What is the difference in RBAC for VMs vs VM scale sets?

I have a custom role that allows creating VMs in a specific VNet and its subnets. I can deploy a single virtual machine into this subnet without any problem. However, when I try to deploy a scale set into the same subnet, I get the following error:

Missing write permissions {'Microsoft.Network/VirtualNetworks/subnets/write'} for the following subnet(s):'MySubnet'

The role that grants access to the VNet has Join Virtual Network. Why does this permission allow a VM deployment but not a scale set deployment? Is there a difference in RBAC between deploying a VM and a VM scale set?

Edit: added the role definitions

The VNet has RBAC; the custom network contributor role grants the following

"permissions": [
      {
        "actions": [
          "Microsoft.Network/publicIPAddresses/join/action",
          "Microsoft.Network/virtualNetworks/subnets/join/action",
          "Microsoft.Network/virtualNetworks/subnets/write",
          "Microsoft.Network/virtualNetworks/*/join/action",
          "Microsoft.Network/networkSecurityGroups/write",
          "Microsoft.Network/networkSecurityGroups/securityRules/write",
          "Microsoft.Network/networkSecurityGroups/securityRules/delete"
        ],
        "dataActions": [],
        "notActions": [],
        "notDataActions": []
      }
    ]

The RBAC on the resource group grants the following

"permissions": [
      {
        "actions": [
          "*",
          "Microsoft.Compute/virtualMachines/*",
          "Microsoft.Compute/virtualMachineScaleSets/*"
        ],
        "dataActions": [],
        "notActions": [
          "Microsoft.Authorization/*/Delete",
          "Microsoft.Authorization/*/Write",
          "Microsoft.Authorization/elevateAccess/Action",
          "Microsoft.Network/dnsZones/write",
          "Microsoft.Network/dnsZones/delete",
          "Microsoft.Network/dnsZones/*/write",
          "Microsoft.Network/dnsZones/*/delete",
          "Microsoft.Network/virtualNetworks/write",
          "Microsoft.Network/virtualNetworks/delete",
          "Microsoft.Network/virtualNetworks/peer/action",
          "Microsoft.Resources/subscriptions/resourceGroups/write",
          "Microsoft.Resources/subscriptions/resourceGroups/delete"
        ],
        "notDataActions": []
      }
    ]

Scale sets are built from virtual machines. With scale sets, the management and automation layers are provided to run and scale your applications.

So there is no difference in RBAC between deploying a VM and a VM scale set. And here are my test results:

Based on the error you posted, the subnet has no write permission. I think you should check the account you are using. If you use RBAC on the VNet, it needs at least Contributor permission.

You can get more details about the differences between virtual machines and scale sets from this link.
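When an error like the one in the question names a specific missing action, the quickest check is to evaluate that action against every role assignment that is in scope for the target resource, before reaching for a broader built-in role. The block below is an added example, not code from the question, the answer or Azure; it implements the documented Azure RBAC evaluation rules for control-plane actions (an action is granted if an in-scope assignment's `actions` matches it and none of that role's `notActions` matches; `*` matches any characters including `/`; comparison is case-insensitive; assignments cover the scope and everything beneath it) and applies them to the two role definitions posted above. The subscription ID, resource-group names and resource IDs are assumptions, constructed to model a VNet living in a different resource group than the scale set; Azure deny assignments and `dataActions` are not modelled.

```python
"""Offline evaluator for Azure RBAC role definitions (added example, not from the post)."""
import re


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard rule: '*' matches any run of characters, including '/',
    and operation strings compare case-insensitively."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_allows(role: dict, action: str) -> bool:
    """A role grants an action if some 'actions' entry matches and no 'notActions' entry does."""
    granted = any(action_matches(p, action) for p in role["actions"])
    excluded = any(action_matches(p, action) for p in role["notActions"])
    return granted and not excluded


def assignment_applies(scope: str, resource_id: str) -> bool:
    """An assignment at a scope covers that scope and every resource beneath it."""
    s, r = scope.lower().rstrip("/"), resource_id.lower().rstrip("/")
    return r == s or r.startswith(s + "/")


def is_allowed(assignments, resource_id: str, action: str) -> bool:
    """Effective permission is the union of all in-scope assignments.
    Deny assignments and dataActions are deliberately not modelled."""
    return any(role_allows(role, action)
               for scope, role in assignments
               if assignment_applies(scope, resource_id))


# Role definitions copied from the question (only actions/notActions matter here).
VNET_ROLE = {
    "actions": [
        "Microsoft.Network/publicIPAddresses/join/action",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Network/virtualNetworks/*/join/action",
        "Microsoft.Network/networkSecurityGroups/write",
        "Microsoft.Network/networkSecurityGroups/securityRules/write",
        "Microsoft.Network/networkSecurityGroups/securityRules/delete",
    ],
    "notActions": [],
}
RG_ROLE = {
    "actions": ["*",
                "Microsoft.Compute/virtualMachines/*",
                "Microsoft.Compute/virtualMachineScaleSets/*"],
    "notActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Network/dnsZones/write",
        "Microsoft.Network/dnsZones/delete",
        "Microsoft.Network/dnsZones/*/write",
        "Microsoft.Network/dnsZones/*/delete",
        "Microsoft.Network/virtualNetworks/write",
        "Microsoft.Network/virtualNetworks/delete",
        "Microsoft.Network/virtualNetworks/peer/action",
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.Resources/subscriptions/resourceGroups/delete",
    ],
}

# Assumed (constructed) resource IDs: the VNet lives in its own resource group,
# separate from the one the scale set is deployed into.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
NET_RG = SUB + "/resourceGroups/net-rg"
APP_RG = SUB + "/resourceGroups/app-rg"
VNET_ID = NET_RG + "/providers/Microsoft.Network/virtualNetworks/MyVNet"
SUBNET_ID = VNET_ID + "/subnets/MySubnet"
VMSS_ID = APP_RG + "/providers/Microsoft.Compute/virtualMachineScaleSets/MyScaleSet"

# (scope, role) pairs as described in the question: network role on the VNet,
# the '*'-based role on the resource group that receives the VM / scale set.
ASSIGNMENTS = [(VNET_ID, VNET_ROLE), (APP_RG, RG_ROLE)]

if __name__ == "__main__":
    checks = [
        (SUBNET_ID, "Microsoft.Network/virtualNetworks/subnets/write"),   # the action from the error
        (SUBNET_ID, "Microsoft.Network/virtualNetworks/subnets/join/action"),
        (SUBNET_ID, "Microsoft.Network/virtualNetworks/write"),
        (VMSS_ID, "Microsoft.Compute/virtualMachineScaleSets/write"),
        (VMSS_ID, "Microsoft.Authorization/roleAssignments/write"),
    ]
    for rid, act in checks:
        print(f"{'ALLOW' if is_allowed(ASSIGNMENTS, rid, act) else 'DENY ':5} {act} on {rid.rsplit('/', 1)[-1]}")
```

Run against the definitions as posted, `Microsoft.Network/virtualNetworks/subnets/write` on the subnet is granted by the VNet-scoped role, so if the portal still reports it missing, the thing to verify is which account (or service principal) actually performed the deployment and whether that identity holds the VNet-scoped assignment, which is exactly the answer's advice. The scope check matters: the resource-group role's `*` never reaches the subnet because the subnet's ID is not beneath that group.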