如何启用存储帐户列表的AAD身份验证?

huangapple go评论79阅读模式
英文:

How to enable AAD authentication for storage account listing?

问题

I'm following this tutorial for listing all of the storage accounts in my subscription. Previously I used Microsoft.Azure.Management.Fluent but this is now deprecated so that's the reason for switching to the new approach suggested by Microsoft. I had no issues with Microsoft.Azure.Management.Fluent but now I can't authenticate against my DefaultAzureCredential that is later on used as an input of ArmClient. I have my Managed Identity switched ON for my App Service that contains the code that calls the function for listing storage accounts but still doesn't work. I spent my last two days in searching for the right permissions and how to set them but failed. Has someone used this functionality in the cloud and what did you do to make it work?

英文:

I'm following this tutorial for listing all of the storage accounts in my subscription. Previously I used Microsoft.Azure.Management.Fluent but this is now deprecated so that's the reason for switching to the new approach suggested by Microsoft. I had no issues with Microsoft.Azure.Management.Fluent but now I can't authenticate against my DefaultAzureCredential that is later on used as an input of ArmClient. I have my Managed Identity switched ON for my App Service that contains the code that calls the function for listing storage accounts but still doesn't work. I spent my last two days in searching for the right permissions and how to set them but failed. Has someone used this functionality in cloud and what did you do to make it work?

答案1

得分: 1

以下是您要的中文翻译部分:

我尝试在我的环境中复制相同的操作,并获得以下结果:

我创建了一个具有相同代码的 Web 应用程序,并成功将其发布到 Azure,如下所示:

如何启用存储帐户列表的AAD身份验证?

当我检查了 Portal 时,在 Azure Web 应用程序中创建了一个与以下相同名称的 WebJob:

如何启用存储帐户列表的AAD身份验证?

现在,我通过单击 "运行" 运行了上述 WebJob,状态更改为 正在运行,如下所示:

如何启用存储帐户列表的AAD身份验证?

当我从上面的屏幕检查 日志 选项卡时,我得到了响应中的 AuthorizationFailed 错误,如下所示:

如何启用存储帐户列表的AAD身份验证?

请注意,DefaultAzureCredential 将根据您的应用程序配置自动检测身份验证方法。如果您启用了系统管理的身份验证,确保为其分配适当的 RBAC 角色

要在订阅中列出存储帐户,您可以为订阅下的 托管标识 分配 Storage Blob Data ReaderReader 角色,如下所示:

进入 Azure 门户 -> 应用服务 -> 您的应用服务 -> 身份 -> Azure 角色分配

如何启用存储帐户列表的AAD身份验证?

我选择了 Storage Blob Data Reader 角色,并将范围设置为 订阅,如下所示:

如何启用存储帐户列表的AAD身份验证?

几分钟后,成功将角色分配给了 托管标识,如下所示:

如何启用存储帐户列表的AAD身份验证?

现在我运行 WebJob,得到了带有 Succeeded 消息的 响应,如下所示:

如何启用存储帐户列表的AAD身份验证?

要在本地环境通过 Visual Studio 运行相同的代码,请使用 DefaultAzureCredential 作为身份验证方法登录 有效 用户帐户。

在我的情况下,我运行了 az login 命令,并使用 admin 帐户登录,如下所示:

如何启用存储帐户列表的AAD身份验证?

现在,我运行相同的代码以列出存储帐户,成功地获取了资源 ID 的响应,如下所示:

using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Resources;
using Azure.ResourceManager.Storage;

TokenCredential cred = new DefaultAzureCredential();

ArmClient client = new ArmClient(cred);

string subscriptionId = "9c80bd38-bcc9-4ccb-8afe-xxxxxxxxxx";
ResourceIdentifier subscriptionResourceId = SubscriptionResource.CreateResourceIdentifier(subscriptionId);
SubscriptionResource subscriptionResource = client.GetSubscriptionResource(subscriptionResourceId);

await foreach (StorageAccountResource item in subscriptionResource.GetStorageAccountsAsync())
{

    StorageAccountData resourceData = item.Data;
    // for demo we just print out the id
    Console.WriteLine($"Succeeded on id: {resourceData.Id}");
}

Console.WriteLine($"Succeeded");

响应:

如何启用存储帐户列表的AAD身份验证?

参考:
如何使用 Azure 服务进行 .NET 应用程序身份验证 | Microsoft

英文:

I tried to reproduce to the same in my environment and got below results:

I created one web application with same code and published it to Azure successfully like below:

如何启用存储帐户列表的AAD身份验证?

When I checked Portal, webjob created in Azure Web App with same name as below:

如何启用存储帐户列表的AAD身份验证?

Now, I ran the above webjob by clicking Run where state changed to Running like below:

如何启用存储帐户列表的AAD身份验证?

When I checked Logs tab from above screen, I got AuthorizationFailed error in response like this:

如何启用存储帐户列表的AAD身份验证?

> Note that, DefaultAzureCredential will automatically detect
> authentication method based on your app's configuration. If you
> enabled system-managed identity, make sure to assign proper RBAC role to it.

To list storage accounts in subscription, you can assign Storage Blob Data Reader or Reader role to managed identity under subscription like this:

Go to Azure Portal -> App Services -> Your App Service -> Identity -> Azure role assignments

如何启用存储帐户列表的AAD身份验证?

I selected Storage Blob Data Reader role with Subscription as scope like below:

如何启用存储帐户列表的AAD身份验证?

After few minutes, role assigned successfully to managed identity like this:

如何启用存储帐户列表的AAD身份验证?

When I ran webjob now, I got response with Succeeded message like below:

如何启用存储帐户列表的AAD身份验证?

To run the same code from local environment via Visual Studio, sign in with valid user account that is used by DefaultAzureCredential as authentication method.

In my case, I ran az login command and signed in with admin account like this:

如何启用存储帐户列表的AAD身份验证?

When I ran same code now to list storage accounts, I got response with resource id successfully like below:

using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Resources;
using Azure.ResourceManager.Storage;

TokenCredential cred = new DefaultAzureCredential();

ArmClient client = new ArmClient(cred);

string subscriptionId = "9c80bd38-bcc9-4ccb-8afe-xxxxxxxxxx";
ResourceIdentifier subscriptionResourceId = SubscriptionResource.CreateResourceIdentifier(subscriptionId);
SubscriptionResource subscriptionResource = client.GetSubscriptionResource(subscriptionResourceId);

await foreach (StorageAccountResource item in subscriptionResource.GetStorageAccountsAsync())
{

    StorageAccountData resourceData = item.Data;
    // for demo we just print out the id
    Console.WriteLine($"Succeeded on id: {resourceData.Id}");
}

Console.WriteLine($"Succeeded");

Response:

如何启用存储帐户列表的AAD身份验证?

Reference:
How to authenticate .NET applications with Azure services | Microsoft

huangapple
  • 本文由 发表于 2023年3月7日 17:09:56
  • 转载请务必保留本文链接:https://go.coder-hub.com/75659937.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定