如何授予函数应用对 Azure 存储帐户的访问权限?

huangapple go评论64阅读模式
英文:

How do I grant a Function App access to an Azure Storage Account?

问题

如何为Function App授予对Azure存储账户的访问权限?

Azure存储表:

以下代码尝试访问Azure存储表:

let storageAccount   = CloudStorageAccount.Parse connectionString
let cloudTableClient = storageAccount.CreateCloudTableClient()
let cloudTable       = cloudTableClient.GetTableReference(tableName);

// ** 下面一行抛出异常 **
let! exists = cloudTable.ExistsAsync() |> Async.AwaitTask

异常:

意外的响应代码,期望:OK或NotFound,接收到:Forbidden

思考:

我认为我需要为Function App添加权限:Storage Data Table Contributor。

步骤:

  1. 在Azure门户中,导航到存在安全问题的Function App
  2. 在导航窗格中选择“访问控制(IAM)”
  3. 在页面上选择“角色分配”选项卡
  4. 点击“添加”按钮
  5. 尝试输入“Storage Data Table Contributor”

注意:“Storage Data Table Contributor”没有找到。

结论:

总之,我不知道如何解决Function App的安全访问异常,该异常似乎未被授权访问Azure存储表。

英文:

How do I grant a Function App access to an Azure Storage Account?

Context:

I do not know how to resolve the security access exception for a Function App that does not appear to be authorized to access an Azure Storage Table.

Currently the Access Control role assignments for the Function App are set to Contributor and Reader.

My hypothesis is that the Function App needs to have a Storage Data Table Contributor role assigned to it.

Azure Storage Table:

The following code attempts to access an Azure Storage Table:

let storageAccount   = CloudStorageAccount.Parse connectionString
let cloudTableClient = storageAccount.CreateCloudTableClient()
let cloudTable       = cloudTableClient.GetTableReference(tableName);

// ** EXCEPTION THROWN ON LINE BELOW **
let! exists = cloudTable.ExistsAsync() |> Async.AwaitTask

Exception:

Unexpected response code, Expected:OK or NotFound, Received:Forbidden

Thoughts:

I thought I needed to add the Function App permission: Storage Data Table Contributor.

Steps:

  1. In Azure Portal, navigate to the Function App that is observing the security issue
  2. Select Access Control (IAM) in Navigation pane
  3. Select Role Assignments tab on page
  4. Click Add button
  5. Attempt to enter "Storage Data Table Contributor"

Note that "Storage Data Table Contributor" is not found.

Conclusion:

In conclusion, I do not know how to resolve the security access exception for a Function App that does not appear to be authorized to access an Azure Storage Table.

References:

https://learn.microsoft.com/en-us/azure/storage/common/authorize-data-access

https://learn.microsoft.com/en-us/azure/storage/tables/authorize-access-azure-active-directory

https://stackoverflow.com/questions/73971321/azure-function-app-read-write-to-table-storage-invalidauthenticationinfoconten

答案1

得分: 1

以下是您需要执行的步骤:

  1. 为您的Azure函数创建一个系统分配的托管标识。
  2. 现在前往您的存储帐户,然后为您在步骤1中创建的托管标识分配“Storage Data Table Contributor”角色。

您可能会发现这个教程有帮助:https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-storage?tabs=azure-portal。

英文:

Here's what you would need to do:

  1. Create a system assigned managed identity for your Azure Function.
  2. Now go to your Storage account and then assign Storage Data Table Contributor role to the managed identity you created in step 1.

You may find this tutorial helpful: https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-storage?tabs=azure-portal.

答案2

得分: 0

在表存储上,您需要设置角色分配,而不是在函数上。

在函数上,您需要启用托管标识。这是您需要授予对表存储的访问权限的对象。

英文:

You need to set the role assignment on the Table storage, not on the Function.

On the Function you need to enable Managed Identity. That is the object you need to grant access to on the Table storage.

huangapple
  • 本文由 发表于 2023年3月9日 23:42:22
  • 转载请务必保留本文链接:https://go.coder-hub.com/75686897.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定