使用 Azure CLI 添加或删除 Azure 角色分配Add or remove Azure role assignments using Azure CLI

Azure 基于角色的访问控制 (Azure RBAC) 是用于管理 Azure 资源访问权限的授权系统。Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. 若要授予访问权限,请将角色分配给特定范围内的用户、组、服务主体或托管标识。To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope. 本文介绍如何使用 Azure CLI 分配角色。Azure 基于角色的访问控制 (Azure RBAC) 是用于管理 Azure 资源访问权限的授权系统。Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. 若要授予访问权限,请将角色分配给特定范围内的用户、组、服务主体或托管标识。To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope. This article describes how to assign roles using Azure CLI.

先决条件Prerequisites

若要添加或删除角色分配,必须拥有以下权限:To add or remove role assignments, you must have:

获取对象 IDGet object IDs

若要添加或删除角色分配,可能需要指定对象的唯一 ID。To add or remove role assignments, you might need to specify the unique ID of an object. ID 的格式为:11111111-1111-1111-1111-111111111111The ID has the format: 11111111-1111-1111-1111-111111111111. 可以使用 Azure 门户或 Azure CLI 获取 ID。You can get the ID using the Azure portal or Azure CLI.

UserUser

若要获取 Azure AD 用户的对象 ID,可以使用 az ad user showTo get the object ID for an Azure AD user, you can use az ad user show.

az ad user show --id "{email}" --query objectId --output tsv

Group

若要获取 Azure AD 组的对象 ID,可以使用 az ad group showaz ad group listTo get the object ID for an Azure AD group, you can use az ad group show or az ad group list.

az ad group show --group "{name}" --query objectId --output tsv

应用程序Application

若要获取 Azure AD 服务主体的对象ID(应用程序使用的标识),可以使用 az ad sp listTo get the object ID for an Azure AD service principal (identity used by an application), you can use az ad sp list. 对于服务主体,请使用对象 ID,而是使用应用程序 ID。For a service principal, use the object ID and not the application ID.

az ad sp list --display-name "{name}" --query [].objectId --output tsv

添加角色分配Add a role assignment

在 Azure RBAC 中,若要授予访问权限,请添加角色分配。In Azure RBAC, to grant access, you add a role assignment.

资源组范围内的用户User at a resource group scope

若要为资源组范围的用户添加角色分配,请使用 az role assignment createTo add a role assignment for a user at a resource group scope, use az role assignment create.

az role assignment create --role {roleNameOrId} --assignee {assignee} --resource-group {resourceGroup}

以下示例将“虚拟机参与者”角色分配给 pharma-sales 资源组范围内的 patlong@contoso.com 用户:The following example assigns the Virtual Machine Contributor role to patlong@contoso.com user at the pharma-sales resource group scope:

az role assignment create --role "Virtual Machine Contributor" --assignee patlong@contoso.com --resource-group pharma-sales

使用唯一角色 IDUsing the unique role ID

很多时候角色名称可能会更改,例如:There are a couple of times when a role name might change, for example:

  • 你使用的是自己的自定义角色,你决定更改名称。You are using your own custom role and you decide to change the name.
  • 你使用的是预览版角色,其名称中有“(预览)”字样。You are using a preview role that has (Preview) in the name. 发布角色时重命名了角色。When the role is released, the role is renamed.

重要

预览版在提供时没有附带服务级别协议,不建议将其用于生产工作负荷。A preview version is provided without a service level agreement, and it's not recommended for production workloads. 某些功能可能不受支持或者受限。Certain features might not be supported or might have constrained capabilities. 有关详细信息,请参阅适用于 Azure 预览版的补充使用条款For more information, see Supplemental Terms of Use for Azure Previews.

即使重命名了角色,角色 ID 也不会更改。Even if a role is renamed, the role ID does not change. 如果使用脚本或自动化来创建角色分配,最佳做法是使用唯一的角色 ID 而非角色名称。If you are using scripts or automation to create your role assignments, it's a best practice to use the unique role ID instead of the role name. 这样一来,即使角色重命名,脚本仍可以使用。Therefore, if a role is renamed, your scripts are more likely to work.

