Azure RBAC application-insights-component-contributor vs monitoring-contributor

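I'm trying to understand the overlap between these two roles in Azure RBAC. It looks like monitor-contributor fully covers application-insights-component-contributor except for "Microsoft.Resources/deployments/*". Consider the following: I'm deploying web availability tests into an AppInsights resource, and the deployment identity is a service principal that has already been granted Monitoring Contributor. Should I also grant this identity 'application-insights-component-contributor' to be able to create these resources, or would 'monitor contributor' be sufficient?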

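Edit 1

I'm also deploying alert rules along with the tests, and those are implemented as RM templates, which fail if the SP is granted Monitoring Contributor: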

Error: requesting Validation for Template Deployment "app508-dfpg-dev3-diag-eastus2-backoffice-ai-test-dep" (Resource Group "app508-dfpg-ne-diag-eastus2"): resources.DeploymentsClient#Validate: Failure sending request: StatusCode=403 -- Original Error: Code="AuthorizationFailed" Message="The client '2c20abbf-e825-495c-9d06-90c5f04f9c60' with object id '2c20abbf-0000-0000-0000-90c5f04f9c60' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/subscriptions/s/resourcegroups/app508-dfpg-ne-diag-eastus2/providers/Microsoft.Resources/deployments/app508-dfpg-dev3-diag-eastus2-backoffice-ai-test-dep' or the scope is invalid. If access was recently granted, please refresh your credentials."

There is no need to grant the Application Insights Component Contributor role; the Monitoring Contributor role is enough. When you deploy the web availability tests, you just need the Microsoft.Insights/webtests/* action permission, which is already included in Monitoring Contributor.
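
The following is an added example, not part of the original question or answer: a small checker that evaluates required actions against role action patterns the way Azure RBAC does (wildcard `*`, case-insensitive, `NotActions` subtracted). The role entries are partial excerpts built only from the patterns named on this page, and `Microsoft.Insights/webtests/write` is assumed as one concrete instance of `Microsoft.Insights/webtests/*`; the 403 in the edit corresponds to the action that Monitoring Contributor alone does not cover.

```python
import re

# Partial, constructed excerpts of each role's Actions, limited to the patterns
# the question and answer name; these are not the full built-in definitions.
ROLES = {
    "Monitoring Contributor": {
        "actions": ["Microsoft.Insights/webtests/*"],
        "not_actions": [],
    },
    "Application Insights Component Contributor": {
        "actions": ["Microsoft.Insights/webtests/*",
                    "Microsoft.Resources/deployments/*"],
        "not_actions": [],
    },
}

def _matches(pattern, action):
    """Match an RBAC action pattern: '*' is a wildcard, case is ignored."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def is_allowed(role, action):
    """True if some Actions pattern matches and no NotActions pattern does."""
    allowed = any(_matches(p, action) for p in role["actions"])
    denied = any(_matches(p, action) for p in role["not_actions"])
    return allowed and not denied

def missing_actions(role_names, required):
    """Required actions not granted by the union of the named roles."""
    roles = [ROLES[name] for name in role_names]
    return [a for a in required if not any(is_allowed(r, a) for r in roles)]

# The web test write (assumed instance of webtests/*) and the action
# named in the AuthorizationFailed error on this page.
REQUIRED = [
    "Microsoft.Insights/webtests/write",
    "Microsoft.Resources/deployments/validate/action",
]

if __name__ == "__main__":
    for names in (["Monitoring Contributor"],
                  ["Monitoring Contributor",
                   "Application Insights Component Contributor"]):
        print(names, "->", missing_actions(names, REQUIRED) or "all covered")
```

To check a real assignment, replace the excerpts in `ROLES` with the `actions` and `notActions` arrays from the role definitions in your tenant.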