
Active Directory access Azure Storage from browser

I want to use Azure Active Directory to allow users to read and write to Azure storage (specifically all Blobs and Tables) from a single-page web app.

I started like this:

import { InteractiveBrowserCredential } from '@azure/identity';
import { TableClient, TableServiceClient } from '@azure/data-tables';

const credentials = new InteractiveBrowserCredential({
  clientId: myAuthConfig.clientId,
  tenantId: myAuthConfig.tenantId,
});

const client = new TableServiceClient(
  `https://${myAuthConfig.storageAccountName}.table.core.windows.net`,
  credentials
);
client.listTables().byPage().next().then(console.log);

This works totally fine! I can see all the tables on the account. But then I wanted to list some of the data in one of the tables. So I did:

const client = new TableClient(
  `https://${myAuthConfig.storageAccountName}.table.core.windows.net`,
  '<table name>',
  credentials
);
client.listEntities().byPage().next().then(console.log);

But this gives an error:

{
  "odata.error": {
    "code":"AuthorizationPermissionMismatch",
    "message": {
      "lang":"en-US",
      "value":"This request is not authorized to perform this operation using this permission.\nRequestId:<uuid>\nTime:2021-10-28T18:04:00.0737419Z"
    }
  }
}

I'm very confused by this error. As far as I can tell I've done everything right. I followed every tutorial. I've set up active directory permissions for my app to use the storage API, my Microsoft account has permission to access the tables, CORS is enabled, etc.


I'm not sure why I would have access to see a table but not see what's in it. I tried to use InteractiveBrowserCredential.authenticate to explicitly set scopes like this:

const scopes = ["User.Read"]

credentials.authenticate(scopes).then(console.log);

It works fine for User.Read but I couldn't figure out what scopes corresponded to Storage read/write access. If I added a scope like "Microsoft.Storage" it told me that it didn't exist.

Has anyone got an error like this before? What am I supposed to do here?

Thank you @gaurav mantri. Posting your suggestion from the comments as an answer.

From the error it looks like your service principal does not have access permission to your table storage data. You should either grant permission using an RBAC role on the storage account resource (add to storage account contributors or readers) as below, or use Storage Explorer to grant permission.

In your storage account, please check if you have the Storage Table Data Contributor / Storage Table Data Reader roles assigned, as commented by @gaurav mantri.


If not, you can add them: go into your storage account > IAM > Add role assignment, and add the special permissions.


If roles are already assigned, the issue might be due to the storage account being protected by a firewall. Please try configuring Firewall and virtual networks of your storage account to add an existing virtual network or create a new vnet. If there is no issue you may allow access from all networks.

References:

  1. Authorize access to tables using Active Directory - Azure Storage | Microsoft Docs
  2. Assign an Azure role for access to table data using PowerShell - Azure Storage | Microsoft Docs
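As an added example (not code from the question or the answer above), the following parses the AuthorizationPermissionMismatch body shown in the question and maps it to the least-privilege data-plane role and the role-assignment command that grants it at storage-account scope. The subscription, resource group, account and principal ids are hypothetical placeholders, and the principal is assumed to be a user (as in the question).

```javascript
// Added example: turn the Table service error above into an RBAC remediation.
// Ids used by callers are hypothetical placeholders, not values from the page.

// Data-plane roles for Azure Table storage; grant the narrower one when only reads are needed.
const TABLE_ROLES = {
  read: 'Storage Table Data Reader',
  write: 'Storage Table Data Contributor',
};

// Constructed copy of the OData error body from the question (request id is a placeholder).
const SAMPLE_ERROR = JSON.stringify({
  'odata.error': {
    code: 'AuthorizationPermissionMismatch',
    message: {
      lang: 'en-US',
      value: 'This request is not authorized to perform this operation using this permission.' +
        '\nRequestId:<uuid>\nTime:2021-10-28T18:04:00.0737419Z',
    },
  },
});

// Extract the error code and request id (useful when raising a support case) from the body.
function parseTableError(body) {
  const parsed = typeof body === 'string' ? JSON.parse(body) : body;
  const err = parsed && parsed['odata.error'];
  if (!err) return null;
  const value = (err.message && err.message.value) || '';
  const m = value.match(/RequestId:([^\n]+)/);
  return { code: err.code, requestId: m ? m[1] : null };
}

// ARM resource id of the storage account: the scope at which the data-plane role is assigned.
function storageAccountScope(subscriptionId, resourceGroup, accountName) {
  return `/subscriptions/${subscriptionId}/resourceGroups/${resourceGroup}` +
    `/providers/Microsoft.Storage/storageAccounts/${accountName}`;
}

// For an AuthorizationPermissionMismatch, recommend the role for the intended operation
// ('read' or 'write') and the Azure CLI command that assigns it at account scope.
function recommendFix(body, opKind, target) {
  const info = parseTableError(body);
  if (!info || info.code !== 'AuthorizationPermissionMismatch') return null;
  const role = TABLE_ROLES[opKind];
  if (!role) throw new Error(`unknown operation kind: ${opKind}`);
  const scope = storageAccountScope(target.subscriptionId, target.resourceGroup, target.accountName);
  const command = `az role assignment create --assignee-object-id ${target.principalObjectId} ` +
    `--assignee-principal-type User --role "${role}" --scope "${scope}"`;
  return { role, scope, requestId: info.requestId, command };
}
```

Any other error code (for example a firewall-related denial) returns null, so it is not mistaken for a missing role assignment.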

