Azure 中 start/stop 虚拟机的最低权限角色
Least Priviledge Role to start/stop vm in Azure
是否有任何标准角色向 Azure 资源组中的 start/stop 虚拟机授予特权,但不授予创建特权或修改现有资源的特权?我在文档中没有找到,唯一的解决办法是创建自定义角色吗?
是的,唯一的解决方案是创建自定义角色,powershell 示例:
$subs = Get-AzureRmSubscription
# Resource start\stop role
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = "Resource Start/Stop (Scheduled)"
$role.Description = "Can read\start\stop VMs"
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Compute/virtualMachines/deallocate/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/read")
$role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/start/action")
$role.AssignableScopes.Clear()
$subs | ForEach-Object {
$scope = "/subscriptions/{0}" -f $_.Id
$role.AssignableScopes.Add($scope)
}
$def = New-AzureRmRoleDefinition -Role $role
如果不需要重启 vms,可以删除重启操作
是否有任何标准角色向 Azure 资源组中的 start/stop 虚拟机授予特权,但不授予创建特权或修改现有资源的特权?我在文档中没有找到,唯一的解决办法是创建自定义角色吗?
是的,唯一的解决方案是创建自定义角色,powershell 示例:
$subs = Get-AzureRmSubscription
# Resource start\stop role
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = "Resource Start/Stop (Scheduled)"
$role.Description = "Can read\start\stop VMs"
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Compute/virtualMachines/deallocate/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/read")
$role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/start/action")
$role.AssignableScopes.Clear()
$subs | ForEach-Object {
$scope = "/subscriptions/{0}" -f $_.Id
$role.AssignableScopes.Add($scope)
}
$def = New-AzureRmRoleDefinition -Role $role
如果不需要重启 vms,可以删除重启操作