问题描述
作为Azure资源管理人员,对每一种资源操作时,都需要考虑权限设置。否则,会遇见类似如下错误:
The client '***************' with object id '********-****-****-****-************' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/subnets/write' over scope '/subscriptions/'***************/resourceGroups/******' or the scope is invalid. If access was recently granted, please refresh your credentials.
现在需要为App Service,集成虚拟网络,这个操作最小的权限需要包含那些呢?
问题解答
经测试,只要自定义以下5个Action就足够为App Service集成虚拟网络
- "Microsoft.Network/virtualNetworks/subnets/join/action"
- "Microsoft.Network/virtualNetworks/read"
- "Microsoft.Network/virtualNetworks/subnets/read"
- "Microsoft.Web/sites/config/list/Action"
- "Microsoft.Web/sites/Write"
创建自定义role来为用户添加以上权限,具体方式可参考:https://docs.azure.cn/en-us/role-based-access-control/custom-roles-portal
App Service集成虚拟网络所需要的权限说明可参考:https://docs.azure.cn/zh-cn/app-service/overview-vnet-integration#permissions
