the resource group. This quickstart uses an Azure Resource Manager template (ARM template) to grant the access.

An ARM template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax, which lets you state what you intend to deploy without having to write the sequence of programming commands to create it.

If your environment meets the prerequisites and you're familiar with using ARM templates, select the Deploy to Azure button. The template will open in the Azure portal.

Deploy to Azure

Prerequisites

To add role assignments, you must have:

  • If you don't have an Azure subscription, create a Trial before you begin.
  • Microsoft.Authorization/roleAssignments/write and Microsoft.Authorization/roleAssignments/delete permissions, such as User Access Administrator or Owner
  • To add a role assignment, you must specify three elements: security principal, role definition, and scope. For this quickstart, the security principal is you or another user in your directory, the role definition is Virtual Machine Contributor, and the scope is a resource group that you specify.

Review the template

The template used in this quickstart is from Azure Quickstart Templates. The template has three parameters and a resources section. In the resources section, notice that it has the three elements of a role assignment: security principal, role definition, and scope.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "roleAssignmentName": {
      "type": "string",
      "metadata": {
        "description": "Specifies the name of the role assignment to create. It can be any valid GUID."
      }
    },
    "roleDefinitionID": {
      "type": "string",
      "metadata": {
        "description": "Specifies the role definition ID used in the role assignment."
      }
    },
    "principalId": {
      "type": "string",
      "metadata": {
        "description": "Specifies the principal ID assigned to the role."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2017-09-01",
      "name": "[parameters('roleAssignmentName')]",
      "properties": {
        "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]",
        "principalId": "[parameters('principalId')]",
        "scope": "[resourceGroup().id]"
      }
    }
  ]
}

The resource defined in the template is Microsoft.Authorization/roleAssignments.

Deploy the template

  1. Sign in to the Azure portal.

  2. Determine your email address that is associated with your Azure subscription. Or determine the email address of another user in your directory.

  3. Copy and paste the following script into PowerShell.

    $resourceGroupName = Read-Host -Prompt "Enter a resource group name (i.e. ExampleGrouprg)"
    $emailAddress = Read-Host -Prompt "Enter an email address for a user in your directory"
    $location = Read-Host -Prompt "Enter a location (i.e. chinanorth)"
    
    $roleAssignmentName = New-Guid
    $principalId = (Get-AzAdUser -Mail $emailAddress).id
    $roleDefinitionId = (Get-AzRoleDefinition -name "Virtual Machine Contributor").id
    $templateUri = "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-rbac-builtinrole-resourcegroup/azuredeploy.json"
    
    New-AzResourceGroup -Name $resourceGroupName -Location $location
    New-AzResourceGroupDeployment -ResourceGroupName $resourceGroupName -TemplateUri $templateUri -roleAssignmentName $roleAssignmentName -roleDefinitionID $roleDefinitionId -principalId $principalId
    
  4. Enter a resource group name such as ExampleGrouprg.

  5. Enter an email address for yourself or another user in your directory.

  6. Enter a location for the resource group such as chinanorth.

  7. If necessary, press Enter to run the New-AzResourceGroupDeployment command.

    The New-AzResourceGroup command creates a new resource group and the New-AzResourceGroupDeployment command deploys the template to add the role assignment.

    You should see output similar to the following:

    PS> New-AzResourceGroupDeployment -ResourceGroupName $resourceGroupName -TemplateUri $templateUri -roleAssignmentName $roleAssignmentName -roleDefinitionID $roleDefinitionId -principalId $principalId
    
    DeploymentName          : azuredeploy
    ResourceGroupName       : ExampleGrouprg
    ProvisioningState       : Succeeded
    Timestamp               : 5/22/2020 9:01:30 PM
    Mode                    : Incremental
    TemplateLink            :
                              Uri            : https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-rbac-builtinrole-resourcegroup/azuredeploy.json
                              ContentVersion : 1.0.0.0
    
    Parameters              :
                              Name                  Type                       Value
                              ====================  =========================  ==========
                              roleAssignmentName    String                     {roleAssignmentName}
                              roleDefinitionID      String                     9980e02c-c2be-4d73-94e8-173b1dc7cf3c
                              principalId           String                     {principalId}
    
    Outputs                 :
    DeploymentDebugLogLevel :
    

Review deployed resources

  1. In the Azure portal, open the resource group you created.

  2. In the left menu, click Access control (IAM).

  3. Click the Role assignments tab.

  4. Verify that the Virtual Machine Contributor role is assigned to the user you specified.

    New role assignment
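The portal check above can also be scripted. The following function is an added example, not part of the original quickstart or the Azure Quickstart Templates repository: it resolves the principal explicitly (the deployment script passes the lookup result through unchecked), confirms an assignment of the expected role exists at exactly the resource group scope, and warns if the same role is also inherited from a wider scope. It assumes the Az.Resources module is loaded and Connect-AzAccount has already been run.

```powershell
# Added example (not from the original quickstart). Requires Az.Resources and an
# existing Connect-AzAccount session.
function Test-RoleAssignmentScope {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $EmailAddress,
        [string] $RoleName = "Virtual Machine Contributor"
    )

    # Resolve the principal first. The quickstart script uses (Get-AzADUser ...).id
    # directly, so a mistyped address becomes $null and the deployment fails later
    # with a less obvious error.
    $user = Get-AzADUser -Mail $EmailAddress
    if (-not $user) { throw "No user with mail '$EmailAddress' exists in this directory." }

    # The template sets scope to resourceGroup().id; build the same value to compare against.
    $rg = Get-AzResourceGroup -Name $ResourceGroupName
    $expectedScope = $rg.ResourceId

    # Get-AzRoleAssignment at resource group scope also returns assignments inherited
    # from the subscription or a management group, so the Scope property must be checked.
    $assignments = Get-AzRoleAssignment -ObjectId $user.Id `
        -ResourceGroupName $ResourceGroupName -RoleDefinitionName $RoleName

    $direct    = @($assignments | Where-Object { $_.Scope -eq $expectedScope })
    $inherited = @($assignments | Where-Object { $_.Scope -ne $expectedScope })

    foreach ($a in $inherited) {
        Write-Warning "$RoleName for $EmailAddress is also inherited from wider scope: $($a.Scope)"
    }

    [pscustomobject]@{
        Principal      = $user.UserPrincipalName
        PrincipalId    = $user.Id
        Role           = $RoleName
        ExpectedScope  = $expectedScope
        AssignedHere   = ($direct.Count -eq 1)
        InheritedCount = $inherited.Count
    }
}

# Usage after the deployment in step 3 above (placeholder values):
# Test-RoleAssignmentScope -ResourceGroupName "ExampleGrouprg" -EmailAddress "user@example.com"
```

AssignedHere is $true only when the template's assignment exists at the resource group itself; an inherited Virtual Machine Contributor assignment alone would make the portal view look correct while leaving the user with broader access than this quickstart intends.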

Clean up resources

To remove the role assignment and resource group you created, follow these steps.

  1. Copy and paste the following script into PowerShell.

    $emailAddress = Read-Host -Prompt "Enter the email address of the user with the role assignment to remove"
    $resourceGroupName = Read-Host -Prompt "Enter the resource group name to remove (i.e. ExampleGrouprg)"
    
    $principalId = (Get-AzAdUser -Mail $emailAddress).id
    
    Remove-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName "Virtual Machine Contributor" -ResourceGroupName $resourceGroupName
    Remove-AzResourceGroup -Name $resourceGroupName
    
  2. Enter the email address of the user with the role assignment to remove.

  3. Enter the resource group name to remove such as ExampleGrouprg.

  4. If necessary, press Enter to run the Remove-AzResourceGroup command.

  5. Enter Y to confirm that you want to remove the resource group.

Next steps