Azure RBAC: Error renewing website certificate (Let's Encrypt)

Question

This Q&A is related to another Q&A, linked here. The helpful answer there by Sridevi got me past the first set of gates.

I feel I'm very close to getting a certificate renewal, but now I'm running into this problem:

> LinkedAuthorizationFailed: The client has permission to perform action 'Microsoft.Web/certificates/write' on scope '/subscriptions/[redacted]/resourceGroups/[redacted]/providers/Microsoft.Web/certificates/[redacted]'; however, it does not have permission to perform action 'write' on the linked scope(s) '/subscriptions/[redacted]/resourceGroups/[redacted]/providers/Microsoft.Web/serverfarms/basic

I've added my registered application to the WebSite Contributor Role at the Resource Group level, as described here, but it's still failing with the error message above.

I assume by /subscriptions/[redacted]/resourceGroups/[redacted]/providers/Microsoft.Web/serverfarms/basic that Azure means the App Service Plan (which in my case is Basic), but I've verified that my Service Plan is in the same Resource Group and therefore has also authorized the application.

What is meant by that providers/Microsoft.Web/serverfarms/basic error log entry, and how do I grant my application access to perform a 'write' action on it? What is meant by 'linked scope?'

Answer 1

Score: 1

> As mentioned in this MS Doc, Website Contributor manages only websites, not web plans.
>
> The providers/Microsoft.Web/serverfarms/* permission is related to Web plans that won't work with Website Contributor role.

There is one built-in RBAC role named Web Plan Contributor having Microsoft.Web/serverFarms/* permission that manages web plans.

To resolve the error, you need to grant Web Plan Contributor role also to the registered application under your Resource group like below:

[Image: Azure RBAC: Error renewing website certificate (Let's Encrypt)]

In your case, make sure to grant Web Plan Contributor role to the registered application under the resource group scope where your App service exists.

Reference:
Web Plan Contributor role - Azure RBAC | Microsoft
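
The diagnosis in this answer can be reproduced offline. The following is an added example, not part of the original question or answer: it parses a `LinkedAuthorizationFailed` message, derives the missing action on the linked scope, and checks which role's action patterns cover it. The role action lists are assumed subsets of the built-in definitions, the subscription, resource group and certificate IDs are placeholders, and joining resource type and verb into one action string is an assumption about how the message should be read.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: the error from the question with placeholder IDs.
SAMPLE_ERROR = (
    "LinkedAuthorizationFailed: The client has permission to perform action "
    "'Microsoft.Web/certificates/write' on scope "
    "'/subscriptions/SUB/resourceGroups/RG/providers/Microsoft.Web/certificates/CERT'; "
    "however, it does not have permission to perform action 'write' on the linked "
    "scope(s) '/subscriptions/SUB/resourceGroups/RG/providers/Microsoft.Web/serverfarms/basic'"
)

# Assumed subsets of the built-in roles' Actions; confirm the full lists
# against the role definitions in your own tenant.
ROLE_ACTIONS = {
    "Website Contributor": [
        "Microsoft.Web/certificates/*",
        "Microsoft.Web/sites/*",
        "Microsoft.Web/serverFarms/read",
        "Microsoft.Web/serverFarms/join/action",
    ],
    "Web Plan Contributor": ["Microsoft.Web/serverFarms/*"],
}

def parse_linked_failure(message):
    """Return (missing_action, linked_scope) for a LinkedAuthorizationFailed message."""
    # The closing quote is not required, so a truncated log line still parses.
    m = re.search(r"perform action '([^']+)' on the linked scope\(s\) '([^']+)", message)
    if not m:
        raise ValueError("not a LinkedAuthorizationFailed message")
    verb, scope = m.group(1), m.group(2).rstrip(" .")
    # Top-level resource types only: /providers/<namespace>/<type>/<name>
    t = re.search(r"/providers/([^/]+)/([^/]+)/[^/]+$", scope)
    if not t:
        raise ValueError("unsupported linked scope: " + scope)
    return f"{t.group(1)}/{t.group(2)}/{verb}", scope

def allows(pattern, action):
    """Case-insensitive match of an action against a pattern with '*' wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())

def roles_covering(action, roles=ROLE_ACTIONS):
    """Names of the roles whose action patterns permit the given action."""
    return sorted(r for r, pats in roles.items() if any(allows(p, action) for p in pats))

if __name__ == "__main__":
    action, scope = parse_linked_failure(SAMPLE_ERROR)
    print(action, "on", scope, "is covered by:", roles_covering(action))
```

To check against the real definitions instead of the assumed subsets, `az role definition list --name "Web Plan Contributor"` prints the role's full action list.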

huangapple
  • Published on July 10, 2023 14:31:35
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76651172.html