存储帐户生命周期策略管理工作的 Azure IAM 权限是什么?
[英]What are the Azure IAM permissions for storage account lifecycle policy management to work?
问题描述
Added a policy in my test subscription and it works as expected.
在我的测试订阅中添加了一个策略,它按预期工作。 The same policy at my PROD sub work does not do anything, it should move blobs to the cool access tier from hot.我的 PROD 子工作中的相同策略没有做任何事情,它应该将 blob 从热移动到冷访问层。 On my test sub I have owner rights and storage blob data contributor rights.在我的测试潜艇上,我拥有所有者权限和存储 blob 数据贡献者权限。 On my PROD sub I have storage account contributor and storage blob data owner, should I also add storage blob data contributor rights?.在我的 PROD 子上,我有存储帐户参与者和存储 blob 数据所有者,我是否还应该添加存储 blob 数据参与者权限? Wouldn't that be included in storage account contributor?这不会包含在存储帐户贡献者中吗?
1 个解决方案
解决方案1
1 2022-08-25 10:31:29
In order to work with Azure Storage Account Life Cycle Management policies, you need role that includes
Microsoft.Storage/storageAccounts/managementPolicies/writepermission.Microsoft.Storage/storageAccounts/managementPolicies/write写入权限的角色。
The valid roles that allow you to work with Life Cycle Management policies are:允许您使用生命周期管理策略的有效角色是:
- Owner - It grants you full access to manage all resources along with assigning roles.所有者- 它授予您管理所有资源以及分配角色的完全访问权限。
- Contributor - It won't allow you to assign roles but grants full access to manage all resources.贡献者- 它不允许您分配角色,但授予管理所有资源的完全访问权限。
- Storage Account Contributor - It grants you full access to manage storage accounts(only).存储帐户贡献者- 它授予您管理存储帐户的完全访问权限(仅)。
As your Test subscription has Owner rights, it allowed you to manage Life Cycle Management policies.由于您的Test订阅具有所有者权限,因此您可以管理生命周期管理策略。
To confirm this, click on the role and check for storage management policies:要确认这一点,请单击角色并检查存储管理策略:
There is no need to assign Storage Blob Data Contributor role to Prod subscription as it already has Storage Account Contributor role that includes below actions:无需将存储 Blob 数据参与者角色分配给Prod订阅,因为它已经具有包含以下操作的存储帐户参与者角色:
I tried to reproduce the same in my environment by assigning Storage Account Contributor role and got below results.我试图通过分配存储帐户参与者角色在我的环境中重现相同的结果,并得到以下结果。
I created a Life Cycle Management policy to move blobs to the cool access tier from hot tier like below:我创建了一个生命周期管理策略,将 blob 从热层移动到冷访问层,如下所示:
Go to Azure Portal -> Storage Accounts -> Your account -> Lifecycle management -> Add a role Go 到 Azure 门户 -> 存储帐户 -> 您的帐户 -> 生命周期管理 -> 添加角色
When I checked the blobs, they are still in Hot access tier like below:当我检查 blob 时,它们仍处于Hot访问层,如下所示:
As I created the policy recently, it may take upto 48 hrs to be effective as mentioned below:正如我最近创建的政策一样,它可能需要长达48 小时才能生效,如下所述:
If that's your case, please wait for intended time period and check after a couple of days.如果这是您的情况,请等待预定的时间段并在几天后检查。 I'll update you whether the blobs moved to cool access tier from hot tier or not in a couple of days.我会在几天内通知您这些 Blob 是否从热层移至冷访问层。
References:参考:
Managing the lifecycle policies - Azure Storage | 管理生命周期策略 - Azure 存储 | Microsoft Docs 微软文档
Azure built-in roles - Azure RBAC | Azure 内置角色 - Azure RBAC | Microsoft Docs 微软文档
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.