Assign Azure roles using Azure CLI

Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope. This article describes how to assign roles using Azure CLI.

Prerequisites

To assign roles, you must have:

  • Microsoft.Authorization/roleAssignments/write permission at the target scope, which the User Access Administrator and Owner built-in roles include.

Steps to assign an Azure role

A role assignment consists of three elements: a security principal, a role definition, and a scope.

Step 1: Determine who needs access

You can assign a role to a user, group, service principal, or managed identity. To assign a role, you might need to specify the unique object ID of that principal. The ID has the format 11111111-1111-1111-1111-111111111111. You can get the ID using the Azure portal or Azure CLI. The --query expressions in this section use the objectId property; Azure CLI 2.37.0 and later return Microsoft Graph property names, where the same value is called id, so change the query to "id" on a current CLI.

User

For an Azure AD user, get the user principal name, such as patlong@contoso.com, or the user object ID. To get the object ID, you can use az ad user show.

az ad user show --id "{principalName}" --query "objectId" --output tsv

Group

For an Azure AD group, you need the group object ID. To get the object ID, you can use az ad group show or az ad group list.

az ad group show --group "{groupName}" --query "objectId" --output tsv

Service principal

For an Azure AD service principal (the identity used by an application), you need the service principal object ID. To get the object ID, you can use az ad sp list. For a service principal, use the object ID, not the application (client) ID; they are different GUIDs for the same application.

az ad sp list --all --query "[].{displayName:displayName, objectId:objectId}" --output tsv
az ad sp list --display-name "{displayName}"

Managed identity

For a system-assigned or user-assigned managed identity, you need the object ID. To get the object ID, you can use az ad sp list.

az ad sp list --all --filter "servicePrincipalType eq 'ManagedIdentity'"

To list only user-assigned managed identities, you can use az identity list.

az identity list

Step 2: Select the appropriate role

Permissions are grouped together into roles. You can select from a list of several Azure built-in roles, or you can use your own custom roles. It's a best practice to grant access with the least privilege that is needed, so avoid assigning a broader role than the task requires.

To list roles and get the unique role ID, you can use az role definition list.

az role definition list --query "[].{name:name, roleType:roleType, roleName:roleName}" --output tsv

Here's how to list the details of a particular role.

az role definition list --name "{roleName}"

For more information, see List Azure role definitions.

Step 3: Identify the needed scope

Azure provides four levels of scope: resource, resource group, subscription, and management group. Assignments are inherited downward, so a role assigned at a subscription applies to every resource group and resource in it. It's a best practice to grant access with the least privilege that is needed, so avoid assigning a role at a broader scope than necessary. For more information about scope, see Understand scope.
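A review script for the least-privilege guidance above, as an added example (not code from the original page): it flags privileged roles assigned at subscription or management-group scope, where every resource underneath inherits them. The sample rows are constructed for the example, the BROAD_ROLES list is this example's own starting point, and only the az command quoted in the comment needs access to a tenant.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: flag privileged roles assigned at
# the two broadest scope levels. Sample data below is constructed.
set -eu

# Built-in roles that grant write or permission-management rights broadly.
# BROAD_ROLES is this example's own list; extend it for your environment.
BROAD_ROLES='Owner|Contributor|User Access Administrator|Role Based Access Control Administrator'

# flag_broad_assignments < TSV
# Reads one assignment per line: principalName, principalType,
# roleDefinitionName, scope (the column order the --query below produces) and
# prints the rows at subscription or management-group scope, prefixed with the
# scope level. Resource-group and resource scopes are left alone.
flag_broad_assignments() {
  awk -F '\t' -v roles="$BROAD_ROLES" '
    $3 ~ ("^(" roles ")$") {
      if ($4 ~ "^/providers/Microsoft\\.Management/managementGroups/[^/]+$")
        level = "management-group"
      else if ($4 ~ "^/subscriptions/[^/]+$")
        level = "subscription"
      else
        next
      printf "%s\t%s\t%s\t%s\t%s\n", level, $1, $2, $3, $4
    }'
}

# Constructed sample in the same column layout (not real tenant output).
sample_assignments() {
  printf '%s\t%s\t%s\t%s\n' \
    'patlong@contoso.com' 'User' 'Owner' '/subscriptions/00000000-0000-0000-0000-000000000000' \
    'Ann Mack Team' 'Group' 'Reader' '/subscriptions/00000000-0000-0000-0000-000000000000' \
    'ci-deployer' 'ServicePrincipal' 'Contributor' '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales' \
    'alain@example.com' 'User' 'User Access Administrator' '/providers/Microsoft.Management/managementGroups/marketing-group' \
    'alain@example.com' 'User' 'Billing Reader' '/providers/Microsoft.Management/managementGroups/marketing-group'
}

# Against a real tenant (requires az login and permission to read assignments):
#   az role assignment list --all \
#     --query "[].[principalName, principalType, roleDefinitionName, scope]" \
#     --output tsv | flag_broad_assignments
if [ "${1:-}" = "--sample" ]; then
  sample_assignments | flag_broad_assignments
fi
```

Run with --sample to see the two flagged rows (Owner at the subscription, User Access Administrator at the management group); the Contributor assignment at resource-group scope and the read-only roles are not reported.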

Resource scope

For resource scope, you need the resource ID of the resource. You can find the resource ID by looking at the properties of the resource in the Azure portal. A resource ID has the following format.

/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/{providerName}/{resourceType}/{resourceSubType}/{resourceName}

Resource group scope

For resource group scope, you need the name of the resource group. You can find the name on the Resource groups page in the Azure portal, or you can use az group list.

az group list --query "[].{name:name}" --output tsv

Subscription scope

For subscription scope, you need the subscription ID. You can find the ID on the Subscriptions page in the Azure portal, or you can use az account list.

az account list --query "[].{name:name, id:id}" --output tsv

Management group scope

For management group scope, you need the management group name. You can find the name on the Management groups page in the Azure portal, or you can use az account management-group list.

az account management-group list --query "[].{name:name, id:id}" --output tsv

Step 4: Assign role

To assign a role, use the az role assignment create command. Depending on the scope, the command typically has one of the following formats. The --assignee value can be an object ID, a user sign-in name, or a service principal name or application ID; the CLI resolves it through Azure AD before creating the assignment, so the caller also needs permission to read that directory object.

Resource scope

az role assignment create --assignee "{assignee}" \
--role "{roleNameOrId}" \
--scope "/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/{providerName}/{resourceType}/{resourceSubType}/{resourceName}"

Resource group scope

az role assignment create --assignee "{assignee}" \
--role "{roleNameOrId}" \
--resource-group "{resourceGroupName}"

Subscription scope

az role assignment create --assignee "{assignee}" \
--role "{roleNameOrId}" \
--subscription "{subscriptionNameOrId}"

Management group scope

az role assignment create --assignee "{assignee}" \
--role "{roleNameOrId}" \
--scope "/providers/Microsoft.Management/managementGroups/{managementGroupName}"

The following shows an example of the output when you assign the Virtual Machine Contributor role to a user at a resource group scope.

{
  "canDelegate": null,
  "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}",
  "name": "{roleAssignmentId}",
  "principalId": "{principalId}",
  "principalType": "User",
  "resourceGroup": "{resourceGroupName}",
  "roleDefinitionId": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
  "scope": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}",
  "type": "Microsoft.Authorization/roleAssignments"
}

Assign role examples

Assign a role for all blob containers in a storage account resource scope

Assigns the Storage Blob Data Contributor role to a service principal with object ID 55555555-5555-5555-5555-555555555555 at a resource scope for a storage account named storage12345.

az role assignment create --assignee "55555555-5555-5555-5555-555555555555" \
--role "Storage Blob Data Contributor" \
--scope "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Example-Storage-rg/providers/Microsoft.Storage/storageAccounts/storage12345"

Assign a role for a specific blob container resource scope

Assigns the Storage Blob Data Contributor role to a service principal with object ID 55555555-5555-5555-5555-555555555555 at a resource scope for a blob container named blob-container-01.

az role assignment create --assignee "55555555-5555-5555-5555-555555555555" \
--role "Storage Blob Data Contributor" \
--scope "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Example-Storage-rg/providers/Microsoft.Storage/storageAccounts/storage12345/blobServices/default/containers/blob-container-01"

Assign a role for a group in a specific virtual network resource scope

Assigns the Virtual Machine Contributor role to the Ann Mack Team group with ID 22222222-2222-2222-2222-222222222222 at a resource scope for a virtual network named pharma-sales-project-network.

az role assignment create --assignee "22222222-2222-2222-2222-222222222222" \
--role "Virtual Machine Contributor" \
--scope "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/pharma-sales/providers/Microsoft.Network/virtualNetworks/pharma-sales-project-network"

Assign a role for a user at a resource group scope

Assigns the Virtual Machine Contributor role to the patlong@contoso.com user at the pharma-sales resource group scope.

az role assignment create --assignee "patlong@contoso.com" \
--role "Virtual Machine Contributor" \
--resource-group "pharma-sales"

Assign a role for a user using the unique role ID at a resource group scope

A role name can change in a couple of situations, for example:

  • You are using your own custom role and you decide to change the name.
  • You are using a preview role that has (Preview) in the name. When the role is released, the role is renamed.

Even if a role is renamed, the role ID does not change. If you are using scripts or automation to create your role assignments, it's a best practice to use the unique role ID instead of the role name. That way your scripts keep working even if a role is renamed.

The following example assigns the Virtual Machine Contributor role to the patlong@contoso.com user at the pharma-sales resource group scope.

az role assignment create --assignee "patlong@contoso.com" \
--role "9980e02c-c2be-4d73-94e8-173b1dc7cf3c" \
--resource-group "pharma-sales"

Assign a role for all blob containers at a resource group scope

Assigns the Storage Blob Data Contributor role to a service principal with object ID 55555555-5555-5555-5555-555555555555 at the Example-Storage-rg resource group scope.

az role assignment create --assignee "55555555-5555-5555-5555-555555555555" \
--role "Storage Blob Data Contributor" \
--resource-group "Example-Storage-rg"

Alternatively, you can specify the fully qualified resource group with the --scope parameter:

az role assignment create --assignee "55555555-5555-5555-5555-555555555555" \
--role "Storage Blob Data Contributor" \
--scope "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Example-Storage-rg"

Assign a role for an application at a resource group scope

Assigns the Virtual Machine Contributor role to an application with service principal object ID 44444444-4444-4444-4444-444444444444 at the pharma-sales resource group scope.

az role assignment create --assignee "44444444-4444-4444-4444-444444444444" \
--role "Virtual Machine Contributor" \
--resource-group "pharma-sales"

Assign a role for a new service principal at a resource group scope

If you create a new service principal and immediately try to assign a role to it, that role assignment can fail in some cases. For example, if you use a script to create a new managed identity and then try to assign a role to that service principal, the role assignment might fail. The likely reason is a replication delay: the service principal is created in one region, but the role assignment might be processed in a different region that hasn't replicated the service principal yet. To address this scenario, specify the principal type when creating the role assignment. Supplying the type lets Azure skip the directory lookup for the principal, which also means a mistyped object ID is not caught: the assignment is created for a principal that doesn't exist. Verify the object ID before using this form.

To assign a role this way, use az role assignment create, specify the object ID with --assignee-object-id, and set --assignee-principal-type to ServicePrincipal. Give the scope with --resource-group, or with --scope for the other scope levels, but not both; the CLI rejects the combination as redundant.

az role assignment create --assignee-object-id "{assigneeObjectId}" \
--assignee-principal-type "{assigneePrincipalType}" \
--role "{roleNameOrId}" \
--resource-group "{resourceGroupName}"

The following example assigns the Virtual Machine Contributor role to the msi-test managed identity at the pharma-sales resource group scope:

az role assignment create --assignee-object-id "33333333-3333-3333-3333-333333333333" \
--assignee-principal-type "ServicePrincipal" \
--role "Virtual Machine Contributor" \
--resource-group "pharma-sales"
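The four steps above (principal, role, scope, assignment) and this section's object-ID/principal-type form, combined into one script as an added example; it is not code from the original page or from the Azure CLI documentation. It assumes Azure CLI is installed and you have run az login. The AZ variable, the function names (build_scope, resolve_role_id, assign_role, ...) and the level keywords mg/sub/rg/res are this example's own conventions, and the GUIDs are the page's placeholder values.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: assign a role end to end.
# Assumes Azure CLI and "az login"; set AZ to a wrapper or a test double to
# exercise the logic without a tenant.
set -eu

AZ="${AZ:-az}"

# is_guid ID -> succeeds when ID is shaped like an object ID (8-4-4-4-12 hex).
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# build_scope LEVEL ARGS... -> prints the scope string for one of the four levels:
#   build_scope mg  <managementGroupName>
#   build_scope sub <subscriptionId>
#   build_scope rg  <subscriptionId> <resourceGroupName>
#   build_scope res <subscriptionId> <resourceGroupName> <provider>/<type>/<name>
build_scope() {
  case "$1" in
    mg)  printf '/providers/Microsoft.Management/managementGroups/%s\n' "$2" ;;
    sub) printf '/subscriptions/%s\n' "$2" ;;
    rg)  printf '/subscriptions/%s/resourceGroups/%s\n' "$2" "$3" ;;
    res) printf '/subscriptions/%s/resourceGroups/%s/providers/%s\n' "$2" "$3" "$4" ;;
    *)   echo "build_scope: unknown level '$1' (use mg, sub, rg or res)" >&2; return 1 ;;
  esac
}

# resolve_role_id ROLE_NAME -> the role definition GUID (its "name" field), so
# the assignment keeps working if the display name changes later.
resolve_role_id() {
  "$AZ" role definition list --name "$1" --query "[0].name" --output tsv
}

# resolve_sp_object_id DISPLAY_NAME -> object ID of the service principal.
# Azure CLI 2.37+ returns the Microsoft Graph property "id"; older releases
# call it "objectId".
resolve_sp_object_id() {
  "$AZ" ad sp list --display-name "$1" --query "[0].id" --output tsv
}

# assign_role OBJECT_ID PRINCIPAL_TYPE ROLE_ID SCOPE
# Idempotent: lists the exact scope first and creates the assignment only when
# it is missing. Because the principal type is passed explicitly, Azure does
# not look the ID up in the directory, so the GUID check is the only guard
# against a mistyped ID producing an assignment for a non-existent principal.
assign_role() {
  local oid="$1" ptype="$2" role="$3" scope="$4" existing
  is_guid "$oid" || { echo "refusing: '$oid' is not an object ID" >&2; return 1; }
  existing=$("$AZ" role assignment list --scope "$scope" --role "$role" \
               --query "length([?principalId=='$oid'])" --output tsv)
  if [ "${existing:-0}" -gt 0 ]; then
    echo "assignment already present at $scope"
    return 0
  fi
  "$AZ" role assignment create --assignee-object-id "$oid" \
    --assignee-principal-type "$ptype" --role "$role" --scope "$scope" \
    --query "{id:id, principalId:principalId, roleDefinitionId:roleDefinitionId, scope:scope}" \
    --output json
}

# Usage: assign.sh <spDisplayName> <roleName> <level> <scope args...>
# e.g.   assign.sh msi-test "Virtual Machine Contributor" rg \
#            00000000-0000-0000-0000-000000000000 pharma-sales
main() {
  local sp_name="$1" role_name="$2" level="$3" scope oid role_id
  shift 3
  scope=$(build_scope "$level" "$@")
  oid=$(resolve_sp_object_id "$sp_name")
  role_id=$(resolve_role_id "$role_name")
  assign_role "$oid" ServicePrincipal "$role_id" "$scope"
}
if [ "$#" -ge 4 ]; then main "$@"; fi
```

The role is resolved to its GUID once and the assignment is created with that GUID, so the script survives a role rename; the existence check keeps a re-run from stacking duplicate assignments at the same scope.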

Assign a role for a user at a subscription scope

Assigns the Reader role to the annm@example.com user at a subscription scope.

az role assignment create --assignee "annm@example.com" \
--role "Reader" \
--subscription "00000000-0000-0000-0000-000000000000"

Assign a role for a group at a subscription scope

Assigns the Reader role to the Ann Mack Team group with ID 22222222-2222-2222-2222-222222222222 at a subscription scope.

az role assignment create --assignee "22222222-2222-2222-2222-222222222222" \
--role "Reader" \
--subscription "00000000-0000-0000-0000-000000000000"

Assign a role for all blob containers at a subscription scope

Assigns the Storage Blob Data Reader role to the alain@example.com user at a subscription scope.

az role assignment create --assignee "alain@example.com" \
--role "Storage Blob Data Reader" \
--scope "/subscriptions/00000000-0000-0000-0000-000000000000"

Assign a role for a user at a management group scope

Assigns the Billing Reader role to the alain@example.com user at a management group scope.

az role assignment create --assignee "alain@example.com" \
--role "Billing Reader" \
--scope "/providers/Microsoft.Management/managementGroups/marketing-group"

Next steps