我有一个自定义角色,允许在特定 VNet 及其子网中创建虚拟机。我可以毫无问题地在此子网中部署单个虚拟机。但是,当我尝试将规模集部署到同一子网时,我遇到以下错误:
Missing write permissions {'Microsoft.Network/VirtualNetworks/subnets/write'} for the following subnet(s):'MySubnet'
授予 VNet 访问权限的角色具有加入虚拟网络。为什么此权限允许 VM 部署而不是规模集部署?部署 VM 和 VM 规模集之间的 RBAC 是否有区别?
编辑:添加角色定义
VNet 具有 RBAC 和自定义网络贡献者角色,可授予以下功能
"permissions": [
{
"actions": [
"Microsoft.Network/publicIPAddresses/join/action",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Network/virtualNetworks/*/join/action",
"Microsoft.Network/networkSecurityGroups/write",
"Microsoft.Network/networkSecurityGroups/securityRules/write",
"Microsoft.Network/networkSecurityGroups/securityRules/delete"
],
"dataActions": [],
"notActions": [],
"notDataActions": []
}
]
资源组上的 RBAC 授予以下内容
"permissions": [
{
"actions": [
"*",
"Microsoft.Compute/virtualMachines/*",
"Microsoft.Compute/virtualMachineScaleSets/*"
],
"dataActions": [],
"notActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Network/dnsZones/write",
"Microsoft.Network/dnsZones/delete",
"Microsoft.Network/dnsZones/*/write",
"Microsoft.Network/dnsZones/*/delete",
"Microsoft.Network/virtualNetworks/write",
"Microsoft.Network/virtualNetworks/delete",
"Microsoft.Network/virtualNetworks/peer/action",
"Microsoft.Resources/subscriptions/resourceGroups/write",
"Microsoft.Resources/subscriptions/resourceGroups/delete"
],
"notDataActions": []
}
]
最佳答案
Scale sets are built from virtual machines. With scale sets, the management and automation layers are provided to run and scale your applications.
因此,部署 VM 和 VM 规模集之间的 RBAC 没有区别。测试结果如下:
根据您发布的错误,子网没有写权限。我认为您应该检查一下您使用过的帐户。如果您对 Vnet 使用 RBAC,则至少需要贡献者权限。
您可以从此 link 获取有关虚拟机和规模集之间差异的更多详细信息.
关于azure - VM 与 VM 规模集的 RBAC 有何区别?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/53012713/