若要使用唯一的角色 ID 而非角色名称来添加角色分配,请使用 az role assignment create 命令。To add a role assignment using the unique role ID instead of the role name, use az role assignment create.

az role assignment create --role {roleId} --assignee {assignee} --resource-group {resourceGroup}

以下示例将“虚拟机参与者”角色分配给 pharma-sales 资源组范围内的 patlong@contoso.com 用户。The following example assigns the Virtual Machine Contributor role to the patlong@contoso.com user at the pharma-sales resource group scope. 若要获取唯一的角色 ID,可以使用 az role definition list,也可以参阅 Azure 内置角色To get the unique role ID, you can use az role definition list or see Azure built-in roles.

az role assignment create --role 9980e02c-c2be-4d73-94e8-173b1dc7cf3c --assignee patlong@contoso.com --resource-group pharma-sales

订阅范围内的组Group at a subscription scope

若要为组添加角色分配,请使用 az role assignment createTo add a role assignment for a group, use az role assignment create. 有关如何获取组的对象 ID 的信息,请参阅获取对象 IDFor information about how to get the object ID of the group, see Get object IDs.

az role assignment create --role {roleNameOrId} --assignee-object-id {assigneeObjectId} --resource-group {resourceGroup} --scope /subscriptions/{subscriptionId}

以下示例将“读者”角色分配给订阅范围内 ID 为 22222222-2222-2222-2222-222222222222 的“Ann Mack 团队”组。The following example assigns the Reader role to the Ann Mack Team group with ID 22222222-2222-2222-2222-222222222222 at a subscription scope.

az role assignment create --role Reader --assignee-object-id 22222222-2222-2222-2222-222222222222 --scope /subscriptions/00000000-0000-0000-0000-000000000000

资源范围内的组Group at a resource scope

若要为组添加角色分配,请使用 az role assignment createTo add a role assignment for a group, use az role assignment create. 有关如何获取组的对象 ID 的信息,请参阅获取对象 IDFor information about how to get the object ID of the group, see Get object IDs.

以下示例将“虚拟机参与者”角色分配给名为 pharma-sales-project-network 的虚拟网络的资源范围内 ID 为 22222222-2222-2222-2222-222222222222 的“Ann Mack 团队”组。The following example assigns the Virtual Machine Contributor role to the Ann Mack Team group with ID 22222222-2222-2222-2222-222222222222 at a resource scope for a virtual network named pharma-sales-project-network.

az role assignment create --role "Virtual Machine Contributor" --assignee-object-id 22222222-2222-2222-2222-222222222222 --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/pharma-sales/providers/Microsoft.Network/virtualNetworks/pharma-sales-project-network

资源组范围内的应用程序Application at a resource group scope

若要为应用程序添加角色分配,请使用 az role assignment createTo add a role assignment for an application, use az role assignment create. 有关如何获取应用程序的对象 ID 的信息,请参阅获取对象 IDFor information about how to get the object ID of the application, see Get object IDs.

az role assignment create --role {roleNameOrId} --assignee-object-id {assigneeObjectId} --resource-group {resourceGroup}

以下示例将“虚拟机参与者”角色分配给 pharma-sales 资源组范围内对象 ID 为 44444444-4444-4444-4444-444444444444 的应用程序。The following example assigns the Virtual Machine Contributor role to an application with object ID 44444444-4444-4444-4444-444444444444 at the pharma-sales resource group scope.

az role assignment create --role "Virtual Machine Contributor" --assignee-object-id 44444444-4444-4444-4444-444444444444 --resource-group pharma-sales

订阅范围内的用户User at a subscription scope

若要为订阅范围的用户添加角色分配,请使用 az role assignment createTo add a role assignment for a user at a subscription scope, use az role assignment create. 若要获取订阅 ID,可以在 Azure 门户中的“订阅”边栏选项卡上找到它,也可以使用 az account listTo get the subscription ID, you can find it on the Subscriptions blade in the Azure portal or you can use az account list.

az role assignment create --role {roleNameOrId} --assignee {assignee} --subscription {subscriptionNameOrId}

以下示例将“读者”角色分配给订阅范围的 annm@example.com 用户。The following example assigns the Reader role to the annm@example.com user at a subscription scope.

az role assignment create --role "Reader" --assignee annm@example.com --subscription 00000000-0000-0000-0000-000000000000

