azure - Inconsistent authorization warnings and errors when using az storage entity query

Tags: azure azure-table-storage azure-cli azure-storage-account azure-rbac

When I issue the following command:

az storage entity query --account-name acc1 --table-name table1

I get the query result successfully, but with the following warning:

There are no credentials provided in your command and environment, we will query for account key for your storage account.
It is recommended to provide --connection-string, --account-key or --sas-token in your command as credentials.

You also can add `--auth-mode login` in your command to use Azure Active Directory (Azure AD) for authorization if your login account is assigned required RBAC roles.
For more information about RBAC roles in storage, visit https://docs.microsoft.com/azure/storage/common/storage-auth-aad-rbac-cli.

In addition, setting the corresponding environment variables can avoid inputting credentials in your command. Please use --help to get more information about environment variable usage.

To avoid the warning above, I added --auth-mode login to the command:

az storage entity query --account-name acc1 --table-name table1 --auth-mode login

Then I get this error:

You do not have the required permissions needed to perform this operation.
Depending on your operation, you may need to be assigned one of the following roles:
    "Storage Blob Data Owner"
    "Storage Blob Data Contributor"
    "Storage Blob Data Reader"
    "Storage Queue Data Contributor"
    "Storage Queue Data Reader"
    "Storage Table Data Contributor"
    "Storage Table Data Reader"

If you want to use the old authentication method and allow querying for the right account key, please use the "--auth-mode" parameter and "key" value.

My account can get the query result without the --auth-mode login switch. Why does authorization fail with the switch?

Best Answer

When you do not specify an auth type, the CLI tries to fetch the storage account's access key: this requires the Microsoft.Storage/storageAccounts/listkeys/action permission. If you have the Contributor role on the storage account, you have the required permission.

--auth-mode login means it will use AAD authentication to connect to storage. You can use the built-in roles to access storage (see the documentation):

  • Storage Table Data Contributor
  • Storage Table Data Reader

When using AAD auth, you can also disable access key authentication.

There is a good article on the RBAC management-plane and data-plane model: Assign an Azure role for access to blob data.
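The two authorization paths the answer describes, as an added shell example that is not part of the original question or answer: "key" mode depends on the control-plane permission Microsoft.Storage/storageAccounts/listkeys/action (which the Contributor role carries), while "login" mode depends on a data-plane role such as Storage Table Data Reader. The functions wrap the corresponding Azure CLI commands, assign the least-privilege role at storage-account scope, run the query from the question with --auth-mode login, and finally turn off shared-key access so the account key stops being a second way in. The account name acc1, resource group rg1, table table1 and the all-zero principal object id are placeholders; setting AZ=echo prints the commands instead of running them.

```shell
# Added example (not from the original post): the two authorization paths the
# answer describes, wrapped as shell functions around the Azure CLI.
#  - "key" mode needs Microsoft.Storage/storageAccounts/listkeys/action on the
#    account (control plane; the Contributor role carries it).
#  - "login" mode needs a data-plane role such as Storage Table Data Reader.
# Assumptions: account name, resource group, table name and principal object id
# are placeholders; set AZ=echo to print the commands instead of running them.

# Resource id of the storage account, used as the role-assignment scope.
account_scope() {        # args: account resource-group
    ${AZ:-az} storage account show --name "$1" --resource-group "$2" --query id -o tsv
}

# Role assignments the principal holds at the given scope. Seeing Contributor
# here explains why the un-flagged command worked: it can list the account keys.
show_assignments() {     # args: principal-object-id scope
    ${AZ:-az} role assignment list --assignee "$1" --scope "$2" \
        --query "[].roleDefinitionName" -o tsv
}

# Grant the read-only data-plane role for table queries, scoped to the single
# storage account rather than the resource group or subscription.
grant_table_reader() {   # args: principal-object-id account resource-group
    scope=$(account_scope "$2" "$3")
    ${AZ:-az} role assignment create --assignee "$1" \
        --role "Storage Table Data Reader" --scope "$scope"
}

# The query from the question, authorized through Azure AD.
query_with_login() {     # args: account table
    ${AZ:-az} storage entity query --account-name "$1" --table-name "$2" --auth-mode login
}

# Explicit key mode, the fallback the error message points to.
query_with_key() {       # args: account table
    ${AZ:-az} storage entity query --account-name "$1" --table-name "$2" --auth-mode key
}

# Once every client authenticates with AAD, disable shared-key (access key)
# authentication so holding the key no longer grants data access at all.
disable_shared_key() {   # args: account resource-group
    ${AZ:-az} storage account update --name "$1" --resource-group "$2" \
        --allow-shared-key-access false
}

# End to end: assign the role, query with login, then lock out key auth.
harden_table_access() {  # args: principal-object-id account resource-group table
    grant_table_reader "$1" "$2" "$3"
    query_with_login "$2" "$4"
    disable_shared_key "$2" "$3"
}

# Runs only when asked, e.g.
#   RUN_EXAMPLE=1 sh harden.sh            (replace the placeholders first)
#   AZ=echo RUN_EXAMPLE=1 sh harden.sh    (dry run, prints the az commands)
if [ -n "${RUN_EXAMPLE:-}" ]; then
    harden_table_access "00000000-0000-0000-0000-000000000000" acc1 rg1 table1
fi
```

A new role assignment can take a few minutes to propagate, so the login-mode query may still report the "required permissions" error immediately after grant_table_reader returns; disable_shared_key should be run last, after confirming that no script or application still relies on the account key.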

Regarding "azure - Inconsistent authorization warnings and errors when using az storage entity query", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/74075195/
