Azure RBAC应用程序.见解.组件-贡献者与监控贡献者

Question

我试图理解Azure RBAC中这两个角色之间的重叠。看起来监视器贡献者除了“Microsoft.Resources/部署/*”之外，还完全涵盖了应用程序洞察力-组件-贡献者。考虑到以下情况，我是否要将web可用性测试部署到AppInsights资源中，并且部署标识是服务主体，它已经被授予了监视器-贡献者权限。我是否也应该赋予这个身份‘应用-洞察力-组件-贡献者’，以便能够创建这些资源或‘监视器贡献者’是足够好？

1编辑

我也在部署警报规则，以及测试和那些作为rm模板实现的规则，如果SP被授予监视-贡献者-只有它失败了

Error: requesting Validation for Template Deployment "app508-dfpg-dev3-diag-eastus2-backoffice-ai-test-dep" (Resource Group "app508-dfpg-ne-diag-eastus2"): resources.DeploymentsClient#Validate: Failure sending request: StatusCode=403 -- Original Error: Code="AuthorizationFailed" Message="The client '2c20abbf-e825-495c-9d06-90c5f04f9c60' with object id '2c20abbf-0000-0000-0000-90c5f04f9c60' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/subscriptions/s/resourcegroups/app508-dfpg-ne-diag-eastus2/providers/Microsoft.Resources/deployments/app508-dfpg-dev3-diag-eastus2-backoffice-ai-test-dep' or the scope is invalid. If access was recently granted, please refresh your credentials."

Answer 1

不需要赋予Application Insights Component Contributor角色，Monitoring Contributor角色就足够了。当您部署web可用性测试时，只需要Microsoft.Insights/webtests/*操作权限，它已经包含在Monitoring Contributor中。