问题描述

作为Azure资源管理人员，对每一种资源操作时，都需要考虑权限设置。否则，会遇见类似如下错误：

The client '***************' with object id '********-****-****-****-************' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/subnets/write' over scope '/subscriptions/'***************/resourceGroups/******' or the scope is invalid. If access was recently granted, please refresh your credentials.

现在需要为App Service，集成虚拟网络，这个操作最小的权限需要包含那些呢？

问题解答

经测试，只要自定义以下5个Action就足够为App Service集成虚拟网络

1. "Microsoft.Network/virtualNetworks/subnets/join/action"
2. "Microsoft.Network/virtualNetworks/read"
3. "Microsoft.Network/virtualNetworks/subnets/read"
4. "Microsoft.Web/sites/config/list/Action"
5. "Microsoft.Web/sites/Write"

创建自定义role来为用户添加以上权限，具体方式可参考：https://docs.azure.cn/en-us/role-based-access-control/custom-roles-portal

App Service集成虚拟网络所需要的权限说明可参考：https://docs.azure.cn/zh-cn/app-service/overview-vnet-integration#permissions