英文:
How do I grant a Function App access to an Azure Storage Account?
问题
如何为Function App授予对Azure存储账户的访问权限?
Azure存储表:
以下代码尝试访问Azure存储表:
let storageAccount = CloudStorageAccount.Parse connectionString
let cloudTableClient = storageAccount.CreateCloudTableClient()
let cloudTable = cloudTableClient.GetTableReference(tableName);
// ** 下面一行抛出异常 **
let! exists = cloudTable.ExistsAsync() |> Async.AwaitTask
异常:
意外的响应代码,期望:OK或NotFound,接收到:Forbidden
思考:
我认为我需要为Function App添加权限:Storage Data Table Contributor。
步骤:
- 在Azure门户中,导航到存在安全问题的Function App
- 在导航窗格中选择“访问控制(IAM)”
- 在页面上选择“角色分配”选项卡
- 点击“添加”按钮
- 尝试输入“Storage Data Table Contributor”
注意:“Storage Data Table Contributor”没有找到。
结论:
总之,我不知道如何解决Function App的安全访问异常,该异常似乎未被授权访问Azure存储表。
英文:
How do I grant a Function App access to an Azure Storage Account?
Context:
I do not know how to resolve the security access exception for a Function App that does not appear to be authorized to access an Azure Storage Table.
Currently the Access Control role assignments for the Function App are set to Contributor and Reader.
My hypothesis is that the Function App needs to have a Storage Data Table Contributor role assigned to it.
Azure Storage Table:
The following code attempts to access an Azure Storage Table:
let storageAccount = CloudStorageAccount.Parse connectionString
let cloudTableClient = storageAccount.CreateCloudTableClient()
let cloudTable = cloudTableClient.GetTableReference(tableName);
// ** EXCEPTION THROWN ON LINE BELOW **
let! exists = cloudTable.ExistsAsync() |> Async.AwaitTask
Exception:
Unexpected response code, Expected:OK or NotFound, Received:Forbidden
Thoughts:
I thought I needed to add the Function App permission: Storage Data Table Contributor.
Steps:
- In Azure Portal, navigate to the Function App that is observing the security issue
- Select Access Control (IAM) in Navigation pane
- Select Role Assignments tab on page
- Click Add button
- Attempt to enter "Storage Data Table Contributor"
Note that "Storage Data Table Contributor" is not found.
Conclusion:
In conclusion, I do not know how to resolve the security access exception for a Function App that does not appear to be authorized to access an Azure Storage Table.
References:
https://learn.microsoft.com/en-us/azure/storage/common/authorize-data-access
https://learn.microsoft.com/en-us/azure/storage/tables/authorize-access-azure-active-directory
答案1
得分: 1
以下是您需要执行的步骤:
- 为您的Azure函数创建一个系统分配的托管标识。
- 现在前往您的存储帐户,然后为您在步骤1中创建的托管标识分配“Storage Data Table Contributor”角色。
您可能会发现这个教程有帮助:https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-storage?tabs=azure-portal。
英文:
Here's what you would need to do:
- Create a system assigned managed identity for your Azure Function.
- Now go to your Storage account and then assign
Storage Data Table Contributor
role to the managed identity you created in step 1.
You may find this tutorial helpful: https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-storage?tabs=azure-portal.
答案2
得分: 0
在表存储上,您需要设置角色分配,而不是在函数上。
在函数上,您需要启用托管标识。这是您需要授予对表存储的访问权限的对象。
英文:
You need to set the role assignment on the Table storage, not on the Function.
On the Function you need to enable Managed Identity. That is the object you need to grant access to on the Table storage.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论