How to enable AAD authentication for storage account listing?

Question

I'm following this tutorial for listing all of the storage accounts in my subscription. Previously I used Microsoft.Azure.Management.Fluent, but this is now deprecated, so that's the reason for switching to the new approach suggested by Microsoft. I had no issues with Microsoft.Azure.Management.Fluent, but now I can't authenticate against my DefaultAzureCredential that is later on used as an input of ArmClient. I have my Managed Identity switched ON for my App Service that contains the code that calls the function for listing storage accounts, but it still doesn't work. I spent my last two days searching for the right permissions and how to set them, but failed. Has someone used this functionality in the cloud, and what did you do to make it work?

Answer 1

Score: 1


I tried to reproduce the same in my environment and got the results below:

I created a web application with the same code and published it to Azure successfully, like below:

When I checked the Portal, a WebJob had been created in the Azure Web App with the same name, as below:

Now, I ran the above WebJob by clicking Run, and the state changed to Running, like below:

When I checked the Logs tab from the above screen, I got an AuthorizationFailed error in the response, like this:

> Note that DefaultAzureCredential will automatically detect the
> authentication method based on your app's configuration. If you
> enabled system-managed identity, make sure to assign a proper RBAC role to it.

To list storage accounts in a subscription, you can assign the Storage Blob Data Reader or Reader role to the managed identity under the subscription, like this:

Go to Azure Portal -> App Services -> Your App Service -> Identity -> Azure role assignments

I selected the Storage Blob Data Reader role with Subscription as the scope, like below:

After a few minutes, the role was assigned successfully to the managed identity, like this:

When I ran the WebJob now, I got a response with a Succeeded message, like below:

To run the same code from a local environment via Visual Studio, sign in with a valid user account that DefaultAzureCredential uses as the authentication method.

In my case, I ran the az login command and signed in with an admin account, like this:

When I ran the same code now to list storage accounts, I got a response with the resource IDs successfully, like below:

```csharp
using System;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Resources;
using Azure.ResourceManager.Storage;

// DefaultAzureCredential picks managed identity in App Service and the
// developer's az login / Visual Studio sign-in on a local machine.
TokenCredential cred = new DefaultAzureCredential();

ArmClient client = new ArmClient(cred);

string subscriptionId = "9c80bd38-bcc9-4ccb-8afe-xxxxxxxxxx";
ResourceIdentifier subscriptionResourceId = SubscriptionResource.CreateResourceIdentifier(subscriptionId);
SubscriptionResource subscriptionResource = client.GetSubscriptionResource(subscriptionResourceId);

// Enumerate every storage account the principal is allowed to read in the subscription.
await foreach (StorageAccountResource item in subscriptionResource.GetStorageAccountsAsync())
{
    StorageAccountData resourceData = item.Data;
    // for demo we just print out the id
    Console.WriteLine($"Succeeded on id: {resourceData.Id}");
}

Console.WriteLine($"Succeeded");
```

Response:


Reference:
How to authenticate .NET applications with Azure services | Microsoft
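The answer's listing code lets DefaultAzureCredential pick whatever credential source it finds and surfaces an AuthorizationFailed error only as an unhandled exception. The following is an added example (not code from the answer above, nor from Microsoft's tutorial) that keeps the same ArmClient/GetStorageAccountsAsync calls but pins the credential source to the managed identity when running in App Service, falls back to the developer's sign-in locally, and turns the 403 AuthorizationFailed case into an explicit, actionable failure. WEBSITE_SITE_NAME is the variable App Service sets for every site; APP_SUBSCRIPTION_ID and the StorageAccountLister class name are assumptions of this example. The Azure.Identity and Azure.ResourceManager.Storage packages are assumed to be referenced.

```csharp
// Added example: hardened variant of the listing code from the answer above.
// Assumes .NET 6+, packages Azure.Identity, Azure.ResourceManager and
// Azure.ResourceManager.Storage, and an APP_SUBSCRIPTION_ID environment variable
// (APP_SUBSCRIPTION_ID and the class name are this example's own choices).
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Resources;
using Azure.ResourceManager.Storage;

public static class StorageAccountLister
{
    // Choose the credential source deliberately instead of accepting whatever
    // DefaultAzureCredential discovers first.
    public static TokenCredential BuildCredential(bool runningInAzure, string? userAssignedClientId = null)
    {
        if (runningInAzure)
        {
            // In App Service only the managed identity is acceptable: exclude every
            // developer-machine source so a misconfigured identity fails loudly
            // instead of silently reusing a cached user login.
            return new DefaultAzureCredential(new DefaultAzureCredentialOptions
            {
                ManagedIdentityClientId = userAssignedClientId, // null = system-assigned identity
                ExcludeInteractiveBrowserCredential = true,
                ExcludeVisualStudioCredential = true,
                ExcludeVisualStudioCodeCredential = true,
                ExcludeAzureCliCredential = true,
                ExcludeAzurePowerShellCredential = true,
                ExcludeSharedTokenCacheCredential = true,
            });
        }

        // Locally the developer's az login / Visual Studio sign-in is expected,
        // exactly as the answer describes.
        return new DefaultAzureCredential();
    }

    // Returns the resource IDs of all storage accounts visible to the principal.
    public static async Task<IReadOnlyList<string>> ListStorageAccountIdsAsync(TokenCredential cred, string subscriptionId)
    {
        var client = new ArmClient(cred);
        ResourceIdentifier subId = SubscriptionResource.CreateResourceIdentifier(subscriptionId);
        SubscriptionResource subscription = client.GetSubscriptionResource(subId);

        var ids = new List<string>();
        try
        {
            await foreach (StorageAccountResource account in subscription.GetStorageAccountsAsync())
            {
                ids.Add(account.Data.Id.ToString());
            }
        }
        catch (RequestFailedException ex) when (ex.Status == 403 || ex.ErrorCode == "AuthorizationFailed")
        {
            // The token was issued, but the principal has no read permission on the
            // subscription (the AuthorizationFailed error the answer hit before the
            // role assignment). Fail closed with a message that names the fix.
            throw new InvalidOperationException(
                $"Principal has no read access on /subscriptions/{subscriptionId}. " +
                "Assign the Reader role (or another role containing " +
                "Microsoft.Storage/storageAccounts/read) to the managed identity at subscription scope.", ex);
        }
        catch (CredentialUnavailableException ex)
        {
            // No credential source produced a token at all: managed identity not
            // enabled in App Service, or no az login on a developer machine.
            throw new InvalidOperationException(
                "No usable Azure credential was found; check the managed identity or local sign-in.", ex);
        }
        return ids;
    }

    public static async Task Main()
    {
        // WEBSITE_SITE_NAME is set by App Service for every site.
        bool inAzure = Environment.GetEnvironmentVariable("WEBSITE_SITE_NAME") is not null;
        string subscriptionId = Environment.GetEnvironmentVariable("APP_SUBSCRIPTION_ID")
            ?? throw new InvalidOperationException("APP_SUBSCRIPTION_ID is not set");

        foreach (string id in await ListStorageAccountIdsAsync(BuildCredential(inAzure), subscriptionId))
        {
            Console.WriteLine($"Succeeded on id: {id}");
        }
    }
}
```

The explicit exclusions matter for least privilege as much as for debugging: with them, a WebJob can only ever act as its own managed identity, so the role assignment on that identity is the complete statement of what the job may read. The equivalent of the portal steps in the answer, for the identity's object ID, is `az role assignment create --assignee <objectId> --role "Reader" --scope "/subscriptions/<subscriptionId>"`, and `az role assignment list --assignee <objectId> --scope "/subscriptions/<subscriptionId>"` confirms it before the job is run again.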

Posted by huangapple on 2023-03-07 17:09:56. Source: https://go.coder-hub.com/75659937.html