azure - 如何为 “Virtual Machine operator” 添加自定义角色以设置自动关闭

Question

我想在 Azure 中创建自定义角色，以允许“虚拟机运算符(operator)”设置自动关闭时间。

我尝试使用 JSON 创建自定义角色，但不知道“自动关闭”的操作是什么

 {
  "Name": "Virtual Machine Operator 2",
  "IsCustom": true,
  "Description": "Can deallocate, start  and restart virtual machines.",
  "Actions": [
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Compute/Auto-shutdown/*"
  ],
  "NotActions": [


  ],
  "AssignableScopes": [
    "/subscriptions/8c18015f-f6be-403d-905d-5cdfcb1f1c1d"
  ]
}

上面 JSON 中的行不正确 “Microsoft.Compute/自动关闭/*”

Answer 1

如果为虚拟机启用自动关闭，Azure将在虚拟机所在的资源组中创建一个资源类型为Microsoft.DevTestLab/schedules的资源。您可以在资源组中查看它(选择显示隐藏类型选项)。

因此，如果您想设置自动关闭时间，则需要Microsoft.DevTestLab/schedules/*权限(可能是Microsoft.DevTestLab/schedules/write 是最低权限，我刚刚测试了 Microsoft.DevTestLab/schedules/*)。

同时，当我们设置Microsoft.DevTestLab/schedules时，我们实际上也设置了VM(资源链接到VM范围)，所以我们还需要Microsoft.Compute/virtualMachines/write 权限，否则会出现错误。

结论，自定义角色 .json 文件应如下所示。

 {
  "Name": "Virtual Machine Operator 2",
  "IsCustom": true,
  "Description": "Can deallocate, start  and restart virtual machines.",
  "Actions": [
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.DevTestLab/schedules/*",
    "Microsoft.Compute/virtualMachines/write"
  ],
  "NotActions": [


  ],
  "AssignableScopes": [
    "/subscriptions/xxxxxxxxxxxxxxxx"
  ]
}

<小时/>

此外，我测试了自定义角色以在 powershell 中使用服务主体上下文设置自动关闭 设置，它在我这边运行良好，您也可以尝试一下。

$resourcegroup = "<resource group name>"
$vm = "<VM Name>"
$shutdown_time = "1900"
$shutdown_timezone = "China Standard Time"

$properties = @{
    "status" = "Enabled";
    "taskType" = "ComputeVmShutdownTask";
    "dailyRecurrence" = @{"time" = $shutdown_time };
    "timeZoneId" = $shutdown_timezone;
    "notificationSettings" = @{
        "status" = "Disabled";
        "timeInMinutes" = 30
    }
    "targetResourceId" = (Get-AzVM -ResourceGroupName $resourcegroup -Name $vm).Id
}

Set-AzResource -ResourceId ("/subscriptions/{0}/resourceGroups/{1}/providers/microsoft.devtestlab/schedules/shutdown-computevm-{2}" -f (Get-AzContext).Subscription.Id, $resourcegroup, $vm) -Properties $properties -Force