Commit e832c3e

Merge pull request #104423 from mumian/0214-ds-permission
add permission info
2 parents 06156fe + 7c46738 commit e832c3e

articles/azure-resource-manager/templates/deployment-script-template.md

Lines changed: 8 additions & 4 deletions
@@ -5,7 +5,7 @@ services: azure-resource-manager
55
author: mumian
66
ms.service: azure-resource-manager
77
ms.topic: conceptual
8-
ms.date: 02/20/2020
8+
ms.date: 02/24/2020
99
ms.author: jgao
1010

1111
---
@@ -37,7 +37,12 @@ The benefits of deployment script:
3737
3838
## Prerequisites
3939

40-
- **A user-assigned managed identity with the contributor's role at the subscription level**. This identity is used to execute deployment scripts. To create one, see [Create a user-assigned managed identity by using the Azure portal](../../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md), or [by using Azure CLI](../../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-cli.md), or [by using Azure PowerShell](../../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-powershell.md). You need the identity ID when you deploy the template. The format of the identity is:
40+
- **A user-assigned managed identity with the contributor's role to the target resource-group**. This identity is used to execute deployment scripts. To perform operations outside of the resource group, you need to grant additional permissions. For example, assign the identity to the subscription level if you want to create a new resource group.
41+
42+
> [!NOTE]
43+
> The deployment script engine needs to create a storage account and a container instance in the background. A user-assigned managed identity with the contributor’s role at the subscription level is required if the subscription has not registered the Azure storage account (Microsoft.Storage) and Azure container instance (Microsoft.ContainerInstance) resource providers.
44+
45+
To create an identity, see [Create a user-assigned managed identity by using the Azure portal](../../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md), or [by using Azure CLI](../../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-cli.md), or [by using Azure PowerShell](../../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-powershell.md). You need the identity ID when you deploy the template. The format of the identity is:
4146

4247
```json
4348
/subscriptions/<SubscriptionID>/resourcegroups/<ResourceGroupName>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<IdentityID>
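Review bot: In the added prerequisite bullet, "assign the identity to the subscription level" has the relationship backwards: a role is assigned to the identity at a scope. Suggest "assign the Contributor role to the identity at the subscription scope". The bullet says "contributor's role to the target resource-group" while the NOTE says "contributor’s role at the subscription level" with a curly apostrophe; pick one phrasing and one apostrophe style. The NOTE also makes subscription-level Contributor the requirement whenever Microsoft.Storage and Microsoft.ContainerInstance are not registered, which brings back the broad grant this change removes from the bullet; it would help to state whether registering those two resource providers beforehand lets the resource-group-scoped identity work. Finally, the NOTE and the "To create an identity" paragraph start at column 0, so they fall outside the list item, and "The format of the identity is:" no longer reads as part of the bullet.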
@@ -94,8 +99,7 @@ The following json is an example. The latest template schema can be found [here
9499
Write-Output $output
95100
$DeploymentScriptOutputs = @{}
96101
$DeploymentScriptOutputs['text'] = $output
97-
",
98-
"primaryScriptUri": "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/deployment-script/deploymentscript-helloworld.ps1",
102+
", // or "primaryScriptUri": "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/deployment-script/deploymentscript-helloworld.ps1",
99103
"supportingScriptUris":[],
100104
"timeout": "PT30M",
101105
"cleanupPreference": "OnSuccess",
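Review bot: On added line 102, the `primaryScriptUri` alternative is now a `//` comment trailing the closing quote of the multi-line inline script, where it is easy to miss and where a strict JSON parser rejects the sample if it is copied as-is. Suggest removing the comment from the example and stating in the prose around it that `primaryScriptUri` can be used in place of the inline script, with the URL shown there.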
