在Azure中作为一个资源组贡献者我为什么不能创建存储帐户,应该怎么做prevent这种情况呢? [英] In Azure as a Resource Group contributor why can't I create Storage Accounts and what should be done to prevent this situation?
问题描述
在客户A认购管理员授予我(一个MS账户)参与者角色对他们的资源组之一。
当我试图在该资源组存储帐户,我得到一个失败的:
AuthorizationFailed'没有授权才能执行行动Microsoft.Storage/register/action过度范围
我登录到通过PowerShell中的认购和上市可用的提供者,发现大多数都没有登记。
当我尝试注册,我得到这个错误。他们为什么没有注册?应该怎样管理员做纠正呢?我应该在未来完成添加贡献者时,为了避免这个问题?现在,作为该RG一个参与者,我不能这样做非常多。
解决方案
我登录到通过PowerShell中的认购和上市可用
供应商,发现大部分都没有登记。当我尝试
注册时,我得到这个错误。你得到这个错误的原因是因为日认购管理员已经把你放在
投稿作用在一个特定的资源组。他们没有授予您对Microsoft.Storage资源提供者的许可。为了让您与此资源注册订阅,你需要在Microsoft.Storage资源提供者写许可。您可以问你的订阅管理员给你相应的权限,也可以注册与资源提供者认购。
更新 - 后续问题
我的理解是,参与者角色只是允许
指定的用户的组中创建资源你的理解是正确的。随着资源组中的
投稿角色,你应该能够在那里创建资源。
在这个角色分配一个点确实认购
管理员指定哪些资源可以被创建,哪些不是?
抑或是限制在某种程度上对认购方式
设置?嗯yes和no。所以,如果你是这样分配
贡献者一些毯子的作用,你应该能够创建任何类型的资源。然而,随着自定义角色,管理员可以得到超级的创意和只允许您创建某一种资源。然而认购应该用资源提供者可以创建一种资源之前进行登记。我明白这整个事情是结构化的方式是,每个产品团队在Azure是负责提供自己的功能。在这一切的中心点是
Azure的资源管理器提供除其他事项外基于角色的访问控制。让我们来Azure存储为例。该功能与存储帐户(从创建像管理的角度来看,删除等)进行交互是通过存储团队使用一种叫做提供
存储资源提供者(SRP)。所以,如果你仔细观察,有一个为每个功能的资源提供者。不知什么原因对我来说,不是所有的资源提供者在默认情况下(可能是成本原因)和订阅管理员提供给您必须这样那样的资源可以在订阅被创建,资源提供者登记他/她的订阅。A Subscription admin at a customer granted me (an MS account) Contributor role on one of their Resource Groups.
When I try to create a Storage Account in that Resource Group, I get a failure that:
'AuthorizationFailed' does not have authorization to perform action 'Microsoft.Storage/register/action' over scope
I logged into the Subscription via Powershell and listed the available providers, and found that most are not registered. When I try to register, I get that error.
Why are they not registered? What should the admin do to correct this? What should be done in future to avoid this problem when adding Contributors? Right now as a Contributor in that RG, I can't do very much.
解决方案I logged into the Subscription via Powershell and listed the available providers, and found that most are not registered. When I try to register, I get that error.
The reason you're getting this error is because th Subscription Administrator has put you in
Contributorrole on a particular resource group. They have not granted you any permission onMicrosoft.Storageresource provider. In order for you to register the subscription with this resource, you would needWritepermission onMicrosoft.Storageresource provider.You can either ask your Subscription Administrator to give you appropriate permissions or they can register the subscription with that resource provider.
UPDATE - Follow Up Questions
my understanding was that Contributor role simply allowed the specified user to create resources in the group.
Your understanding is correct. With a
Contributorrole in a resource group, you should be able to create resources in there.At one point in this role assignment does the Subscription administrator specify which resources can be created and which not? Or is it that the limitation is somehow on the way the Subscription is set up?
Well yes and no. So if you're assigned some blanket role like
Contributoryou should be able to create any kind of resources. However withCustom Roles, an administrator can get super creative and only allow you to create resources of a certain kind. However the Subscription should be registered with a resource provider before a resource of a kind can be created.The way I understand this whole thing is structured is that each product team in Azure is responsible for providing their own functionality. The central point in all of this is
Azure Resource Managerwhich provides amongst other thingsRole-based Access Control.Let's take Azure Storage for example. The functionality to interact with storage accounts (from management perspective like creation, deletion etc.) is provided by Storage Team using something called
Storage Resource Provider (SRP). So if you look closely, there's a resource provider for each and every feature. For reasons unknown to me, not all resource providers are available to you by default (could be the cost reason) and a Subscription Administrator must register his/her Subscription with that resource provider so that resources of that kind can be created in that Subscription.这篇关于在Azure中作为一个资源组贡献者我为什么不能创建存储帐户,应该怎么做prevent这种情况呢?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
