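I'm having trouble accessing Azure Blob Storage through a private endpoint with a SAS token in an Azure DevOps pipeline. Although the private endpoint, the SAS token and the pipeline are configured correctly, I still get an AuthorizationFailure error when the pipeline attempts Blob operations such as read and write. Error message: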
azure.core.exceptions.HttpResponseError: This request is not authorized to perform this operation.
RequestId:70336d7b-201e-005c-179d-938271000000
Time:2024-04-21T03:36:35.5944080Z
ErrorCode:AuthorizationFailure
Content: <?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation. RequestId:70336d7b-201e-005c-179d-938271000000 Time:2024-04-21T03:36:35.5944080Z</Message></Error>
Code:
from azure.storage.blob import BlobServiceClient, generate_account_sas, ResourceTypes, AccountSasPermissions
from datetime import datetime, timedelta
import pandas as pd
from io import BytesIO

ACCOUNT_NAME = "****"
CONTAINER_NAME = "****"
account_url = f"https://{ACCOUNT_NAME}.blob.core.windows.net"
account_key = '****'

# Account-level SAS: container and object scope, read/write/list, valid for one hour
sas_token = generate_account_sas(
    account_name=ACCOUNT_NAME,
    account_key=account_key,
    resource_types=ResourceTypes(container=True, object=True),
    permission=AccountSasPermissions(read=True, write=True, list=True),
    expiry=datetime.utcnow() + timedelta(hours=1)
)
I think the problem is that my Blob is "private" and the firewall blocks everyone. I have a private endpoint, but how do I use it in an Azure Pipeline? Is that possible?
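If you want to use a private endpoint from Azure Pipelines, you must create a self-hosted agent that is connected to the same VNET as the Blob private endpoint (or to a peered VNET). Microsoft-hosted agents cannot reach private endpoints at all.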
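A check that can be run as a pipeline step on the agent, added here as an example (it is not part of the original question or answer): it resolves the storage account's blob hostname with the agent's own DNS and reports whether the answer is a private address, which is what an agent joined to the private endpoint's VNET should see. The function names are hypothetical, and it assumes the VNET uses RFC 1918 address space.

```python
import ipaddress
import socket
import sys

# Assumption: the VNET uses RFC 1918 address space, as most do.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve_ipv4(hostname):
    """Resolve hostname with the machine's own DNS settings; return sorted IPv4 strings."""
    infos = socket.getaddrinfo(hostname, 443, family=socket.AF_INET, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def classify(addresses):
    """Return 'private', 'public' or 'mixed' for a non-empty list of IPv4 strings."""
    flags = {any(ipaddress.ip_address(a) in net for net in RFC1918) for a in addresses}
    if flags == {True}:
        return "private"
    return "public" if flags == {False} else "mixed"


def check_blob_endpoint(account_name, resolver=resolve_ipv4):
    """Report which endpoint this machine would reach for the storage account."""
    host = f"{account_name}.blob.core.windows.net"
    try:
        addresses = resolver(host)
    except socket.gaierror as exc:
        return {"host": host, "addresses": [], "verdict": "unresolved", "detail": str(exc)}
    verdict = classify(addresses)
    detail = {
        "private": "name resolves inside the VNET; requests go to the private endpoint",
        "public": "name resolves to the public endpoint; this agent is not using the private endpoint",
        "mixed": "both private and public answers; check the DNS configuration of the agent",
    }[verdict]
    return {"host": host, "addresses": addresses, "verdict": verdict, "detail": detail}


if __name__ == "__main__":
    # Usage: python check_endpoint.py <storage-account-name>
    result = check_blob_endpoint(sys.argv[1])
    print(result)
    sys.exit(0 if result["verdict"] == "private" else 1)
```

A non-zero exit code fails the pipeline step early, before any SAS-authenticated Blob call is attempted.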