管理组范围内的用户User at a management group scope

若要为管理组范围的用户添加角色分配,请使用 az role assignment createTo add a role assignment for a user at a management group scope, use az role assignment create. 若要获取管理组 ID,可以在 Azure 门户中的“管理组”边栏选项卡上找到它,也可以使用 az account management-group listTo get the management group ID, you can find it on the Management groups blade in the Azure portal or you can use az account management-group list.

az role assignment create --role {roleNameOrId} --assignee {assignee} --scope /providers/Microsoft.Management/managementGroups/{groupId}

以下示例将“账单读者”角色分配给管理组范围的 alain@example.com 用户。The following example assigns the Billing Reader role to the alain@example.com user at a management group scope.

az role assignment create --role "Billing Reader" --assignee alain@example.com --scope /providers/Microsoft.Management/managementGroups/marketing-group

新服务主体New service principal

如果创建新的服务主体并立即尝试将角色分配给该服务主体,则在某些情况下该角色分配可能会失败。If you create a new service principal and immediately try to assign a role to that service principal, that role assignment can fail in some cases. 例如,如果使用脚本创建新的托管标识,然后尝试将角色分配给该服务主体,则角色分配可能会失败。For example, if you use a script to create a new managed identity and then try to assign a role to that service principal, the role assignment might fail. 此失败的原因可能是复制延迟。The reason for this failure is likely a replication delay. 服务主体是在一个区域中创建的;但是,角色分配可能发生在尚未复制服务主体的另一个区域中。The service principal is created in one region; however, the role assignment might occur in a different region that hasn't replicated the service principal yet. 若要解决这种情况,应该在创建角色分配时指定主体类型。To address this scenario, you should specify the principal type when creating the role assignment.

若要添加角色分配,请使用 az role assignment create,为 --assignee-object-id 指定值,然后将 --assignee-principal-type 设置为 ServicePrincipalTo add a role assignment, use az role assignment create, specify a value for --assignee-object-id, and then set --assignee-principal-type to ServicePrincipal.

az role assignment create --role {roleNameOrId} --assignee-object-id {assigneeObjectId} --assignee-principal-type {assigneePrincipalType} --resource-group {resourceGroup} --scope /subscriptions/{subscriptionId}

以下示例将“虚拟机参与者”角色分配给“pharma-sales”资源组范围内的 msi-test 托管标识:The following example assigns the Virtual Machine Contributor role to the msi-test managed identity at the pharma-sales resource group scope:

az role assignment create --role "Virtual Machine Contributor" --assignee-object-id 33333333-3333-3333-3333-333333333333 --assignee-principal-type ServicePrincipal --resource-group pharma-sales

删除角色分配Remove a role assignment

在 Azure RBAC 中,若要删除访问权限,请使用 az role assignment delete 删除角色分配:In Azure RBAC, to remove access, you remove a role assignment by using az role assignment delete:

az role assignment delete --assignee {assignee} --role {roleNameOrId} --resource-group {resourceGroup}

以下示例在 pharma-sales 资源组上从 patlong@contoso.com 用户删除“虚拟机参与者”角色分配:The following example removes the Virtual Machine Contributor role assignment from the patlong@contoso.com user on the pharma-sales resource group:

az role assignment delete --assignee patlong@contoso.com --role "Virtual Machine Contributor" --resource-group pharma-sales

以下示例将“读者”角色从订阅范围内 ID 为 22222222-2222-2222-2222-222222222222 的“Ann Mack 团队”组删除。The following example removes the Reader role from the Ann Mack Team group with ID 22222222-2222-2222-2222-222222222222 at a subscription scope. 有关如何获取组的对象 ID 的信息,请参阅获取对象 IDFor information about how to get the object ID of the group, see Get object IDs.

az role assignment delete --assignee 22222222-2222-2222-2222-222222222222 --role "Reader" --subscription 00000000-0000-0000-0000-000000000000

以下示例将“账单读者”角色从管理组范围的 alain@example.com 用户中删除。The following example removes the Billing Reader role from the alain@example.com user at the management group scope. 若要获取管理组的 ID,可以使用 az account management-group listTo get the ID of the management group, you can use az account management-group list.

az role assignment delete --assignee alain@example.com --role "Billing Reader" --scope /providers/Microsoft.Management/managementGroups/marketing-group

后续步骤Next steps