Azure Data Lake gen2(Data Lake Storage)容器级别的访问控制与托管标识
Azure Data Lake gen2 (Data Lake Storage) Access Control on container level with Managed Identity
我尝试编写脚本将角色授予 Azure Data Lake gen2。为服务帐户添加这个没有问题:
$storageAccount = Get-AzResource -Name $StorageAccountName -ResourceGroupName $ResourceGroupName
$datafactory = Get-AzDataFactoryV2 -Name $DataFactoryName -ResourceGroupName $ResourceGroupName
$contributorRoleDefinition = Get-AzRoleDefinition -Scope $storageAccount.ResourceId -Name 'Contributor'
$dataFactoryRole = Get-AzRoleAssignment -Scope $storageAccount.ResourceId -ObjectId $datafactory.Identity.PrincipalId -RoleDefinitionId $contributorRoleDefinition.Id
if(!$dataFactoryRole)
{
New-AzRoleAssignment -Scope $storageAccount.ResourceId -ObjectId $datafactory.Identity.PrincipalId -RoleDefinitionId $contributorRoleDefinition.Id
Write-Host "Access to blob storage for data factory was granted"
}
else
{
Write-Host "Access to blob storage for data factory has already been granted"
}
问题是我想在容器级别而不是服务帐户级别授予大权限。以上脚本在容器级别生成:父资源(继承) 但需要的是:此资源.
我可以通过门户来完成,但对我的情况来说不是有效的解决方案。
如果想在容器级别grand权限,请参考以下脚本
Connect-AzAccount
$container=Get-AzRmStorageContainer -Name $StorageAccountName -ResourceGroupName $ResourceGroupName -Name $containerName
$datafactory = Get-AzDataFactoryV2 -Name <> -ResourceGroupName <>
$role=Get-AzRoleDefinition -Name "Storage Blob Data Reader"
$dataFactoryRole = Get-AzRoleAssignment -Scope $container.Id -ObjectId $datafactory.Identity.PrincipalId -RoleDefinitionId $role.Id
if(!$dataFactoryRole)
{
New-AzRoleAssignment -Scope $container.Id -ObjectId $datafactory.Identity.PrincipalId -RoleDefinitionId $role.Id
Write-Host "Access to blob storage for data factory was granted"
}
else
{
Write-Host "Access to blob storage for data factory has already been granted"
}
此外,请注意,如果您想使用 AD 身份验证访问 Azure Blob,您需要使用这些角色:Storage Blob 数据贡献者、Storage Blob数据 Reader 和 存储 Blob 数据所有者 。详情请参考here and here
我尝试编写脚本将角色授予 Azure Data Lake gen2。为服务帐户添加这个没有问题:
$storageAccount = Get-AzResource -Name $StorageAccountName -ResourceGroupName $ResourceGroupName
$datafactory = Get-AzDataFactoryV2 -Name $DataFactoryName -ResourceGroupName $ResourceGroupName
$contributorRoleDefinition = Get-AzRoleDefinition -Scope $storageAccount.ResourceId -Name 'Contributor'
$dataFactoryRole = Get-AzRoleAssignment -Scope $storageAccount.ResourceId -ObjectId $datafactory.Identity.PrincipalId -RoleDefinitionId $contributorRoleDefinition.Id
if(!$dataFactoryRole)
{
New-AzRoleAssignment -Scope $storageAccount.ResourceId -ObjectId $datafactory.Identity.PrincipalId -RoleDefinitionId $contributorRoleDefinition.Id
Write-Host "Access to blob storage for data factory was granted"
}
else
{
Write-Host "Access to blob storage for data factory has already been granted"
}
问题是我想在容器级别而不是服务帐户级别授予大权限。以上脚本在容器级别生成:父资源(继承) 但需要的是:此资源.
我可以通过门户来完成,但对我的情况来说不是有效的解决方案。
如果想在容器级别grand权限,请参考以下脚本
Connect-AzAccount
$container=Get-AzRmStorageContainer -Name $StorageAccountName -ResourceGroupName $ResourceGroupName -Name $containerName
$datafactory = Get-AzDataFactoryV2 -Name <> -ResourceGroupName <>
$role=Get-AzRoleDefinition -Name "Storage Blob Data Reader"
$dataFactoryRole = Get-AzRoleAssignment -Scope $container.Id -ObjectId $datafactory.Identity.PrincipalId -RoleDefinitionId $role.Id
if(!$dataFactoryRole)
{
New-AzRoleAssignment -Scope $container.Id -ObjectId $datafactory.Identity.PrincipalId -RoleDefinitionId $role.Id
Write-Host "Access to blob storage for data factory was granted"
}
else
{
Write-Host "Access to blob storage for data factory has already been granted"
}
此外,请注意,如果您想使用 AD 身份验证访问 Azure Blob,您需要使用这些角色:Storage Blob 数据贡献者、Storage Blob数据 Reader 和 存储 Blob 数据所有者 。详情请参考here and here