"Microsoft.Sql/servers/auditingSettings" asking for StorageBlobContributor access for non-vnet Storage Account
I am deploying a SQL server through an ARM template. When setting up the auditing settings for this SQL server with a storage account, it is asking for permissions.
According to link, we need the permissions only when the storage account is behind a firewall. However, my storage account is open to the Internet, so the permission prerequisite should not apply here.
I have set this configuration using the PowerShell cmdlet 'Set-AzSqlServerAudit' and it works. But it fails in the ARM template.
Template snippet:
{
    "type": "Microsoft.Sql/servers/auditingSettings",
    "apiVersion": "2020-08-01-preview",
    "name": "[concat(parameters('serverName'), '/Default')]",
    "dependsOn": [
        "[resourceId('Microsoft.Sql/servers', parameters('serverName'))]"
    ],
    "properties": {
        "isDevopsAuditEnabled": false,
        "retentionDays": 0,
        "auditActionsAndGroups": [
            "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
            "FAILED_DATABASE_AUTHENTICATION_GROUP",
            "BATCH_COMPLETED_GROUP"
        ],
        "isStorageSecondaryKeyInUse": false,
        "isAzureMonitorTargetEnabled": false,
        "state": "Enabled",
        "storageEndpoint": "[parameters('centralMonitoringStorageAccount')]",
        "storageAccountSubscriptionId": "[parameters('centralMonitoringStorageAccountSubscriptionId')]"
    }
},
Error:
New-AzResourceGroupDeployment : 4:37:56 AM - Resource Microsoft.Sql/servers/auditingSettings 'coe-extollo-apis-sqlserver-dev/Default' failed with message '{
"status": "Failed",
"error": {
"code": "ResourceDeploymentFailure",
"message": "The resource operation completed with terminal provisioning state 'Failed'.",
"details": [
{
"code": "BlobAuditingInsufficientStorageAccountPermissions",
"message": "Insufficient read or write permissions on storage account 'xtocoeeucommonsdev'. Add permissions to the server Identity to the storage account."
}
]
}
}'
Regarding this problem: you did not add storageAccountAccessKey in the template, so the SQL server does not have permission to access the storage account. If you do not add it, you need to enable the identity on the Azure SQL server and assign Storage Blob Data Contributor to that identity at the storage account level. Then SQL will have permission to access the storage account. For more details, please refer to here.
So please update your template as follows.
{
    "type": "Microsoft.Sql/servers/auditingSettings",
    "apiVersion": "2020-08-01-preview",
    "name": "[concat(parameters('serverName'), '/Default')]",
    "dependsOn": [
        "[resourceId('Microsoft.Sql/servers', parameters('serverName'))]"
    ],
    "properties": {
        "isDevopsAuditEnabled": false,
        "retentionDays": 0,
        "auditActionsAndGroups": [
            "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
            "FAILED_DATABASE_AUTHENTICATION_GROUP",
            "BATCH_COMPLETED_GROUP"
        ],
        "isStorageSecondaryKeyInUse": false,
        "isAzureMonitorTargetEnabled": false,
        "state": "Enabled",
        "storageEndpoint": "[parameters('centralMonitoringStorageAccount')]",
        "storageAccountAccessKey": "<account key>",
        "storageAccountSubscriptionId": "[parameters('centralMonitoringStorageAccountSubscriptionId')]"
    }
},
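The identity-based alternative the answer mentions, written out as a complete template so the ordering is visible (an added example, not code from the question or the answer). It assumes the audit storage account already exists in the same subscription and resource group as the deployment, that the parameter names adminLogin, adminPassword and auditStorageAccountName are hypothetical, and that ba92f5b4-2d11-453d-a403-e96b0029c9fe is the built-in Storage Blob Data Contributor role definition; the storage account key never appears in the template, and auditingSettings depends on the role assignment so it is not created before the identity can write.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0",
  "parameters": {
    "serverName": { "type": "string" }, "adminLogin": { "type": "string" },
    "adminPassword": { "type": "securestring" }, "auditStorageAccountName": { "type": "string" }
  },
  "variables": {
    "sqlServerId": "[resourceId('Microsoft.Sql/servers', parameters('serverName'))]",
    "storageId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('auditStorageAccountName'))]",
    "blobContributorRoleId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
    "roleAssignmentName": "[guid(variables('sqlServerId'), variables('storageId'), 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]"
  },
  "resources": [
    {
      // 1. The SQL server gets a system-assigned managed identity; auditing writes to blob storage as this principal.
      "type": "Microsoft.Sql/servers",
      "apiVersion": "2020-08-01-preview",
      "name": "[parameters('serverName')]",
      "location": "[resourceGroup().location]",
      "identity": { "type": "SystemAssigned" },
      "properties": { "administratorLogin": "[parameters('adminLogin')]", "administratorLoginPassword": "[parameters('adminPassword')]" }
    },
    {
      // 2. Grant that identity the built-in Storage Blob Data Contributor role, scoped to the audit storage account only (no shared key in the template).
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "scope": "[concat('Microsoft.Storage/storageAccounts/', parameters('auditStorageAccountName'))]",
      "name": "[variables('roleAssignmentName')]",
      "dependsOn": [ "[variables('sqlServerId')]" ],
      "properties": {
        "roleDefinitionId": "[variables('blobContributorRoleId')]",
        "principalId": "[reference(variables('sqlServerId'), '2020-08-01-preview', 'Full').identity.principalId]",
        "principalType": "ServicePrincipal"
      }
    },
    {
      // 3. Create auditing only after the role assignment exists; otherwise the deployment reports BlobAuditingInsufficientStorageAccountPermissions.
      "type": "Microsoft.Sql/servers/auditingSettings",
      "apiVersion": "2020-08-01-preview",
      "name": "[concat(parameters('serverName'), '/Default')]",
      "dependsOn": [ "[extensionResourceId(variables('storageId'), 'Microsoft.Authorization/roleAssignments', variables('roleAssignmentName'))]" ],
      "properties": {
        "state": "Enabled",
        "storageEndpoint": "[reference(variables('storageId'), '2021-04-01').primaryEndpoints.blob]",
        "auditActionsAndGroups": [ "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP", "FAILED_DATABASE_AUTHENTICATION_GROUP", "BATCH_COMPLETED_GROUP" ]
      }
    }
  ]
}
```

For a storage account in another subscription, as in the question, the role assignment has to be deployed into that subscription (for example through a nested deployment), since the scope property above only reaches resources in the deployment's own resource group.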