Manage access to Azure resources using RBAC and Azure CLI

Role-based access control (RBAC) is the way that you manage access to Azure resources. This article describes how you manage access for users, groups, and applications using RBAC and Azure CLI.

Prerequisites

To manage access, you need one of the following:

List roles

To list all available role definitions, use az role definition list:

az role definition list

The following example lists the name and description of all available role definitions:

az role definition list --output json | jq '.[] | {"roleName":.roleName, "description":.description}'
{
  "roleName": "API Management Service Contributor",
  "description": "Can manage service and the APIs"
}
{
  "roleName": "API Management Service Operator Role",
  "description": "Can manage service but not the APIs"
}
{
  "roleName": "API Management Service Reader Role",
  "description": "Read-only access to service and APIs"
}

...

The following example lists all of the built-in role definitions:

az role definition list --custom-role-only false --output json | jq '.[] | {"roleName":.roleName, "description":.description, "roleType":.roleType}'
{
  "roleName": "API Management Service Contributor",
  "description": "Can manage service and the APIs",
  "roleType": "BuiltInRole"
}
{
  "roleName": "API Management Service Operator Role",
  "description": "Can manage service but not the APIs",
  "roleType": "BuiltInRole"
}
{
  "roleName": "API Management Service Reader Role",
  "description": "Read-only access to service and APIs",
  "roleType": "BuiltInRole"
}

...

List a role definition

To list a single role definition, use az role definition list with --name:

az role definition list --name <role_name>

The following example lists the Contributor role definition:

az role definition list --name "Contributor"
[
  {
    "additionalProperties": {},
    "assignableScopes": [
      "/"
    ],
    "description": "Lets you manage everything except access to resources.",
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
    "name": "b24988ac-6180-42a0-ab88-20f7382dd24c",
    "permissions": [
      {
        "actions": [
          "*"
        ],
        "additionalProperties": {},
        "dataActions": [],
        "notActions": [
          "Microsoft.Authorization/*/Delete",
          "Microsoft.Authorization/*/Write",
          "Microsoft.Authorization/elevateAccess/Action"
        ],
        "notDataActions": []
      }
    ],
    "roleName": "Contributor",
    "roleType": "BuiltInRole",
    "type": "Microsoft.Authorization/roleDefinitions"
  }
]

List actions of a role

The following example lists just the actions and notActions of the Contributor role:

az role definition list --name "Contributor" --output json | jq '.[] | {"actions":.permissions[0].actions, "notActions":.permissions[0].notActions}'
{
  "actions": [
    "*"
  ],
  "notActions": [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action"
  ]
}

The following example lists just the actions of the Virtual Machine Contributor role:

az role definition list --name "Virtual Machine Contributor" --output json | jq '.[] | .permissions[0].actions'
[
  "Microsoft.Authorization/*/read",
  "Microsoft.Compute/availabilitySets/*",
  "Microsoft.Compute/locations/*",
  "Microsoft.Compute/virtualMachines/*",
  "Microsoft.Compute/virtualMachineScaleSets/*",
  "Microsoft.Insights/alertRules/*",
  "Microsoft.Network/applicationGateways/backendAddressPools/join/action",
  "Microsoft.Network/loadBalancers/backendAddressPools/join/action",

  ...

  "Microsoft.Storage/storageAccounts/listKeys/action",
  "Microsoft.Storage/storageAccounts/read"
]
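The actions and notActions lists above are evaluated together: an operation is allowed by a role only if it matches an entry in actions and no entry in notActions, with case-insensitive matching where `*` spans any characters, including `/`. The following added example (not Microsoft's code) applies those rules to the Contributor permissions block printed above; the JSON is a constructed copy of that output so the script runs offline.

```python
"""Check whether an Azure RBAC role definition permits a control-plane
operation, using the actions / notActions semantics of Azure RBAC.

Added example. Rules applied: permitted if the operation matches at least
one `actions` pattern and no `notActions` pattern; matching is
case-insensitive and `*` matches any run of characters, including '/'.
"""
import fnmatch
import json

# Constructed sample: the permissions block of the Contributor role as
# printed by `az role definition list --name "Contributor"` on this page.
CONTRIBUTOR_JSON = """
{
  "roleName": "Contributor",
  "permissions": [
    {
      "actions": ["*"],
      "notActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action"
      ]
    }
  ]
}
"""
CONTRIBUTOR = json.loads(CONTRIBUTOR_JSON)


def _matches(operation: str, patterns: list[str]) -> bool:
    """True if `operation` matches any Azure action pattern (case-insensitive)."""
    op = operation.lower()
    return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)


def role_permits(role_def: dict, operation: str) -> bool:
    """True if some permissions block allows `operation` and does not exclude it."""
    for perm in role_def.get("permissions", []):
        if _matches(operation, perm.get("actions", [])) and not _matches(
            operation, perm.get("notActions", [])
        ):
            return True
    return False


def denied_operations(role_def: dict, operations: list[str]) -> list[str]:
    """Subset of `operations` the role does NOT permit, for a least-privilege review."""
    return [op for op in operations if not role_permits(role_def, op)]


if __name__ == "__main__":
    for op in ["Microsoft.Compute/virtualMachines/write",        # allowed by "*"
               "Microsoft.Authorization/roleAssignments/write",  # excluded by notActions
               "Microsoft.Authorization/roleDefinitions/read"]:  # read is not excluded
        print(op, "->", "permitted" if role_permits(CONTRIBUTOR, op) else "denied")
```

The same functions work on any role definition returned by az role definition list, so they can be used to compare a custom role against a list of operations you intend it to grant.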

List access

In RBAC, to list access, you list the role assignments.

List role assignments for a user

To list the role assignments for a specific user, use az role assignment list:

az role assignment list --assignee <assignee>

By default, only direct assignments scoped to the subscription are displayed. To view assignments scoped to a resource or resource group, use --all; to view inherited assignments, use --include-inherited.

The following example lists the role assignments that are assigned directly to the patlong@contoso.com user:

az role assignment list --all --assignee patlong@contoso.com --output json | jq '.[] | {"principalName":.principalName, "roleDefinitionName":.roleDefinitionName, "scope":.scope}'
{
  "principalName": "patlong@contoso.com",
  "roleDefinitionName": "Backup Operator",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales"
}
{
  "principalName": "patlong@contoso.com",
  "roleDefinitionName": "Virtual Machine Contributor",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales"
}

List role assignments at a resource group scope

To list the role assignments that exist at a resource group scope, use az role assignment list:

az role assignment list --resource-group <resource_group>

The following example lists the role assignments for the pharma-sales resource group:

az role assignment list --resource-group pharma-sales --output json | jq '.[] | {"principalName":.principalName, "roleDefinitionName":.roleDefinitionName, "scope":.scope}'
{
  "principalName": "patlong@contoso.com",
  "roleDefinitionName": "Backup Operator",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales"
}
{
  "principalName": "patlong@contoso.com",
  "roleDefinitionName": "Virtual Machine Contributor",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales"
}

...

List role assignments at a subscription scope

To list all role assignments at a subscription scope, use az role assignment list. To get the subscription ID, you can find it on the Subscriptions blade in the Azure portal or you can use az account list.

az role assignment list --subscription <subscription_name_or_id>
az role assignment list --subscription 00000000-0000-0000-0000-000000000000 --output json | jq '.[] | {"principalName":.principalName, "roleDefinitionName":.roleDefinitionName, "scope":.scope}'

List role assignments at a management group scope

To list all role assignments at a management group scope, use az role assignment list. To get the management group ID, you can find it on the Management groups blade in the Azure portal or you can use az account management-group list.

az role assignment list --scope /providers/Microsoft.Management/managementGroups/<group_id>
az role assignment list --scope /providers/Microsoft.Management/managementGroups/marketing-group --output json | jq '.[] | {"principalName":.principalName, "roleDefinitionName":.roleDefinitionName, "scope":.scope}'

Grant access

In RBAC, to grant access, you create a role assignment.

Create a role assignment for a user at a resource group scope

To grant access to a user at a resource group scope, use az role assignment create.

az role assignment create --role <role_name_or_id> --assignee <assignee> --resource-group <resource_group>

The following example assigns the Virtual Machine Contributor role to the patlong@contoso.com user at the pharma-sales resource group scope:

az role assignment create --role "Virtual Machine Contributor" --assignee patlong@contoso.com --resource-group pharma-sales

Create a role assignment using the unique role ID

There are a couple of situations in which a role name might change, for example:

  • You are using your own custom role and you decide to change the name.
  • You are using a preview role that has (Preview) in the name. When the role is released, the role is renamed.

Important

A preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Azure Previews.

Even if a role is renamed, the role ID does not change. If you are using scripts or automation to create your role assignments, it's a best practice to use the unique role ID instead of the role name. That way, if a role is renamed, your scripts keep working.

To create a role assignment using the unique role ID instead of the role name, use az role assignment create.

az role assignment create --role <role_id> --assignee <assignee> --resource-group <resource_group>

The following example assigns the Virtual Machine Contributor role to the patlong@contoso.com user at the pharma-sales resource group scope. To get the unique role ID, you can use az role definition list or see Built-in roles for Azure resources.

az role assignment create --role 9980e02c-c2be-4d73-94e8-173b1dc7cf3c --assignee patlong@contoso.com --resource-group pharma-sales
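The following added example (not Microsoft's code) shows the resolution step a script would perform once: look the role ID up in the output of az role definition list, then build the az role assignment create command with the ID rather than the name. The JSON is a constructed copy of that output; the two built-in IDs are the ones shown on this page, while the custom role, its GUID and its former "(Preview)" name are made up for the example.

```python
"""Resolve a role name to its unique role ID and build the
`az role assignment create` argv keyed by that ID. Added example."""
import json
import shlex

# Constructed sample of `az role definition list --output json`. The built-in
# GUIDs appear on this page; the custom role, its GUID and its earlier name
# "Pharma VM Operator (Preview)" are made up for the demonstration.
ROLE_DEFINITIONS_JSON = """
[
  {"roleName": "Contributor",
   "name": "b24988ac-6180-42a0-ab88-20f7382dd24c", "roleType": "BuiltInRole"},
  {"roleName": "Virtual Machine Contributor",
   "name": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c", "roleType": "BuiltInRole"},
  {"roleName": "Pharma VM Operator",
   "name": "11111111-1111-1111-1111-111111111111", "roleType": "CustomRole"}
]
"""
ROLE_DEFINITIONS = json.loads(ROLE_DEFINITIONS_JSON)


def resolve_role_id(definitions: list[dict], role_name: str) -> str:
    """Map a role name to its immutable ID; fail loudly on zero or several matches."""
    hits = [d["name"] for d in definitions
            if d["roleName"].lower() == role_name.lower()]
    if len(hits) != 1:
        raise LookupError(f"{role_name!r}: {len(hits)} matching role definitions")
    return hits[0]


def role_id_exists(definitions: list[dict], role_id: str) -> bool:
    """True if a definition with this GUID is present (names change, IDs do not)."""
    return any(d["name"].lower() == role_id.lower() for d in definitions)


def assignment_create_argv(role_id: str, assignee: str, resource_group: str) -> list[str]:
    """argv for `az role assignment create` at resource group scope, keyed by role ID."""
    return ["az", "role", "assignment", "create",
            "--role", role_id, "--assignee", assignee,
            "--resource-group", resource_group]


if __name__ == "__main__":
    vm_id = resolve_role_id(ROLE_DEFINITIONS, "Virtual Machine Contributor")
    print(shlex.join(assignment_create_argv(vm_id, "patlong@contoso.com", "pharma-sales")))
    # A script that stored the pre-release name breaks after the rename...
    try:
        resolve_role_id(ROLE_DEFINITIONS, "Pharma VM Operator (Preview)")
    except LookupError as err:
        print("name lookup failed:", err)
    # ...while one that stored the ID keeps working.
    print("ID still valid:", role_id_exists(ROLE_DEFINITIONS, "11111111-1111-1111-1111-111111111111"))
```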

Create a role assignment for a group

To grant access to a group, use az role assignment create. To get the ID of the group, you can use az ad group list or az ad group show.

az role assignment create --role <role_name_or_id> --assignee-object-id <assignee_object_id> --resource-group <resource_group> --scope </subscriptions/subscription_id>

The following example assigns the Reader role to the Ann Mack Team group with ID 22222222-2222-2222-2222-222222222222 at a subscription scope.

az role assignment create --role Reader --assignee-object-id 22222222-2222-2222-2222-222222222222 --scope /subscriptions/00000000-0000-0000-0000-000000000000

The following example assigns the Virtual Machine Contributor role to the Ann Mack Team group with ID 22222222-2222-2222-2222-222222222222 at a resource scope for a virtual network named pharma-sales-project-network.

az role assignment create --role "Virtual Machine Contributor" --assignee-object-id 22222222-2222-2222-2222-222222222222 --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/pharma-sales/providers/Microsoft.Network/virtualNetworks/pharma-sales-project-network

Create a role assignment for an application at a resource group scope

To grant access to an application, use az role assignment create. To get the object ID of the application, you can use az ad app list or az ad app show.

az role assignment create --role <role_name_or_id> --assignee-object-id <assignee_object_id> --resource-group <resource_group>

The following example assigns the Virtual Machine Contributor role to an application with object ID 44444444-4444-4444-4444-444444444444 at the pharma-sales resource group scope.

az role assignment create --role "Virtual Machine Contributor" --assignee-object-id 44444444-4444-4444-4444-444444444444 --resource-group pharma-sales

Create a role assignment for a user at a subscription scope

To grant access to a user at a subscription scope, use az role assignment create. To get the subscription ID, you can find it on the Subscriptions blade in the Azure portal or you can use az account list.

az role assignment create --role <role_name_or_id> --assignee <assignee> --subscription <subscription_name_or_id>

The following example assigns the Reader role to the annm@example.com user at a subscription scope.

az role assignment create --role "Reader" --assignee annm@example.com --subscription 00000000-0000-0000-0000-000000000000

Create a role assignment for a user at a management group scope

To grant access to a user at a management group scope, use az role assignment create. To get the management group ID, you can find it on the Management groups blade in the Azure portal or you can use az account management-group list.

az role assignment create --role <role_name_or_id> --assignee <assignee> --scope /providers/Microsoft.Management/managementGroups/<group_id>

The following example assigns the Billing Reader role to the alain@example.com user at a management group scope.

az role assignment create --role "Billing Reader" --assignee alain@example.com --scope /providers/Microsoft.Management/managementGroups/marketing-group

Create a role assignment for a new service principal

If you create a new service principal and immediately try to assign a role to that service principal, that role assignment can fail in some cases. For example, if you use a script to create a new managed identity and then try to assign a role to that service principal, the role assignment might fail. The reason for this failure is likely a replication delay: the service principal is created in one region, but the role assignment might be processed in a different region that hasn't replicated the service principal yet. To address this scenario, specify the principal type when creating the role assignment.

To create the role assignment, use az role assignment create, specify a value for --assignee-object-id, and set --assignee-principal-type to ServicePrincipal.

az role assignment create --role <role_name_or_id> --assignee-object-id <assignee_object_id> --assignee-principal-type <assignee_principal_type> --resource-group <resource_group> --scope </subscriptions/subscription_id>

The following example assigns the Virtual Machine Contributor role to the msi-test managed identity at the pharma-sales resource group scope:

az role assignment create --role "Virtual Machine Contributor" --assignee-object-id 33333333-3333-3333-3333-333333333333 --assignee-principal-type ServicePrincipal --resource-group pharma-sales

Remove access

In RBAC, to remove access, you remove a role assignment by using az role assignment delete:

az role assignment delete --assignee <assignee> --role <role_name_or_id> --resource-group <resource_group>

The following example removes the Virtual Machine Contributor role assignment from the patlong@contoso.com user on the pharma-sales resource group:

az role assignment delete --assignee patlong@contoso.com --role "Virtual Machine Contributor" --resource-group pharma-sales

The following example removes the Reader role from the Ann Mack Team group with ID 22222222-2222-2222-2222-222222222222 at a subscription scope. To get the ID of the group, you can use az ad group list or az ad group show.

az role assignment delete --assignee 22222222-2222-2222-2222-222222222222 --role "Reader" --subscription 00000000-0000-0000-0000-000000000000

The following example removes the Billing Reader role from the alain@example.com user at the management group scope. To get the ID of the management group, you can use az account management-group list.

az role assignment delete --assignee alain@example.com --role "Billing Reader" --scope /providers/Microsoft.Management/managementGroups/marketing-group

Next steps