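I am trying to understand the overlap between these two roles in Azure RBAC. It looks like monitor-contributor fully covers application-insights-component-contributor, apart from "Microsoft.Resources/deployments/*". Consider the following scenario: I am deploying web availability tests into an AppInsights resource, and the deployment identity is a service principal that has been granted Monitoring Contributor. Should I also grant this identity "application-insights-component-contributor" to be able to create these resources, or is "Monitoring Contributor" good enough?
Edit 1
I am also deploying alert rules along with the tests, and these are implemented as an RM template, which fails if the SP is granted only Monitoring Contributor: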
Error: requesting Validation for Template Deployment "app508-dfpg-dev3-diag-eastus2-backoffice-ai-test-dep" (Resource Group "app508-dfpg-ne-diag-eastus2"): resources.DeploymentsClient#Validate: Failure sending request: StatusCode=403 -- Original Error: Code="AuthorizationFailed" Message="The client '2c20abbf-e825-495c-9d06-90c5f04f9c60' with object id '2c20abbf-0000-0000-0000-90c5f04f9c60' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/subscriptions/s/resourcegroups/app508-dfpg-ne-diag-eastus2/providers/Microsoft.Resources/deployments/app508-dfpg-dev3-diag-eastus2-backoffice-ai-test-dep' or the scope is invalid. If access was recently granted, please refresh your credentials."
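
Added example, not part of the original post: a Python check that pulls the denied action out of an AuthorizationFailed message like the one above and evaluates it against role action patterns, including `NotActions`. The role lists are abridged and constructed for illustration (assumption), and `parse_denied`, `role_allows` and `roles_granting` are hypothetical helper names.

```python
import re

# Constructed, abridged action lists (assumption): only entries relevant to the
# question. Compare with `az role definition list --name "<role name>"`.
ROLES = {
    "Monitoring Contributor": {
        "actions": ["*/read",
                    "Microsoft.Insights/components/*",
                    "Microsoft.Insights/webtests/*",
                    "Microsoft.Insights/alertRules/*"],
        "not_actions": [],
    },
    "Application Insights Component Contributor": {
        "actions": ["Microsoft.Insights/components/*",
                    "Microsoft.Insights/webtests/*",
                    "Microsoft.Insights/alertRules/*",
                    "Microsoft.Resources/deployments/*"],
        "not_actions": [],
    },
}

# Constructed sample: shortened form of the error quoted in the post.
SAMPLE_ERROR = (
    "Code=\"AuthorizationFailed\" Message=\"The client '<client-id>' does not "
    "have authorization to perform action "
    "'Microsoft.Resources/deployments/validate/action' over scope "
    "'/subscriptions/s/resourcegroups/app508-dfpg-ne-diag-eastus2' "
    "or the scope is invalid.\""
)

def parse_denied(error_text):
    """Return (action, scope) from an AuthorizationFailed message, or None."""
    m = re.search(r"perform action '([^']+)' over scope '([^']+)'", error_text)
    return (m.group(1), m.group(2)) if m else None

def _matches(pattern, action):
    # '*' is the only wildcard; compared case-insensitively here (assumption).
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def role_allows(role, action):
    """An action is granted if it matches Actions and no NotActions entry."""
    allowed = any(_matches(p, action) for p in role["actions"])
    excluded = any(_matches(p, action) for p in role["not_actions"])
    return allowed and not excluded

def roles_granting(action, roles=ROLES):
    return sorted(name for name, r in roles.items() if role_allows(r, action))

if __name__ == "__main__":
    action, scope = parse_denied(SAMPLE_ERROR)
    print(action, "->", roles_granting(action) or "no listed role")
```
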