Azure DevOps AzCopy Authentication failed, it is either not correct, or expired, or does not have the correct permission

I am using the Azure file copy task to upload build artifacts to a blob container, but I always get the error below.

0.0 %, 0 Done, 0 Failed, 1 Pending, 0 Skipped, 1 Total, 
INFO: Authentication failed, it is either not correct, or expired, or does not have the correct permission -> github.com/Azure/azure-storage-blob-go/azblob.newStorageError, /home/vsts/go/pkg/mod/github.com/!azure/azure-storage-blob-go@v0.10.1-0.20201022074806-8d8fc11be726/azblob/zc_storage_error.go:42
===== RESPONSE ERROR (ServiceCode=AuthorizationPermissionMismatch) =====
Description=This request is not authorized to perform this operation using this permission.
RequestId:ae545517-501e-00ce-0798-ea489e000000
Time:2021-12-06T11:54:25.0571292Z, Details: 
   Code: AuthorizationPermissionMismatch
   PUT mybloburl?blockid=YjA4YjIzN2UtODJhMC1mMjQzLTUwOGYtNmYxNDcwOGJjZmY0&comp=block&timeout=901
   Authorization: REDACTED
   Content-Length: [8388608]
   User-Agent: [TFS_useragent AzCopy/10.8.0 Azure-Storage/0.10 (go1.13; Windows_NT)]
   X-Ms-Client-Request-Id: [65465-83ea-4410-450e-dd5b722b6cb3]
   X-Ms-Version: [2019-12-12]
   --------------------------------------------------------------------------------
   RESPONSE Status: 403 This request is not authorized to perform this operation using this permission.

Below is the content of my YAML file for this task.

steps:
- task: AzureFileCopy@4
  displayName: 'AzureBlob File Copy'
  inputs:
    SourcePath: '$(Build.ArtifactStagingDirectory)/myfile.zip'
    azureSubscription: 'my-azure-connection'
    Destination: AzureBlob
    storage: mystorage
    ContainerName: mycontainer

After reading this issue, I figured out what could be the reason. As you might already know, a new service principal is created whenever you create a service connection in Azure DevOps; I have explained this in detail here. For the AzureFileCopy@4 task to work, we have to add a role assignment under the Role assignments of the resource group. You can see this when you click Access control (IAM). You can also click Manage service connection roles in the service connection created for this purpose, which redirects you to the IAM screen.

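  1. Click + Add and select Add role assignment.
  2. Select Storage Blob Data Contributor or Storage Blob Data Owner as the role.
  3. Click Next; on the next screen, add the service principal as a member by searching for its name. (You can get the name of the service principal from Azure DevOps, on the service connection page, by clicking the Manage Service Principal link. My service principal looked like "AzureDevOps.userna.[guid]".)
  4. Once everything is configured, click Review + assign.
  5. Wait a few minutes and run your pipeline again. Your pipeline should now run successfully.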

You can apply the same fix when you get the error "Upload to container: '' in storage account: '' with blob prefix: ''".
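
The portal steps in the answer above, expressed with the Azure CLI, as an added example that is not part of the original post. It assumes `az` is signed in with rights to create role assignments; the function names and all IDs are placeholders, and it goes beyond the answer by scoping the assignment to the storage account (or one container) instead of the whole resource group, which should be verified against the pipeline before relying on it.

```shell
#!/bin/sh
# Added example (not from the original post): grant the service connection's
# service principal a blob data role at a scope narrower than the resource group.

# Build the ARM scope of a storage account, or of one container when a
# fourth argument is given. Arguments: subscription-id resource-group account [container]
blob_scope() (
  scope="/subscriptions/$1/resourceGroups/$2/providers/Microsoft.Storage/storageAccounts/$3"
  if [ -n "${4:-}" ]; then
    scope="$scope/blobServices/default/containers/$4"
  fi
  printf '%s\n' "$scope"
)

# Create the role assignment.
# Arguments: service-principal-object-id scope [role]
# Only the two roles named in the answer are accepted.
# With DRY_RUN=1 the command is printed (for display only) instead of executed.
assign_blob_role() (
  sp_object_id="$1"
  scope="$2"
  role="${3:-Storage Blob Data Contributor}"
  case "$role" in
    "Storage Blob Data Contributor"|"Storage Blob Data Owner") ;;
    *) echo "unsupported role: $role" >&2; exit 2 ;;
  esac
  set -- az role assignment create \
    --assignee-object-id "$sp_object_id" \
    --assignee-principal-type ServicePrincipal \
    --role "$role" \
    --scope "$scope"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
)

# Example call (placeholder IDs; 'mystorage' is the account name from the question):
#   scope=$(blob_scope "<subscription-id>" "<resource-group>" mystorage)
#   assign_blob_role "<service-principal-object-id>" "$scope"
```

Role assignments can take a few minutes to propagate, which matches the wait in the answer's last step.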