共用方式為

使用 Azure CLI 新增或編輯 Azure 角色指派條件

  • 發行項

Azure 角色指派條件是額外的檢查,您可以選擇性地將其新增至您的角色指派,以提供更精細的存取控制。 例如,您可以新增需要物件具有特定標記才能讀取物件的條件。 本文說明如何使用 Azure CLI 來新增、編輯、列出或刪除角色指派條件。

必要條件

如需新增或編輯角色指派條件的必要條件相關資訊,請參閱條件必要要件

新增條件

若要列出角色指派條件,請使用 az role assignment create 命令。 az role assignment create 命令包含下列與條件相關的參數。

參數 類型 描述
condition String 使用者可獲得授權的條件。
condition-version String 條件語法的版本。 如果指定 --condition 時不包含 --condition-version,則版本會設為預設值 2.0。

下列範例示範如何指派具有條件的儲存體 Blob 資料讀取者角色。 條件會檢查容器名稱是否等於 'blobs-example-container'。

az role assignment create --role "Storage Blob Data Reader" --scope /subscriptions/mySubscriptionID/resourceGroups/myResourceGroupName --assignee "user1@contoso.com" \
--description "Read access if container name equals blobs-example-container" \
--condition "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'))" \
--condition-version "2.0"

以下顯示輸出的範例:

{
    "canDelegate": null,
    "condition": "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'))",
    "conditionVersion": "2.0",
    "description": "Read access if container name equals blobs-example-container",
    "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}",
    "name": "{roleAssignmentId}",
    "principalId": "{userObjectId}",
    "principalType": "User",
    "resourceGroup": "{resourceGroup}",
    "roleDefinitionId": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
    "scope": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}",
    "type": "Microsoft.Authorization/roleAssignments"
}

編輯條件

若要編輯現有的角色指派條件,請使用 az role assignment update 命令和 JSON 檔案作為輸入內容。 以下顯示範例 JSON 檔案,其中會更新條件和描述。 只能編輯 conditionconditionVersiondescription 屬性。 您必須指定所有屬性來更新角色指派條件。

{
    "canDelegate": null,
    "condition": "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container' OR @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container2'))",
    "conditionVersion": "2.0",
    "description": "Read access if container name equals blobs-example-container or blobs-example-container2",
    "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}",
    "name": "{roleAssignmentId}",
    "principalId": "{userObjectId}",
    "principalType": "User",
    "resourceGroup": "{resourceGroup}",
    "roleDefinitionId": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
    "scope": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}",
    "type": "Microsoft.Authorization/roleAssignments"
}

使用 az role assignment update,更新角色指派的條件。

az role assignment update --role-assignment "./path/roleassignment.json"

以下顯示輸出的範例:

{
    "canDelegate": null,
    "condition": "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container' OR @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container2'))",
    "conditionVersion": "2.0",
    "description": "Read access if container name equals blobs-example-container or blobs-example-container2",
    "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}",
    "name": "{roleAssignmentId}",
    "principalId": "{userObjectId}",
    "principalType": "User",
    "resourceGroup": "{resourceGroup}",
    "roleDefinitionId": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
    "scope": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}",
    "type": "Microsoft.Authorization/roleAssignments"
}

列出條件

若要列出角色指派條件,請使用 az role assignment list 命令。 如需詳細資訊,請參閱使用 Azure CLI 列出 Azure 角色指派

刪除條件

若要刪除角色指派條件,請編輯角色指派條件,並將 conditioncondition-version 屬性設為空白字串 ("") 或 null

或者,如果您想要同時刪除角色指派和條件,您可以使用 az role assignment delete 命令。 如需相關資訊,請參閱移除 Azure 角色指派

下一步