LAD 3.0 Failing to connect to Storage Account using SASToken

I am currently trying to deploy the Linux extension LAD via an ARM template. According to the documentation, the extension needs a SasToken and a storage account with table capacity in order to work. I deploy the storage account first, then call a method similar to this one in order to create a SasToken, and then deploy the extension using that token.

This works fine when the extension is installed. However, if I look at it in the portal, there is an error. It tells me I need the container and object permissions, which I did not have before, but I have now modified the SasToken parameters to include them in the deployment.

I tried searching for the main keywords from the message but could not figure it out.

Here is the error (it is long):

Problem(s) detected in generated mdsd configuration. Can't enable, although this install/enable operation is reported as successful so the VM can complete successful startup. Linux Diagnostic Extension will exit. Config validation message: 2020-11-25T17:07:57.9564180Z: Not all GCS env vars are defined. Missing 6: MONITORING_GCS_ENVIRONMENT MONITORING_GCS_ACCOUNT MONITORING_GCS_REGION MONITORING_GCS_CERT_CERTFILE MONITORING_GCS_CERT_KEYFILE MONITORING_GCS_STORAGE_RESOURCE_TAG_TYPE. GCS won't be used. Parse reported these messages:
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(3) Error: Invalid SAS token given. Reason: Account SAS must enable container and object access (srt='co' or better)
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(18) Fatal: AddMonikerEventInfo() failed: No default credential is found.
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(25) Error: No default credentials were defined
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(31) Fatal: AddMonikerEventInfo() failed: No default credential is found.
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(45) Fatal: AddMonikerEventInfo() failed: No default credential is found.
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(60) Fatal: AddMonikerEventInfo() failed: No default credential is found.
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(71) Fatal: AddMonikerEventInfo() failed: No default credential is found.
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(84) Fatal: AddMonikerEventInfo() failed: No default credential is found.
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement

Here is my template without the ladCfg, because it is very long:

{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
  "vmName": {
    "type": "string",
    "metadata": {
      "description": "The VM Name."
    }
  },
  "location": {
    "type": "string",
    "metadata": {
      "description": "The location."
    }
  },
  "storageAccountName": {
    "type": "string",
    "metadata": {
      "description": "Storage Account Name."
    }
  },
  "storageAccountEndpoint": {
    "type": "string",
    "metadata": {
      "description": "Storage Account Endpoint."
    },
    "defaultValue": "https://core.windows.net"
  },
  "accountSasProperties": {
    "type": "object",
    "defaultValue": {
      "signedServices": "btq",
      "signedPermission": "rwlacup",
      "signedExpiry": "2030-01-01T00:00:01Z",
      "signedResourceTypes": "sco",
      "keyToSign":"key1"
    }
  }

},
"variables": {
  "perfSink": "[concat(parameters('vmName'),'-perfSink')]",
  "sysLogSink": "[concat(parameters('vmName'),'-sysLogSink')]"
},
"resources": [
  {
    "type": "Microsoft.Compute/virtualMachines/extensions",
    "name": "[concat(parameters('vmName'), '/LinuxDiagnostic')]",
    "apiVersion": "2019-07-01",
    "location": "[parameters('location')]",
    "properties": {
      "publisher": "Microsoft.Azure.Diagnostics",
      "type": "LinuxDiagnostic",
      "typeHandlerVersion": "3.0",
      "autoUpgradeMinorVersion": true,
      "settings": {
        "sinksConfig": {
          "sink": [
            {
              "name": "[variables('perfSink')]",
              "type": "JsonBlob"
            },
            {
              "name": "[variables('syslogSink')]",
              "type": "JsonBlob"
            }
          ]
        },
        "StorageAccount": "[parameters('storageAccountName')]",
        "ladCfg": { ... }
      },
      "protectedSettings": {
        "storageAccountName": "[parameters('storageAccountName')]",
        "storageAccountEndPoint": "[parameters('storageAccountEndpoint')]",
        "storageAccountSasToken": "[listAccountSas(resourceId('Microsoft.Storage/storageAccounts',parameters('storageAccountName')), '2018-02-01', parameters('accountSasProperties')).accountSasToken]"
      }
    }
  }
],
"outputs": {
}}

Any help is greatly appreciated.

I will summarize my suggestion as follows.

When we install the Linux Diagnostic extension to monitor metrics and logs and store the data in Azure Storage, we should provide an Account SAS token for the Blob and Table services (ss='bt'), applicable to containers and objects (srt='co'), granting the add, create, list, update and write permissions (sp='acluw'). In addition, regarding how to create an Account SAS token in an Azure ARM template, we can use the ARM resource function listAccountSas.

For example:

"parameters": {
  "accountSasProperties": {
    "type": "object",
    "defaultValue": {
      "signedServices": "bt",
      "signedResourceTypes": "co",
      "signedPermission": "acluw",
      "signedExpiry": "9001-01-30T16:00:00Z"
    }
  }
},
...
"sasToken": "[listAccountSas(parameters('storagename'), '2018-02-01', parameters('accountSasProperties')).accountSasToken]"

For details, please refer to:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-functions-resource?tabs=json#list-example

https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux?toc=/azure/azure-monitor/toc.json#protected-settings
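As an added example (not part of the question or answer above), the following check script parses the query string of an account SAS token, such as the one returned by listAccountSas, and reports whether it meets the LAD requirements stated in the answer (ss covering 'bt', srt covering 'co', sp covering 'acluw'), so the "Invalid SAS token given" error can be caught before the extension is deployed. It also flags expired tokens and tokens whose expiry is unusually far away (the 365-day threshold is my own choice); the sample tokens and the sig values are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import parse_qs

# Account SAS fields LAD 3.0 needs; a superset (e.g. srt='sco') is accepted.
REQUIRED = {"ss": set("bt"), "srt": set("co"), "sp": set("acluw")}

# Constructed sample tokens (signatures are placeholders, not real HMACs).
GOOD_SAS = ("sv=2018-02-01&ss=bt&srt=co&sp=acluw&se=2030-01-01T00:00:01Z"
            "&spr=https&sig=PLACEHOLDER_SIGNATURE")
BAD_SAS = ("sv=2018-02-01&ss=btq&srt=s&sp=rwlacup&se=9001-01-30T16:00:00Z"
           "&sig=PLACEHOLDER_SIGNATURE")
FIXED_NOW = datetime(2029, 6, 1, tzinfo=timezone.utc)  # fixed clock for a repeatable check


def check_lad_sas(sas_token: str, now: Optional[datetime] = None,
                  max_days: int = 365) -> List[str]:
    """Return the problems found in an account SAS query string.
    An empty list means the token satisfies the LAD requirements."""
    now = now or datetime.now(timezone.utc)
    fields = {k: v[0] for k, v in
              parse_qs(sas_token.lstrip("?"), keep_blank_values=True).items()}
    problems: List[str] = []
    # ss / srt / sp must each contain every required letter.
    for key, needed in REQUIRED.items():
        missing = needed - set(fields.get(key, ""))
        if missing:
            problems.append(f"{key}={fields.get(key, '<absent>')!r} "
                            f"lacks {''.join(sorted(missing))!r}")
    # Without a signature the string is not a usable SAS at all.
    if not fields.get("sig"):
        problems.append("sig is missing")
    # A SAS stays valid until 'se' or until the signing account key is
    # rotated, so reject expired tokens and flag very long-lived ones.
    se = fields.get("se")
    if not se:
        problems.append("se (expiry) is missing")
    else:
        expiry = datetime.fromisoformat(se.replace("Z", "+00:00"))
        if expiry <= now:
            problems.append(f"token expired at {se}")
        elif expiry - now > timedelta(days=max_days):
            problems.append(f"expiry {se} is more than {max_days} days away")
    return problems


if __name__ == "__main__":
    for label, token in (("good", GOOD_SAS), ("bad", BAD_SAS)):
        print(label, check_lad_sas(token, now=FIXED_NOW) or "OK")
```

Run against the bad sample it reports the srt shortfall exactly as the extension's validator does, plus the year-9001 expiry; the permission string 'rwlacup' passes because it is a superset of 'acluw'.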