
Azure DevOps pipeline cannot copy to Azure storage

I've got a pipeline that builds web artefacts and attempts to copy them to my Azure Storage using the Azure File Copy task provided in the Azure Pipelines. I've been trying for the last 2 days to fix this 403 response, stating there is a permissions error.

  • I have a service connection for this pipeline.
  • The service connection application registration has user_impersonation for Azure Storage in API Permissions.
  • The service connection application registration has 'Storage Blob Data Contributor' & 'Storage Blob Data Owner' for the target Storage Account, the Resource Group and the Subscription.


Since the storage account uses a Firewall and has IP range whitelisting enabled according to your comment, you should add the agent's IP address to the whitelist.

  • If you're running your own build agent, it's pretty straightforward.
  • If you use a Microsoft-hosted agent to run your jobs and you need the information about what IP addresses are used, see Microsoft-hosted agents Agent IP ranges.

In some setups, you may need to know the range of IP addresses where agents are deployed. For instance, if you need to grant the hosted agents access through a firewall, you may wish to restrict that access by IP address. Because Azure DevOps uses the Azure global network, IP ranges vary over time. We publish a weekly JSON file listing IP ranges for Azure datacenters, broken out by region. This file is published every Wednesday with new planned IP ranges. The new IP ranges become effective the following Monday. We recommend that you check back frequently to ensure you keep an up-to-date list.

Since there is no API in the Azure Management Libraries for .NET to list the regions for a geography, you must list them manually.

EDIT:
There's a closed (: - but still active) GitHub issue here: AzureDevops don't considerate as 'Microsoft Services'

EDIT 2:

Your hosted agents run in the same Azure geography as your organization. Each geography contains one or more regions. While your agent may run in the same region as your organization, it is not guaranteed to do so. To obtain the complete list of possible IP ranges for your agent, you must use the IP ranges from all of the regions that are contained in your geography. For example, if your organization is located in the United States geography, you must use the IP ranges for all of the regions in that geography.

To determine your geography, navigate to https://dev.azure.com/<your_organization>/_settings/organizationOverview, get your region, and find the associated geography from the Azure geography table. Once you have identified your geography, use the IP ranges from the weekly file for all regions in that geography.
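The lookup described in the answer above, as an added example that is not part of the original post: it builds a storage-firewall allowlist from the weekly JSON file for a manually listed set of regions. It assumes the file's `values[].name` / `properties.addressPrefixes` layout, that agent ranges sit under the `AzureCloud.<region>` entries, and that the firewall takes IPv4 rules with /31 and /32 written as single addresses; the function names and sample data are constructed.

```python
import ipaddress
import json

# Constructed sample in the layout of the weekly Azure service-tags JSON file;
# the prefixes are documentation ranges, not real Azure ranges.
SAMPLE_SERVICE_TAGS = json.loads("""
{"values": [
  {"name": "AzureCloud.eastus", "properties": {"region": "eastus",
    "addressPrefixes": ["203.0.113.0/25", "203.0.113.128/25", "2001:db8:1::/48"]}},
  {"name": "AzureCloud.westus", "properties": {"region": "westus",
    "addressPrefixes": ["198.51.100.0/24", "192.0.2.7/32"]}},
  {"name": "AzureCloud.northeurope", "properties": {"region": "northeurope",
    "addressPrefixes": ["192.0.2.128/26"]}},
  {"name": "Storage.eastus", "properties": {"region": "eastus",
    "addressPrefixes": ["192.0.2.64/27"]}}
]}
""")


def geography_allowlist(service_tags, regions):
    """Return collapsed IPv4 networks of AzureCloud.<region> for every region given."""
    by_name = {v["name"].lower(): v for v in service_tags["values"]}
    networks = []
    for region in regions:
        tag = by_name.get(f"azurecloud.{region.lower()}")
        if tag is None:
            # Fail closed: a typo must not yield a partial allowlist.
            raise KeyError(f"no AzureCloud tag for region {region!r}")
        for prefix in tag["properties"]["addressPrefixes"]:
            net = ipaddress.ip_network(prefix, strict=False)
            if net.version == 4:  # assumption: the firewall rules are IPv4
                networks.append(net)
    return sorted(ipaddress.collapse_addresses(networks))


def to_firewall_entries(networks):
    """Render networks as rule strings, writing /31 and /32 as single addresses."""
    entries = []
    for net in networks:
        if net.prefixlen >= 31:
            entries.extend(str(ip) for ip in net)
        else:
            entries.append(str(net))
    return entries


if __name__ == "__main__":
    regions = ["eastus", "westus"]  # list every region of your geography here
    print("\n".join(to_firewall_entries(geography_allowlist(SAMPLE_SERVICE_TAGS, regions))))
```

Because the file changes weekly, regenerate the list on a schedule and review the diff rather than pasting the ranges once.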
