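I am trying to download an Azure Blob to a Windows target machine. As per this question, it evidently cannot be downloaded there directly. So my landing zone is the Ansible controller node, and I intend to use the copy module to move the file to the Windows target machine.
I made sure the prerequisites for this module are met by running python v3.12.3 and azcollection v2.7.0. My role is written as follows: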
- name: Download RDS Certificate
  azure.azcollection.azure_rm_storageblob:
    resource_group: "{{ resource_group }}"
    storage_account_name: "{{ storage_account }}"
    container: "{{ storage_container }}"
    blob: "{{ cert_blob }}"
    dest: "/tmp/{{ cert_blob }}"
    auth_source: auto
    subscription_id: "{{ lookup('env', 'AZURE_SUBSCRIPTION_ID') }}"
    client_id: "{{ lookup('env', 'AZURE_CLIENT_ID') }}"
    secret: "{{ lookup('env', 'AZURE_SECRET') }}"
    tenant: "{{ lookup('env', 'AZURE_TENANT') }}"
  register: rds_certificate_downloaded
  until: rds_certificate_downloaded is succeeded
  retries: 2
  delay: 10
  ignore_errors: true # temporarily added
The playbook reads:
- name: Perform activities pertaining to other RDS activities
  hosts: "localhost"
  connection: local
  roles:
    - plt_engg/download-rds-certificate
  tags:
    - download-rds-certificate
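I also made sure the service principal in use has the Contributor and Storage Blob Data Contributor RBAC roles assigned. But no matter what I do, authentication fails every time. Does anyone have a workaround?
Error snippet: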
File "<string>", line 1, in <module>
azure.core.exceptions.HttpResponseError: This request is not authorized to perform this operation.
RequestId:c5b434b1-d01e-0075-6380-2fa3b3000000
Time:2024-11-05T12:41:47.2537019Z
ErrorCode:AuthorizationFailure
Content: <?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.
RequestId:c5b434b1-d01e-0075-6380-2fa3b3000000
Time:2024-11-05T12:41:47.2537019Z</Message></Error>
fatal: [localhost]: FAILED! => {
"attempts": 2,
"changed": false,
"module_stderr": "Traceback (most recent call last):\n File \"/home/USER/.ansible/tmp/ansible-tmp-1730810505.1070528-3075-81437847270667/AnsiballZ_azure_rm_storageblob.py\", line 107, in <module>\n _ansiballz_main()\n File \"/home/USER/.ansible/tmp/ansible-tmp-1730810505.1070528-3075-81437847270667/AnsiballZ_azure_rm_storageblob.py\", line 99, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/home/USER/.ansible/tmp/ansible-tmp-1730810505.1070528-3075-81437847270667/AnsiballZ_azure_rm_storageblob.py\", line 47, in invoke_module\n runpy.run_module(mod_name='ansible_collections.azure.azcollection.plugins.modules.azure_rm_storageblob', init_globals=dict(_module_fqn='ansible_collections.azure.azcollection.plugins.modules.azure_rm_storageblob', _modlib_path=modlib_path),\n File \"<frozen runpy>\", line 226, in run_module\n File \"<frozen runpy>\", line 98, in _run_module_code\n File \"<frozen runpy>\", line 88, in _run_code\n File \"/tmp/ansible_azure.azcollection.azure_rm_storageblob_payload_qmx6i7_u/ansible_azure.azcollection.azure_rm_storageblob_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_storageblob.py\", line 682, in <module>\n File \"/tmp/ansible_azure.azcollection.azure_rm_storageblob_payload_qmx6i7_u/ansible_azure.azcollection.azure_rm_storageblob_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_storageblob.py\", line 678, in main\n File \"/tmp/ansible_azure.azcollection.azure_rm_storageblob_payload_qmx6i7_u/ansible_azure.azcollection.azure_rm_storageblob_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_storageblob.py\", line 290, in __init__\n File \"/tmp/ansible_azure.azcollection.azure_rm_storageblob_payload_qmx6i7_u/ansible_azure.azcollection.azure_rm_storageblob_payload.zip/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py\", line 474, in __init__\n File 
\"/tmp/ansible_azure.azcollection.azure_rm_storageblob_payload_qmx6i7_u/ansible_azure.azcollection.azure_rm_storageblob_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_storageblob.py\", line 305, in exec_module\n File \"/tmp/ansible_azure.azcollection.azure_rm_storageblob_payload_qmx6i7_u/ansible_azure.azcollection.azure_rm_storageblob_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_storageblob.py\", line 440, in get_container\n File \"/home/USER/ansible-env/lib/python3.12/site-packages/azure/core/tracing/decorator.py\", line 76, in wrapper_use_tracer\n return func(*args, **kwargs)\n ^^^^^^^^^^^^^^^^^^^^^\n File \"/home/USER/ansible-env/lib/python3.12/site-packages/azure/storage/blob/_container_client.py\", line 498, in get_container_properties\n process_storage_error(error)\n File \"/home/USER/ansible-env/lib/python3.12/site-packages/azure/storage/blob/_shared/response_handlers.py\", line 181, in process_storage_error\n exec(\"raise error from None\") # pylint: disable=exec-used # nosec\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"<string>\", line 1, in <module>\nazure.core.exceptions.HttpResponseError: This request is not authorized to perform this operation.\nRequestId:c5b434b1-d01e-0075-6380-2fa3b3000000\nTime:2024-11-05T12:41:47.2537019Z\nErrorCode:AuthorizationFailure\nContent: <?xml version=\"1.0\" encoding=\"utf-8\"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.\nRequestId:c5b434b1-d01e-0075-6380-2fa3b3000000\nTime:2024-11-05T12:41:47.2537019Z</Message></Error>\n",
"module_stdout": "",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
"rc": 1
}
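The culprit was the storage account networking. I had restricted it to selected networks, and apparently the VNET containing the Ansible controller node was missing.
*Azure Portal -> Storage account -> Security + networking -> Firewalls and virtual networks -> check Allow access from (All networks / Selected networks).
If "Enabled from selected virtual networks and IP addresses" is checked, it means the storage account is firewall restricted.*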
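
The check described in the answer (RBAC roles are in place, yet the storage firewall rejects the request with AuthorizationFailure) can be made mechanical. This is an added example, not part of the original post: the rule set below is constructed, its field names are assumed to follow the output of `az storage account show --query networkRuleSet`, and `controller_allowed` is a hypothetical helper name.

```python
import ipaddress
import json

# Constructed sample; field names assumed to match the az CLI networkRuleSet output.
SAMPLE_RULE_SET = json.loads("""
{
  "bypass": "AzureServices",
  "defaultAction": "Deny",
  "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"}],
  "virtualNetworkRules": [
    {"action": "Allow",
     "virtualNetworkResourceId": "/subscriptions/SUB/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/app-vnet/subnets/app"}
  ]
}
""")


def controller_allowed(rule_set, public_ip=None, subnet_id=None):
    """Return (allowed, reason) for a client calling the storage data plane.

    public_ip: the controller's egress IP; subnet_id: ARM ID of its subnet.
    """
    # With defaultAction Allow the firewall is open and only RBAC/keys decide.
    if rule_set.get("defaultAction", "Allow") == "Allow":
        return True, "firewall open: defaultAction is Allow"
    if subnet_id:
        for rule in rule_set.get("virtualNetworkRules", []):
            if rule.get("action", "Allow") != "Allow":
                continue
            rid = rule.get("virtualNetworkResourceId") or rule.get("id", "")
            if rid.lower() == subnet_id.lower():  # ARM IDs are case-insensitive
                return True, "subnet has a virtual network rule"
    if public_ip:
        addr = ipaddress.ip_address(public_ip)
        for rule in rule_set.get("ipRules", []):
            if rule.get("action", "Allow") != "Allow":
                continue
            value = rule.get("ipAddressOrRange") or rule.get("value", "")
            if value and addr in ipaddress.ip_network(value, strict=False):
                return True, f"IP rule {value} matches"
    return False, "defaultAction is Deny and no rule covers the controller"
```

A `False` result with valid RBAC assignments matches the failure in the question: the fix is a network rule for the controller's subnet or IP, not more role assignments.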