
Managed Identity connection to storage I have no direct access to

Question


Situation: I have a LogicApp that is triggered by changes in blob storage. I have tested it on my Azure storage, I am satisfied with the workflow and now I want to change the connection so that it is triggered again by changes in Blob storage, but now it should be client storage. I am using Azure Portal for this.

The values I do have:

  • subscription name
  • subscription id
  • resource group name
  • storage name
  • container name

Also, I have communicated with the client, and my LogicApp with my subscription has been granted access to their side (I don't know if the access is for storage or for Managed Identity).
Another thing: I have found guides online on how to create a Managed Identity for my LogicApp (Identity -> Permissions -> Azure role assignments -> Add role assignment); however, this does not work on my side since I do not have access to this action within my project.

When trying to add a Managed Identity connection to the Blob trigger, it only asks for a name (which can be any string, as it is only a name for a local workflow if I understand correctly) and no other values. This makes me curious: how does it work? Where does it take the right values from so I could connect to the right destination?
(https://i.stack.imgur.com/2MgLM.png)

I tried to play around in code view under parameters section by adding the client values I have, but still no luck. I get an error message saying: "Failed to save logic app LogicApp-Main. The client 'Me' with object id 'My_Id-^^^-f275' has permission to perform action 'Microsoft.Logic/workflows/write' on scope '/subscriptions/My_Subscription_Id-^^^-3a27/resourceGroups/My_rg_name/providers/Microsoft.Logic/workflows/LogicApp-Main'; however, it does not have permission to perform action 'join/action' on the linked scope(s) '/subscriptions/CLient_Subscription_Id-^^^-08da/resourceGroups/Client_rg_Name/providers/Microsoft.Web/connections/azureblob-1' or the linked scope(s) are invalid."
(https://i.stack.imgur.com/vaIzC.png)

So the question:

  1. What am I doing wrong?
  2. How to achieve my goal?

Answer 1

Score: 0


If you want to change the connection to the client storage, then you definitely need the required permission, either from your side or from the client side, to establish the connection.
So, make sure that the access the client has given carries the permissions you need to access the client's blob storage.

  • To change the connection, you can use any one of the authentication types shown below.
    (screenshot: the connection's authentication-type options)

  • You can use the Logic App managed identity type; for that you need to add a system-assigned managed identity and then add role assignments for the Logic App on the client storage. But as you mentioned, you don't have permission to add roles, so you can check with someone who can add that role permission on your behalf.

  • If you are unable to do this from your side, then do it from the client side by requesting either the storage account access key or a Shared Access Signature.

  • To establish the connection, you can use Access key as the authentication type. Then you only need the client's storage account name and storage account access key.
    (screenshot: the Access Key connection form)
    If sharing the access key is not permitted, you can request a Shared Access Signature instead.
    (screenshot: the Shared Access Signature connection form)

  • As mentioned in the image above, a SAS grants access to a resource for a specified period of time. So, check with your client: if they granted access, what type of access did they provide, and is it enough to establish the connection?

  • Without enough permissions you can't establish the connection, and that is your issue, so check the possibility of sharing the access key or a SAS.
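The error quoted in the question is a linked-scope authorization failure: saving the workflow is allowed, but the API connection it references (`Microsoft.Web/connections/azureblob-1`) lives in the client's subscription, and the caller lacks `join/action` on it. The helper below, an added example that is not code from the question or the answer, parses that exact message into its two resource IDs, reports the fully qualified missing action and the cross-subscription mismatch, builds the RBAC scope on which a data role would be assigned to the Logic App's managed identity (the first route in the answer), and checks a SAS token's permissions and expiry (the second route). The SAS strings are constructed samples, not real tokens; the assumption that a blob trigger needs read plus list (`sp=rl`) is this example's, not the answer's.

```python
"""Diagnose the cross-subscription Logic App connection error and build the
scopes the answer describes.  Added example, not code from the original post."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Error message copied from the question above (identifiers already redacted there).
SAVE_ERROR = (
    "Failed to save logic app LogicApp-Main. The client 'Me' with object id "
    "'My_Id-^^^-f275' has permission to perform action 'Microsoft.Logic/workflows/write' "
    "on scope '/subscriptions/My_Subscription_Id-^^^-3a27/resourceGroups/My_rg_name"
    "/providers/Microsoft.Logic/workflows/LogicApp-Main'; however, it does not have "
    "permission to perform action 'join/action' on the linked scope(s) "
    "'/subscriptions/CLient_Subscription_Id-^^^-08da/resourceGroups/Client_rg_Name"
    "/providers/Microsoft.Web/connections/azureblob-1' or the linked scope(s) are invalid."
)

_RID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/(?P<ns>[^/]+)/(?P<type>[^/]+)/(?P<name>[^/]+)$"
)
_ERR = re.compile(
    r"permission to perform action '(?P<ok_action>[^']+)' on scope '(?P<ok_scope>[^']+)'"
    r".*?does not have permission to perform action '(?P<missing>[^']+)' "
    r"on the linked scope\(s\) '(?P<linked>[^']+)'",
    re.S,
)


@dataclass(frozen=True)
class ResourceId:
    subscription: str
    resource_group: str
    namespace: str
    resource_type: str
    name: str

    @property
    def full_type(self) -> str:
        return f"{self.namespace}/{self.resource_type}"


def parse_resource_id(rid: str) -> ResourceId:
    """Split a top-level ARM resource id into its five path components."""
    m = _RID.match(rid)
    if not m:
        raise ValueError(f"not a top-level ARM resource id: {rid}")
    return ResourceId(m["sub"], m["rg"], m["ns"], m["type"], m["name"])


def diagnose_save_error(message: str) -> Dict[str, object]:
    """Which linked resource blocks the save, the fully qualified action the caller
    lacks on it, and whether it sits in a different subscription than the workflow."""
    m = _ERR.search(message)
    if not m:
        raise ValueError("message is not a linked-scope authorization error")
    workflow = parse_resource_id(m["ok_scope"])
    linked = parse_resource_id(m["linked"])
    return {
        "workflow": workflow,
        "linked": linked,
        # The short 'join/action' in the message is relative to the linked resource type.
        "missing_action": f"{linked.full_type}/{m['missing']}",
        "cross_subscription": workflow.subscription != linked.subscription,
    }


def storage_role_scope(subscription: str, resource_group: str,
                       storage_account: str, container: Optional[str] = None) -> str:
    """RBAC scope for assigning a data-plane role (e.g. Storage Blob Data Reader) to the
    Logic App's managed identity; passing the container narrows it to least privilege."""
    scope = (f"/subscriptions/{subscription}/resourceGroups/{resource_group}"
             f"/providers/Microsoft.Storage/storageAccounts/{storage_account}")
    if container:
        scope += f"/blobServices/default/containers/{container}"
    return scope


def check_sas(sas: str, need: str = "rl", now: Optional[datetime] = None) -> List[str]:
    """Problems with a SAS for this use: permissions missing from 'sp', no 'sig', or an
    'se' expiry already in the past.  Read+list ('rl') is this example's assumption."""
    params = {k: v[0] for k, v in parse_qs(sas.lstrip("?")).items()}
    now = now or datetime.now(timezone.utc)
    problems: List[str] = []
    missing = "".join(p for p in need if p not in params.get("sp", ""))
    if missing:
        problems.append(f"sp lacks {missing}")
    if "se" not in params:
        problems.append("no expiry (se)")
    else:
        expiry = datetime.fromisoformat(params["se"].replace("Z", "+00:00"))
        if expiry.tzinfo is None:  # date-only expiry is UTC midnight
            expiry = expiry.replace(tzinfo=timezone.utc)
        if expiry <= now:
            problems.append(f"expired at {params['se']}")
    if "sig" not in params:
        problems.append("no signature (sig)")
    return problems


if __name__ == "__main__":
    d = diagnose_save_error(SAVE_ERROR)
    print(d["linked"].full_type, d["linked"].name, d["missing_action"], d["cross_subscription"])
    print(storage_role_scope("<client-sub-id>", "Client_rg_Name", "<storage-name>", "<container>"))
    print(check_sas("?sv=2022-11-02&sp=rl&se=2099-01-01T00:00:00Z&sig=constructed"))  # constructed SAS
```

The diagnosis shows why no amount of editing the workflow's parameters helps: the blocking resource is the connection object in the client's resource group, so either someone with rights in the client subscription grants the caller `join/action` on that connection (or creates the connection in the caller's own subscription), or the trigger is pointed at the storage account through a managed identity role assignment on the scope `storage_role_scope` returns, or through a key/SAS that `check_sas` confirms is unexpired and carries the needed permissions.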

huangapple
  • Posted on 2023-03-08 17:51:48
  • Original link: https://go.coder-hub.com/75671523.html