What is the difference in RBAC between a VM and a VM scale set?

Time: 2018-10-26 16:16:59

Tags: azure azure-virtual-machine azure-virtual-network azure-vm-scale-set azure-rbac

I have a custom role that allows creating VMs in a specific VNet and its subnets. I can deploy a single VM into this subnet without any problem. However, when I try to deploy a scale set into the same subnet, I get the following error:

Missing write permissions {'Microsoft.Network/VirtualNetworks/subnets/write'} for the following subnet(s):'MySubnet'

The role that grants access to the VNet is Join Virtual Network. Why does this permission allow VM deployment but not scale set deployment? Is there a difference in RBAC between deploying a virtual machine and a virtual machine scale set?

Edit: added the role definitions

The VNet has RBAC with a custom Network Contributor role that grants the following permissions

"permissions": [
  {
    "actions": [
      "Microsoft.Network/publicIPAddresses/join/action",
      "Microsoft.Network/virtualNetworks/subnets/join/action",
      "Microsoft.Network/virtualNetworks/subnets/write",
      "Microsoft.Network/virtualNetworks/*/join/action",
      "Microsoft.Network/networkSecurityGroups/write",
      "Microsoft.Network/networkSecurityGroups/securityRules/write",
      "Microsoft.Network/networkSecurityGroups/securityRules/delete"
    ],
    "dataActions": [],
    "notActions": [],
    "notDataActions": []
  }
]

The RBAC on the resource group grants the following permissions

"permissions": [
  {
    "actions": [
      "*",
      "Microsoft.Compute/virtualMachines/*",
      "Microsoft.Compute/virtualMachineScaleSets/*"
    ],
    "dataActions": [],
    "notActions": [
      "Microsoft.Authorization/*/Delete",
      "Microsoft.Authorization/*/Write",
      "Microsoft.Authorization/elevateAccess/Action",
      "Microsoft.Network/dnsZones/write",
      "Microsoft.Network/dnsZones/delete",
      "Microsoft.Network/dnsZones/*/write",
      "Microsoft.Network/dnsZones/*/delete",
      "Microsoft.Network/virtualNetworks/write",
      "Microsoft.Network/virtualNetworks/delete",
      "Microsoft.Network/virtualNetworks/peer/action",
      "Microsoft.Resources/subscriptions/resourceGroups/write",
      "Microsoft.Resources/subscriptions/resourceGroups/delete"
    ],
    "notDataActions": []
  }
]
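
As an added example (not code from the question or the answer): a small evaluator that applies the ARM control-plane rules (case-insensitive matching, "*" wildcards that span "/", "notActions" subtracting only from the same role, assignments inheriting down the scope hierarchy) to the two role definitions posted above, so you can check what an account holding these assignments should be allowed at the subnet scope before concluding the role definition is at fault. The subscription, resource group and VNet names are placeholders, and deny assignments and data actions are ignored.

```python
from fnmatch import fnmatchcase  # '*' matches any run of characters, '/' included, like ARM wildcards

def _matches(pattern, action):
    # ARM action matching is case-insensitive; fnmatchcase avoids OS-specific case folding
    return fnmatchcase(action.lower(), pattern.lower())

def role_grants(role, action):
    """A role grants an action iff an 'actions' entry matches and no
    'notActions' entry of the same role matches (notActions only subtract)."""
    allowed = any(_matches(p, action) for p in role["actions"])
    excluded = any(_matches(p, action) for p in role["notActions"])
    return allowed and not excluded

def is_allowed(assignments, action, target_scope):
    """assignments: [(scope, role)]. An assignment applies to its own scope and
    to every child scope (prefix match on '/'-separated resource IDs)."""
    target = target_scope.lower().rstrip("/") + "/"
    return any(target.startswith(scope.lower().rstrip("/") + "/")
               and role_grants(role, action) for scope, role in assignments)

# Role definitions copied from the question (first "permissions" entry of each role).
VNET_ROLE = {"actions": [
    "Microsoft.Network/publicIPAddresses/join/action",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.Network/virtualNetworks/subnets/write",
    "Microsoft.Network/virtualNetworks/*/join/action",
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Network/networkSecurityGroups/securityRules/write",
    "Microsoft.Network/networkSecurityGroups/securityRules/delete",
], "notActions": []}
RG_ROLE = {"actions": [
    "*", "Microsoft.Compute/virtualMachines/*", "Microsoft.Compute/virtualMachineScaleSets/*",
], "notActions": [
    "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Network/dnsZones/write", "Microsoft.Network/dnsZones/delete",
    "Microsoft.Network/dnsZones/*/write", "Microsoft.Network/dnsZones/*/delete",
    "Microsoft.Network/virtualNetworks/write", "Microsoft.Network/virtualNetworks/delete",
    "Microsoft.Network/virtualNetworks/peer/action",
    "Microsoft.Resources/subscriptions/resourceGroups/write",
    "Microsoft.Resources/subscriptions/resourceGroups/delete",
]}

# Constructed placeholder scopes (subscription, resource group and VNet names are invented).
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
VNET = RG + "/providers/Microsoft.Network/virtualNetworks/vnet-example"
SUBNET = VNET + "/subnets/MySubnet"
ASSIGNMENTS = [(RG, RG_ROLE), (VNET, VNET_ROLE)]  # RG role on the RG, VNet role on the VNet
```

With both assignments in place, `is_allowed(ASSIGNMENTS, "Microsoft.Network/virtualNetworks/subnets/write", SUBNET)` is true, so if the deployment still reports that write permission missing, the principal doing the deployment most likely does not actually hold these assignments.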

1 answer:

Answer 0 (score: 1)

Scale sets are built from virtual machines. With scale sets, the management and automation layers are provided to run and scale your applications.

So there is no difference in RBAC between deploying a VM and a VM Scale Set. The test result is here:

According to the error you posted, the subnet does not have write permission. I think you should check the account you are using. If you use RBAC for the VNet, it needs at least the "Contributor" permission.

You can get more details on the differences between virtual machines and scale sets from this link.