How to grant access to a storage account locked down by a firewall in Azure

Question (votes: 0, answers: 1)

I have a storage account in my Azure account that has been locked down via the "Networking" section with "Enabled from selected virtual networks and IP addresses".

I now want to grant access to this storage account to a virtual machine hosted in another Azure account (different tenant). The VM has no public IP or NSG configured. The goal is for it to download blobs using a script that authenticates via a service principal and the azure.storage.blob Python module.

I have already tried looking up the IP that the VM uses to egress to the internet and whitelisting that public IP at the storage account level, but I still get the following error:

Traceback (most recent call last):
  File "/tmp/blob_download.py", line 39, in <module>
    download_blob_file(
  File "/tmp/blob_download.py", line 25, in download_blob_file
    blob_contents = blob_client.download_blob().readall()
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/my-envs/py311/lib/python3.11/site-packages/azure/core/tracing/decorator.py", line 76, in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/opt/my-envs/py311/lib/python3.11/site-packages/azure/storage/blob/_blob_client.py", line 851, in download_blob
    return StorageStreamDownloader(**options)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/my-envs/py311/lib/python3.11/site-packages/azure/storage/blob/_download.py", line 349, in __init__
    self._response = self._initial_request()
                     ^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/my-envs/py311/lib/python3.11/site-packages/azure/storage/blob/_download.py", line 429, in _initial_request
    process_storage_error(error)
  File "/opt/my-envs/py311/lib/python3.11/site-packages/azure/storage/blob/_shared/response_handlers.py", line 181, in process_storage_error
    exec("raise error from None")   # pylint: disable=exec-used # nosec
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "<string>", line 1, in <module>
azure.core.exceptions.HttpResponseError: This request is not authorized to perform this operation.
RequestId:xxxxx
Time:2024-10-01T14:12:19.4117902Z
ErrorCode:AuthorizationFailure
Content: <?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.
RequestId:xxxx
Time:2024-10-01T14:12:19.4117902Z</Message></Error>

I want to point out that with public access enabled on the storage account (Enabled from all networks) the download works fine, so all the required permissions are already configured for the SP:

  1. Storage Account Key Operator Service Role
  2. Reader at the storage account level
  3. Storage Blob Data Reader

The SP is added in the Entra ID of the tenant where the storage account lives. The second account (the one attempting the download on the VM) authenticates using this SP.

azure azure-storage-account
1 answer

0 votes

Access can only be granted using the CLI:

az storage account network-rule add -g myRG --account myAccount --subnet mySubnetId
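As an added example (not code from the question or the answer), here is a small offline helper for reading the error body shown in the traceback and deciding which kind of network rule the situation calls for. It assumes nothing about the real account: the XML body is the one from the question's traceback, and the client IPs and rule ranges are constructed placeholders. The relevant points it encodes are that AuthorizationFailure with this message comes from the account's network rules rather than from RBAC (a missing data-plane role produces AuthorizationPermissionMismatch instead, so the roles listed in the question are not what is being rejected), that storage IP rules only accept public ranges (RFC 1918 space cannot be added), and that IP rules do not apply to traffic arriving from the same Azure region, which is the case where the subnet rule from the answer is the right tool.

```python
"""Offline diagnostic for the AuthorizationFailure seen in the question.

Added example, not code from the question or the answer. The error body is
copied from the question's traceback; all IPs and rule ranges are constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Error body returned by the storage service in the question's traceback.
SAMPLE_ERROR_BODY = (
    '<?xml version="1.0" encoding="utf-8"?>'
    "<Error><Code>AuthorizationFailure</Code>"
    "<Message>This request is not authorized to perform this operation.\n"
    "RequestId:xxxx\n"
    "Time:2024-10-01T14:12:19.4117902Z</Message></Error>"
)

# Which layer of the storage account produces each error code.
ERROR_LAYER = {
    "AuthorizationFailure": "network rules",          # firewall / VNet rules
    "AuthorizationPermissionMismatch": "rbac role assignment",  # data-plane role missing
    "AuthenticationFailed": "credential",             # token or signature rejected
}

# Ranges that storage IP rules refuse to accept (RFC 1918).
RFC1918 = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def parse_storage_error(body: str) -> dict:
    """Split the XML error body into code, message, request id and time."""
    root = ET.fromstring(body)
    lines = (root.findtext("Message") or "").splitlines()
    info = {"code": root.findtext("Code"), "message": lines[0].strip() if lines else ""}
    for line in lines[1:]:
        key, _, value = line.partition(":")  # "RequestId:xxxx", "Time:2024-..."
        info[key.strip().lower()] = value.strip()
    return info


def error_layer(code: str) -> str:
    return ERROR_LAYER.get(code, "unknown")


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def is_valid_ip_rule(rule: str) -> bool:
    """Storage IP rules accept only public ranges; RFC 1918 space is rejected."""
    try:
        net = ipaddress.ip_network(rule, strict=False)
    except ValueError:
        return False
    return not any(net.overlaps(p) for p in RFC1918)


def ip_allowed(client_ip: str, ip_rules) -> bool:
    """Would this source address match any (valid) IP rule on the account?"""
    addr = ipaddress.ip_address(client_ip)
    return any(
        addr in ipaddress.ip_network(rule, strict=False)
        for rule in ip_rules
        if is_valid_ip_rule(rule)
    )


def diagnose(body: str, client_ip: str, ip_rules) -> str:
    """Return which fix applies: the failing layer, or the kind of network rule."""
    info = parse_storage_error(body)
    layer = error_layer(info["code"])
    if layer != "network rules":
        return layer  # RBAC or credential problem, not the firewall
    if is_rfc1918(client_ip):
        # A VM without a public IP reaches storage from a private address,
        # which can never match an IP rule: use a subnet rule (the answer's
        # az storage account network-rule add --subnet ...) or a private endpoint.
        return "subnet rule"
    if ip_allowed(client_ip, ip_rules):
        # The public IP is already allowed yet the request is rejected; IP
        # rules are not applied to traffic from the same Azure region as the
        # account, so a subnet rule is needed there as well.
        return "same-region path"
    return "ip rule"


if __name__ == "__main__":
    print(parse_storage_error(SAMPLE_ERROR_BODY))
    print(diagnose(SAMPLE_ERROR_BODY, "10.0.0.4", ["203.0.113.10"]))
```

Running the module prints the parsed error and, for a private source address, the "subnet rule" verdict, which is the case the answer's command addresses.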