我正在实现在 Azure Synapse 工作区中分配角色的逻辑。我有以下设置:
将资源部署到客户订阅的市场应用程序(已拒绝分配):
安装市场应用程序后,我将 C# 应用程序的映像推送到 ACR 并将其安装到 Azure 容器应用程序中。
该应用程序具有调用服务的端点,该服务更新 Azure Synapse 工作区中的角色分配。它有以下步骤
即使将托管身份设置为 Synapse 工作区的所有者,我每次都会收到 403 错误,并且应该能够分配 Synapse 管理员等角色
P.S 我尝试使用https://management.azure.com/.default和https://dev.azuresynapse.net/scopes
HTTP 客户端代码
public TokenCredential GetCredential(string tenantId = default)
{
if (string.IsNullOrEmpty(tenantId) is false)
{
return new DefaultAzureCredential(new DefaultAzureCredentialOptions
{
TenantId = tenantId,
});
}
if (string.IsNullOrEmpty(EnvironmentVariables.ManagedIdentityClientId))
{
return new DefaultAzureCredential();
}
var credential = new DefaultAzureCredential(
new DefaultAzureCredentialOptions
{
ManagedIdentityClientId = EnvironmentVariables.ManagedIdentityClientId,
TenantId = EnvironmentVariables.TenantId,
});
return credential;
}
private async Task<string> GetAccessTokenAsync(CancellationToken cancellationToken)
{
var credential = credentialProvider.GetCredential();
var tokenRequestContext = new TokenRequestContext(
scopes: new[] { "https://management.azure.com/.default" }
);
var tokenRequest = await credential.GetTokenAsync(tokenRequestContext, cancellationToken);
logger.LogInformation(tokenRequest.Token);
return tokenRequest.Token;
}
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
string roleId = "6e4bf58a-b8e1-4cc3-bbf9-d73143322b78"; //Azure Synapse Administrator
var requestBody = new
{
roleId,
principalId = EnvironmentVariables.ManagedIdentityObjectPrincipalId,
scope = $"workspaces/{EnvironmentVariables.SynapseWorkspaceName}",
principalType = "ServicePrincipal"
};
var guid = Guid.NewGuid();
var jsonBody = JsonConvert.SerializeObject(requestBody);
var content = new StringContent(jsonBody, Encoding.UTF8, "application/json");
var url = $"https://{EnvironmentVariables.SynapseWorkspaceName}.dev.azuresynapse.net/roleAssignments/{guid}?api-version=2020-12-01";
var response = await httpClient.PutAsync(url, content, cancellationToken).ConfigureAwait(false);
if (response.IsSuccessStatusCode)
{
Console.WriteLine("Role assignment created successfully.");
}
RoleAssignments客户端代码
public TokenCredential GetCredential(string tenantId = default)
{
if (string.IsNullOrEmpty(tenantId) is false)
{
return new DefaultAzureCredential(new DefaultAzureCredentialOptions
{
TenantId = tenantId,
});
}
if (string.IsNullOrEmpty(EnvironmentVariables.ManagedIdentityClientId))
{
return new DefaultAzureCredential();
}
var credential = new DefaultAzureCredential(
new DefaultAzureCredentialOptions
{
ManagedIdentityClientId = EnvironmentVariables.ManagedIdentityClientId,
TenantId = EnvironmentVariables.TenantId,
});
return credential;
}
Guid principalId = new Guid(EnvironmentVariables.ManagedIdentityObjectPrincipalId);
Guid roleId = new Guid("6e4bf58a-b8e1-4cc3-bbf9-d73143322b78"); // Synapse Administrator
string endpointUrl = $"https://{EnvironmentVariables.SynapseWorkspaceName}.dev.azuresynapse.net";
var credential = credentialProvider.GetCredential();
var accessControlClient = new RoleAssignmentsClient(new Uri(endpointUrl), credential);
string roleAssignmentId = Guid.NewGuid().ToString();
string scope = $"workspaces/{EnvironmentVariables.SynapseWorkspaceName}";
var response = await accessControlClient.CreateRoleAssignmentAsync(
roleId: roleId,
principalId: principalId,
scope: scope,
roleAssignmentId: roleAssignmentId,
cancellationToken: cancellationToken);
我刚刚发现错误 403 是由默认拒绝托管应用程序上所有权限的分配引起的。更新技术配置并添加 Microsoft.Synapse/workspaces/administrators/write 以绕过拒绝默认拒绝分配后,应用程序不再收到 403 错误:)