I'm trying to add a virtual network rule to a Cosmos DB account using PowerShell. The VNETs live in a different tenant. I did the same thing for a storage account and it worked fine. I get the error below. Can someone give me some pointers on where I'm going wrong? Is it possible to do this in Cosmos DB at all?
Set-AzureRmResource : LinkedAuthorizationFailed : The client has permission to perform action 'Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action' on scope
'/subscriptions/<subscription ID of the Cosmos DB>/resourceGroups/nbspreprd3/providers/Microsoft.DocumentDb/databaseAccounts/nbspreprd3-config-document-db', however the current tenant '' is
not authorized to access linked subscription ''.
At line:8 char:5
+     Set-AzureRmResource -ResourceType $ResourceType -ResourceGroupNam ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Set-AzureRmResource], ErrorResponseMessageException
    + FullyQualifiedErrorId : LinkedAuthorizationFailed,Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.SetAzureResourceCmdlet
This is the PowerShell script
$ResourceGroupName = "*******"
$accountname = "*******"
$ResourceType = "Microsoft.DocumentDb/databaseAccounts"
$cosmosAccount = Get-AzureRmResource -ResourceType $ResourceType -ResourceGroupName $ResourceGroupName -Name $accountname
$VnrID1 = "/subscriptions/*******/resourceGroups/build-agents/providers/Microsoft.Network/virtualNetworks/build-agents-vnet/subnets/build-2-subnet"
$VnrID2 = "/subscriptions/*******/resourceGroups/build-agents/providers/Microsoft.Network/virtualNetworks/build-agents-vnet/subnets/build-3-subnet"
$VnrID3 = "/subscriptions/*******/resourceGroups/build-agents/providers/Microsoft.Network/virtualNetworks/build-agents-vnet/subnets/=build1-subnet"

function setCosmosRule {
    Param($ResourceGroupName, $accountname, $ResourceType, $cosmosAccount, $VnrID1)
    $vnetrules = $cosmosAccount.Properties.virtualNetworkRules
    # Skip the update when the subnet is already in the account's rule list
    $existsCosmos = ($vnetrules | Where-Object { $_.id -eq $VnrID1 } | Measure-Object).Count -ne 0
    if (-not $existsCosmos) {
        $ourObject = New-Object -TypeName psobject
        $ourObject | Add-Member -MemberType NoteProperty -Name id -Value $VnrID1
        # $true, not the bare word True: the bare word binds as the string "True" and is serialized as a string
        $ourObject | Add-Member -MemberType NoteProperty -Name ignoreMissingVNetServiceEndpoint -Value $true
        # Build a flat array of rules. "$vnetrules, $ourObject" would nest the existing rules as one element,
        # and @($vnetrules) would contribute a $null element when the account has no rules yet
        $newVnetRules = @($vnetrules | Where-Object { $null -ne $_ }) + $ourObject
        $cosmosAccount.Properties.virtualNetworkRules = $newVnetRules
        $CosmosDBProperties = $cosmosAccount.Properties
        Set-AzureRmResource -ResourceType $ResourceType -ResourceGroupName $ResourceGroupName -ResourceName $accountname -Properties $CosmosDBProperties -Force
    }
}

# Apply each subnet in turn, re-reading the account between calls so every update starts from the current rule list
foreach ($VnrID in $VnrID1, $VnrID2, $VnrID3) {
    setCosmosRule -ResourceGroupName $ResourceGroupName -accountname $accountname -ResourceType $ResourceType -cosmosAccount $cosmosAccount -VnrID1 $VnrID
    $cosmosAccount = Get-AzureRmResource -ResourceType $ResourceType -ResourceGroupName $ResourceGroupName -Name $accountname
}
Any pointers and hints much appreciated
Thanks
We resolved a similar issue by granting the deployment service principal Network Contributor on the external subscription.
We hit the same error in an almost identical scenario while deploying a composite ARM template containing a Key Vault, a Service Bus, a Storage account and a Cosmos DB account. The first three deployed successfully, with their firewalls set to the expected VNet/subnet from a separate subscription, peered with the VNet in the deployment target subscription. Everything in RBAC on the external subscription looked fine. Digging into Microsoft's service endpoint documentation, I came to this:

"After you add a VNet service endpoint to an Azure Cosmos account, to make any changes to the account settings, you need access to the Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action operation for all the VNETs configured on your Azure Cosmos account. This permission is required because the authorization process validates access to resources (such as database and virtual network resources) before evaluating any properties."

Source: https://learn.microsoft.com/en-us/azure/cosmos-db/vnet-service-endpoint?toc=%2Fazure%2Fvirtual-network%2Ftoc.json#are-additional-rbac-permissions-needed-for-azure-cosmos-accounts-with-vnet-service-endpoints

It doesn't make much sense that we need to add explicit permissions for the Cosmos DB account, especially since the other resource types were fine. After adding the additional access policy the Cosmos DB account deployed successfully.
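The two answers above say what permission was missing but not how to grant it narrowly. The script below is an added example, not code from the question or either answer: instead of Network Contributor (which also allows editing NSGs, peerings and routes), it creates a custom role carrying only the joinViaServiceEndpoint action plus subnet read, assigns it to the deploying service principal on each subnet the Cosmos account references, and then checks that every subnet is covered by some assignment before Set-AzureRmResource is run. The subscription ID, service principal name, role name and subnet IDs are placeholders (assumptions). It uses the same AzureRm cmdlets as the question; with the Az module the cmdlet names change to New-AzRoleDefinition, New-AzRoleAssignment and so on.

```powershell
# Added example (not from the question or answers). Grants the deploying service
# principal the single action Cosmos DB checks on every subnet in its
# virtualNetworkRules, scoped to the subnet in the subscription that owns the VNet.
# Every name and ID below is a placeholder (assumption); replace with your own.

$vnetSubscriptionId = "00000000-0000-0000-0000-000000000000"   # subscription that owns the VNet (assumption)
$deployerSpName     = "cosmos-deployer"                         # display name of the deploying SP (assumption)
$roleName           = "Service Endpoint Joiner"                 # custom role name (assumption)

# Every subnet already referenced by the account plus the ones being added:
# per the docs quoted above, the action is checked for ALL configured VNETs,
# so a single uncovered subnet still fails the whole update.
$subnetIds = @(
    "/subscriptions/$vnetSubscriptionId/resourceGroups/build-agents/providers/Microsoft.Network/virtualNetworks/build-agents-vnet/subnets/build-2-subnet",
    "/subscriptions/$vnetSubscriptionId/resourceGroups/build-agents/providers/Microsoft.Network/virtualNetworks/build-agents-vnet/subnets/build-3-subnet"
)

# The role definition and assignments live in the VNet subscription, not the Cosmos DB one.
Select-AzureRmSubscription -SubscriptionId $vnetSubscriptionId | Out-Null

# Least-privilege alternative to Network Contributor: only the join action and subnet read.
$role = Get-AzureRmRoleDefinition -Name $roleName
if (-not $role) {
    # Clone a built-in definition as a template and overwrite every field that matters.
    $role = Get-AzureRmRoleDefinition -Name "Reader"
    $role.Id = $null
    $role.Name = $roleName
    $role.Description = "Join subnets via service endpoint (Cosmos DB, Storage, SQL firewall rules)"
    $role.Actions.Clear()
    $role.Actions.Add("Microsoft.Network/virtualNetworks/subnets/read")
    $role.Actions.Add("Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action")
    $role.NotActions.Clear()
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add("/subscriptions/$vnetSubscriptionId")
    $role = New-AzureRmRoleDefinition -Role $role
}

# The principal must exist in the tenant that owns this subscription; a role
# assignment cannot reference an identity from another tenant.
$sp = Get-AzureRmADServicePrincipal -DisplayName $deployerSpName
if (-not $sp) { throw "Service principal '$deployerSpName' not found in the tenant of subscription $vnetSubscriptionId" }

foreach ($subnetId in $subnetIds) {
    # Subnet-scoped assignment: nothing else in the VNet becomes writable.
    $existing = Get-AzureRmRoleAssignment -ObjectId $sp.Id -Scope $subnetId -RoleDefinitionName $roleName
    if (-not $existing) {
        New-AzureRmRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope $subnetId | Out-Null
        Write-Host "Granted '$roleName' to '$deployerSpName' on $subnetId"
    }
}

# Pre-flight check before touching the Cosmos account: Get-AzureRmRoleAssignment with -Scope
# also returns assignments inherited from the VNet, resource group and subscription, so any
# of these roles at or above the subnet satisfies the joinViaServiceEndpoint check.
$coveringRoles = @($roleName, "Network Contributor", "Contributor", "Owner")
$uncovered = foreach ($subnetId in $subnetIds) {
    $covered = Get-AzureRmRoleAssignment -ObjectId $sp.Id -Scope $subnetId |
        Where-Object { $_.RoleDefinitionName -in $coveringRoles }
    if (-not $covered) { $subnetId }
}
if ($uncovered) {
    Write-Warning "Set-AzureRmResource on the Cosmos account will fail with LinkedAuthorizationFailed; '$deployerSpName' lacks the join action on:`n$($uncovered -join "`n")"
} else {
    Write-Host "All $($subnetIds.Count) subnets are covered; the Cosmos DB rule update can proceed."
}
```

Run this as an identity that can create role definitions and assignments in the VNet subscription (Owner or User Access Administrator there), then re-run the asker's Set-AzureRmResource script as the deploying principal. Both answers describe VNets in a separate subscription of the same tenant; in the asker's cross-tenant case the identity performing the Cosmos DB update must also exist in the VNet's tenant (for a multi-tenant application, as that tenant's own service principal instance) before a role assignment can be made for it there.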