Why can't I connect to my azure blob storage account using a managed identity?
I have a python 3.8 application deployed on a kubernetes cluster on Azure that has to access a blob storage container in an account in a different resource group. I am using a managed identity to authenticate and query the container:
from azure.identity import ManagedIdentityCredential
from azure.storage.blob import BlobServiceClient, ContainerClient

# Excerpt from a method of the class that owns self.client; task_config,
# container and BlobStorageContainerDoesNotExistError are defined elsewhere.
creds = ManagedIdentityCredential()
url_template = task_config["ACCOUNT_ADDRESS_TEMPLATE"]
account_name = task_config["BLOB_STORAGE_ACCOUNT"]
account_url = url_template.replace("*", account_name)
blob_service_client = BlobServiceClient(account_url=account_url, credential=creds)
if container not in [c.name for c in blob_service_client.list_containers()]:
    raise BlobStorageContainerDoesNotExistError(
        f"Container {container} does not exist"
    )
self.client: ContainerClient = blob_service_client.get_container_client(
    container=container
)
I have verified that the managed identity has been assigned the Storage Blob Data Contributor role on the storage account as well as at the resource group level. I have verified that the token generated when instantiating the ManagedIdentityCredential() object refers to the correct managed identity, and I have whitelisted the outbound IP of the python application (and every other IP that could possibly apply, just in case). Despite that, I keep getting this error when trying to list the containers in the account:
Http ResponseError(response=response, model=error)\nazure.core.exceptions.HttpResponseError: Operation returned an invalid status 'This request is not authorized to perform this operation.'
Can anyone point me in the right direction?
Specs:
azure-identity = "1.5"
azure-storage-blob = "12.8.1"
python = "3.8"
platform: linux docker containers running on kubernetes cluster deployed on azure.
I have tested this in my environment.
It seems you are using a storage account that allows access from selected networks.
Please make sure to allow access from your AKS VMSS virtual network:
Then you can use the python script below to list the blob containers in the storage account:
from azure.storage.blob import BlobServiceClient
from azure.identity import ManagedIdentityCredential

creds = ManagedIdentityCredential()
blob_service_client = BlobServiceClient(account_url="https://StorageAccountName.blob.core.windows.net/", credential=creds)
test = blob_service_client.list_containers()
for container in test:
    print(container.name)
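The answer's diagnosis rests on telling a network-rule denial apart from an RBAC or token problem, which the storage service signals through the error code in the 403 body: "This request is not authorized to perform this operation." is AuthorizationFailure (network rules), whereas a missing data-plane role ends with "using this permission" (AuthorizationPermissionMismatch). The following is an added example, not code from the question or the answer; it parses that XML body and checks a networkRuleSet of the shape returned by az storage account show for the AKS subnet. The sample error body and subnet IDs are constructed, and subnet_allowed is a hypothetical helper name.

```python
"""Triage a 403 from Azure Blob Storage: network rule vs RBAC vs token problem."""
import xml.etree.ElementTree as ET
from typing import Tuple

# Storage error codes and the layer that produced them.
CAUSES = {
    "AuthorizationFailure": "network rules: caller's network is not allowed (firewall/VNet rules)",
    "AuthorizationPermissionMismatch": "RBAC: identity lacks a data-plane role such as Storage Blob Data Contributor",
    "InvalidAuthenticationInfo": "token: bearer token missing or malformed",
    "AuthenticationFailed": "token: token rejected (wrong audience/tenant or expired)",
}


def classify_error(body: str) -> Tuple[str, str]:
    """Return (error code, likely cause) for the XML error body of a storage response."""
    root = ET.fromstring(body)
    code = root.findtext("Code", default="")
    return code, CAUSES.get(code, "unknown: inspect Code and Message")


def subnet_allowed(rule_set: dict, subnet_id: str) -> bool:
    """True if the account's networkRuleSet admits traffic from subnet_id.

    Hypothetical helper. defaultAction "Allow" means no restriction; with
    "Deny" the subnet must appear in virtualNetworkRules with action "Allow".
    """
    if rule_set.get("defaultAction", "Allow").lower() == "allow":
        return True
    rules = rule_set.get("virtualNetworkRules") or []
    return any(
        r.get("virtualNetworkResourceId", "").lower() == subnet_id.lower()
        and r.get("action", "Allow").lower() == "allow"
        for r in rules
    )


# Constructed sample: the body behind the error message quoted in the question.
NETWORK_DENIED = (
    "<Error><Code>AuthorizationFailure</Code>"
    "<Message>This request is not authorized to perform this operation.\n"
    "RequestId:00000000-0000-0000-0000-000000000000\n"
    "Time:2021-01-01T00:00:00.0000000Z</Message></Error>"
)

if __name__ == "__main__":
    code, cause = classify_error(NETWORK_DENIED)
    print(f"{code}: {cause}")
```

If classify_error reports a network-rule cause, compare the AKS node subnet resource ID against the account's rule set with subnet_allowed before touching role assignments again.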