Figure out the right set of actions in Azure RBAC custom role
There is this Azure Function that needs to call the Azure REST API:
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}/config/web?api-version=2019-08-01
And the function should have as few permissions as possible. I have a custom role (cloned from the subscription-level Contributor) assigned to the function at the subscription level. The JSON is as follows:
{
  "properties": {
    "roleName": "Web config contributor",
    "description": "Custom role that can read resources under subscription and update their web config.",
    "assignableScopes": [
      "/subscriptions/def-abc-45346-9477-xyz"
    ],
    "permissions": [
      {
        "actions": [
          "*/read",
          "Microsoft.Web/*"
        ],
        "notActions": [
          "Microsoft.Authorization/*/Delete",
          "Microsoft.Authorization/*/Write",
          "Microsoft.Authorization/elevateAccess/Action",
          "Microsoft.Blueprint/blueprintAssignments/write",
          "Microsoft.Blueprint/blueprintAssignments/delete"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
The only thing that seems to work is setting actions to "*". Otherwise it throws 403 (Forbidden). I have tried:

"Actions": [
  "*/read",
  "Microsoft.Web/sites/config/Write",
  "Microsoft.web/sites/config/delete"
]

"Actions": [
  "*/read",
  "Microsoft.Web/sites/*"
]

"Actions": [
  "*/read",
  "Microsoft.Web/*"
]
What is the way to determine which actions to allow in a custom role so that the REST operation works?
Based on my testing, Microsoft.Web/sites/config/Write is sufficient.
My custom role, for your reference:
{
  "properties": {
    "roleName": "testrole005",
    "description": "",
    "assignableScopes": [
      "/subscriptions/e5b0fcfa-e859-43f3-8d84-5xxxx29fxxxx"
    ],
    "permissions": [
      {
        "actions": [
          "*/read",
          "Microsoft.Web/sites/config/Write"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
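As an added example (not part of the question or answer above, and not Azure's own code), the following Python script models how Azure RBAC evaluates a custom role's actions and notActions against the operation behind the PUT in the question. It implements the documented matching rules (action strings compare case-insensitively, "*" matches any run of characters including "/", and notActions only subtract from actions). The operation_for_request helper that turns the REST verb and URL into an operation name is a heuristic of this example, not an Azure API; the candidate action sets are constructed from the ones the asker tried. The script also ranks the granting sets by how specific their matching pattern is, which is the least-privilege view: the explicit Microsoft.Web/sites/config/Write grant from the answer ranks first.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: the REST call from the question.
QUESTION_URL = (
    "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/"
    "{resourceGroupName}/providers/Microsoft.Web/sites/{name}/config/web?api-version=2019-08-01"
)

# Constructed from the question: the three action sets the asker tried, plus a read-only control.
CANDIDATE_ACTION_SETS = {
    "explicit": ["*/read", "Microsoft.Web/sites/config/Write", "Microsoft.web/sites/config/delete"],
    "sites-wildcard": ["*/read", "Microsoft.Web/sites/*"],
    "provider-wildcard": ["*/read", "Microsoft.Web/*"],
    "read-only": ["*/read"],
}

VERB_TO_ACTION = {"GET": "read", "HEAD": "read", "PUT": "write", "PATCH": "write", "DELETE": "delete"}


def operation_for_request(method: str, url: str) -> str:
    """Derive the control-plane operation name a request is authorized against.

    Heuristic (an assumption of this example, not an Azure API): the resource type is the
    sequence of path segments after '/providers/<namespace>/' with the instance names
    (every second segment) dropped, and the HTTP verb maps to read/write/delete.
    """
    path = urlparse(url).path
    _, _, after_providers = path.partition("/providers/")
    segments = after_providers.strip("/").split("/")
    namespace, rest = segments[0], segments[1:]
    resource_type = "/".join(rest[i] for i in range(0, len(rest), 2))
    return f"{namespace}/{resource_type}/{VERB_TO_ACTION[method.upper()]}"


def action_matches(pattern: str, operation: str) -> bool:
    """True if an RBAC action pattern covers an operation.

    Azure action strings compare case-insensitively, and '*' matches any run of
    characters including '/' (so 'Microsoft.Web/*' covers every Microsoft.Web operation).
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def evaluate(actions, not_actions, operation):
    """Return (allowed, matched_actions, matched_not_actions) for one permission block.

    An operation is granted when at least one 'actions' pattern matches and no
    'notActions' pattern matches; notActions only subtract, they never deny.
    """
    matched = [a for a in actions if action_matches(a, operation)]
    excluded = [n for n in not_actions if action_matches(n, operation)]
    return (bool(matched) and not excluded, matched, excluded)


def role_allows(role_definition: dict, operation: str) -> bool:
    """Evaluate a full role definition JSON (the 'properties' layout used in the question)."""
    for perm in role_definition["properties"]["permissions"]:
        allowed, _, _ = evaluate(perm.get("actions", []), perm.get("notActions", []), operation)
        if allowed:
            return True
    return False


def specificity(pattern: str):
    """Sort key: fewer wildcards, then more literal characters, is the more specific grant."""
    return (pattern.count("*"), -len(pattern.replace("*", "")))


def rank_candidates(operation: str, candidates: dict) -> list:
    """Names of candidate action sets that grant the operation, most specific match first."""
    ranked = []
    for name, acts in candidates.items():
        allowed, matched, _ = evaluate(acts, [], operation)
        if allowed:
            ranked.append((min(specificity(m) for m in matched), name))
    return [name for _, name in sorted(ranked)]


if __name__ == "__main__":
    op = operation_for_request("PUT", QUESTION_URL)
    print(f"operation behind the PUT: {op}")
    for name, acts in CANDIDATE_ACTION_SETS.items():
        allowed, matched, _ = evaluate(acts, [], op)
        print(f"{name:18} allowed={str(allowed):5} matched={matched}")
    print("granting sets, most specific first:", rank_candidates(op, CANDIDATE_ACTION_SETS))
```

Under these rules all three action sets the asker tried cover Microsoft.Web/sites/config/Write, so a 403 with one of them in place points at something the role JSON alone does not show, such as the assignment scope or a token issued before the assignment propagated. The authoritative list of operation names to grant comes from the resource provider itself (for example, az provider operation show --namespace Microsoft.Web), which is where the exact string the answer settled on can be confirmed before writing it into a role.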