共用方式為


使用 Azure CLI 新增或編輯 Azure 角色指派條件

Azure 角色指派條件是額外的檢查,您可以選擇性地將其新增至您的角色指派,以提供更精細的存取控制。 例如,您可以新增需要物件具有特定標記才能讀取物件的條件。 本文說明如何使用 Azure CLI 來新增、編輯、列出或刪除角色指派條件。

必要條件

如需新增或編輯角色指派條件的必要條件相關資訊,請參閱條件必要要件

新增條件

若要列出角色指派條件,請使用 az role assignment create 命令。 az role assignment create 命令包含下列與條件相關的參數。

參數 類型 描述
condition String 使用者可獲得授權的條件。
condition-version String 條件語法的版本。 如果指定 --condition 時不包含 --condition-version,則版本會設為預設值 2.0。

下列範例示範如何指派具有條件的儲存體 Blob 資料讀取者角色。 條件會檢查容器名稱是否等於 'blobs-example-container'。

az role assignment create --role "Storage Blob Data Reader" --scope /subscriptions/mySubscriptionID/resourceGroups/myResourceGroupName --assignee "user1@contoso.com" \
--description "Read access if container name equals blobs-example-container" \
--condition "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'))" \
--condition-version "2.0"

以下顯示輸出的範例:

{
    "canDelegate": null,
    "condition": "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'))",
    "conditionVersion": "2.0",
    "description": "Read access if container name equals blobs-example-container",
    "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}",
    "name": "{roleAssignmentId}",
    "principalId": "{userObjectId}",
    "principalType": "User",
    "resourceGroup": "{resourceGroup}",
    "roleDefinitionId": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
    "scope": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}",
    "type": "Microsoft.Authorization/roleAssignments"
}

編輯條件

若要編輯現有的角色指派條件,請使用 az role assignment update 命令和 JSON 檔案作為輸入內容。 以下顯示範例 JSON 檔案,其中會更新條件和描述。 只能編輯 conditionconditionVersiondescription 屬性。 您必須指定所有屬性來更新角色指派條件。

{
    "canDelegate": null,
    "condition": "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container' OR @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container2'))",
    "conditionVersion": "2.0",
    "description": "Read access if container name equals blobs-example-container or blobs-example-container2",
    "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}",
    "name": "{roleAssignmentId}",
    "principalId": "{userObjectId}",
    "principalType": "User",
    "resourceGroup": "{resourceGroup}",
    "roleDefinitionId": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
    "scope": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}",
    "type": "Microsoft.Authorization/roleAssignments"
}

使用 az role assignment update,更新角色指派的條件。

az role assignment update --role-assignment "./path/roleassignment.json"

以下顯示輸出的範例:

{
    "canDelegate": null,
    "condition": "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container' OR @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container2'))",
    "conditionVersion": "2.0",
    "description": "Read access if container name equals blobs-example-container or blobs-example-container2",
    "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}",
    "name": "{roleAssignmentId}",
    "principalId": "{userObjectId}",
    "principalType": "User",
    "resourceGroup": "{resourceGroup}",
    "roleDefinitionId": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
    "scope": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}",
    "type": "Microsoft.Authorization/roleAssignments"
}

列出條件

若要列出角色指派條件,請使用 az role assignment list 命令。 如需詳細資訊,請參閱使用 Azure CLI 列出 Azure 角色指派

刪除條件

若要刪除角色指派條件,請編輯角色指派條件,並將 conditioncondition-version 屬性設為空白字串 ("") 或 null

或者,如果您想要同時刪除角色指派和條件,您可以使用 az role assignment delete 命令。 如需相關資訊,請參閱移除 Azure 角色指派

下一步