Azure 函数 - 写入存储的托管 ID table - 失败,出现 403 AuthorizationPermissionMismatch
Azure Function - Managed IDs to write to storage table - failing with 403 AuthorizationPermissionMismatch
我有一个写入存储队列的 Azure 函数应用程序(HTTP 触发器)和 table。当我尝试更改为托管 ID 时,两者都失败了。这个 post / 问题只是关于存储 table 部分。
这是实际写入 table 的代码:
GetStorageAccountConnectionData();
try
{
WorkspaceProvisioningRecord provisioningRecord = new PBIWorkspaceProvisioningRecord();
provisioningRecord.status = requestType;
provisioningRecord.requestId = requestId;
provisioningRecord.workspace = request;
#if DEBUG
Console.WriteLine(Environment.GetEnvironmentVariable("AZURE_TENANT_ID"));
Console.WriteLine(Environment.GetEnvironmentVariable("AZURE_CLIENT_ID"));
DefaultAzureCredentialOptions options = new DefaultAzureCredentialOptions()
{
Diagnostics =
{
LoggedHeaderNames = { "x-ms-request-id" },
LoggedQueryParameters = { "api-version" },
IsLoggingContentEnabled = true
},
ExcludeVisualStudioCodeCredential = true,
ExcludeAzureCliCredential = true,
ExcludeManagedIdentityCredential = true,
ExcludeAzurePowerShellCredential = true,
ExcludeSharedTokenCacheCredential = true,
ExcludeInteractiveBrowserCredential = true,
ExcludeVisualStudioCredential = true
};
#endif
DefaultAzureCredential credential = new DefaultAzureCredential();
Console.WriteLine(connection.storageTableUri);
Console.WriteLine(credential);
var serviceClient = new TableServiceClient(new Uri(connection.storageTableUri), credential);
var tableClient = serviceClient.GetTableClient(connection.tableName);
await tableClient.CreateIfNotExistsAsync();
var entity = new TableEntity();
entity.PartitionKey = provisioningRecord.status;
entity.RowKey = provisioningRecord.requestId;
entity["requestId"] = provisioningRecord.requestId.ToString();
entity["status"] = provisioningRecord.status.ToString();
entity["workspace"] = JsonConvert.SerializeObject(provisioningRecord.workspace);
//this is where I get the 403
await tableClient.UpsertEntityAsync(entity);
//other stuff...
catch(AuthenticationFailedException e)
{
Console.WriteLine($"Authentication Failed. {e.Message}");
WorkspaceResponse response = new PBIWorkspaceResponse();
response.requestId = null;
response.status = "failure";
return response;
}
catch (Exception ex)
{
Console.WriteLine($"whoops! Failed to create storage record:{ex.Message}");
WorkspaceResponse response = new WorkspaceResponse();
response.requestId = null;
response.status = "failure";
return response;
}
我在 local.settings.json 中将此安全主体的客户端 ID/客户端机密定义为 AZURE_TENANT_ID/AZURE_CLIENT_ID/AZURE_CLIENT_SECRET。
代码在尝试执行更新插入时死机。而且它永远不会遇到 AuthenticationFailedException - 只是一般异常。
AZURE* 变量中定义的安全主体用于创建包括存储帐户在内的整个应用程序。
要管理存储帐户内的数据(如创建 table 等),您需要分配不同的权限集。 Owner 角色是一个 control-plane 角色,使您能够管理存储帐户本身,而不是其中的数据。
从这个link:
Only roles explicitly defined for data access permit a security
principal to access blob data. Built-in roles such as Owner,
Contributor, and Storage Account Contributor permit a security
principal to manage a storage account, but do not provide access to
the blob data within that account via Azure AD.
虽然上面的文字是针对 Blob,但同样适用于表。
请将 Storage Table Data Contributor 分配给您的托管身份,这样您就不会收到此错误。
我有一个写入存储队列的 Azure 函数应用程序(HTTP 触发器)和 table。当我尝试更改为托管 ID 时,两者都失败了。这个 post / 问题只是关于存储 table 部分。
这是实际写入 table 的代码:
GetStorageAccountConnectionData();
try
{
WorkspaceProvisioningRecord provisioningRecord = new PBIWorkspaceProvisioningRecord();
provisioningRecord.status = requestType;
provisioningRecord.requestId = requestId;
provisioningRecord.workspace = request;
#if DEBUG
Console.WriteLine(Environment.GetEnvironmentVariable("AZURE_TENANT_ID"));
Console.WriteLine(Environment.GetEnvironmentVariable("AZURE_CLIENT_ID"));
DefaultAzureCredentialOptions options = new DefaultAzureCredentialOptions()
{
Diagnostics =
{
LoggedHeaderNames = { "x-ms-request-id" },
LoggedQueryParameters = { "api-version" },
IsLoggingContentEnabled = true
},
ExcludeVisualStudioCodeCredential = true,
ExcludeAzureCliCredential = true,
ExcludeManagedIdentityCredential = true,
ExcludeAzurePowerShellCredential = true,
ExcludeSharedTokenCacheCredential = true,
ExcludeInteractiveBrowserCredential = true,
ExcludeVisualStudioCredential = true
};
#endif
DefaultAzureCredential credential = new DefaultAzureCredential();
Console.WriteLine(connection.storageTableUri);
Console.WriteLine(credential);
var serviceClient = new TableServiceClient(new Uri(connection.storageTableUri), credential);
var tableClient = serviceClient.GetTableClient(connection.tableName);
await tableClient.CreateIfNotExistsAsync();
var entity = new TableEntity();
entity.PartitionKey = provisioningRecord.status;
entity.RowKey = provisioningRecord.requestId;
entity["requestId"] = provisioningRecord.requestId.ToString();
entity["status"] = provisioningRecord.status.ToString();
entity["workspace"] = JsonConvert.SerializeObject(provisioningRecord.workspace);
//this is where I get the 403
await tableClient.UpsertEntityAsync(entity);
//other stuff...
catch(AuthenticationFailedException e)
{
Console.WriteLine($"Authentication Failed. {e.Message}");
WorkspaceResponse response = new PBIWorkspaceResponse();
response.requestId = null;
response.status = "failure";
return response;
}
catch (Exception ex)
{
Console.WriteLine($"whoops! Failed to create storage record:{ex.Message}");
WorkspaceResponse response = new WorkspaceResponse();
response.requestId = null;
response.status = "failure";
return response;
}
我在 local.settings.json 中将此安全主体的客户端 ID/客户端机密定义为 AZURE_TENANT_ID/AZURE_CLIENT_ID/AZURE_CLIENT_SECRET。
代码在尝试执行更新插入时死机。而且它永远不会遇到 AuthenticationFailedException - 只是一般异常。
AZURE* 变量中定义的安全主体用于创建包括存储帐户在内的整个应用程序。
要管理存储帐户内的数据(如创建 table 等),您需要分配不同的权限集。 Owner 角色是一个 control-plane 角色,使您能够管理存储帐户本身,而不是其中的数据。
从这个link:
Only roles explicitly defined for data access permit a security principal to access blob data. Built-in roles such as Owner, Contributor, and Storage Account Contributor permit a security principal to manage a storage account, but do not provide access to the blob data within that account via Azure AD.
虽然上面的文字是针对 Blob,但同样适用于表。
请将 Storage Table Data Contributor 分配给您的托管身份,这样您就不会收到此错误。