访问 azure 表时出现 403
[英]403 while access an azure table
问题描述
I'm trying to read and write over a newly created azure table, but I kept getting 403 errors.
我正在尝试读取和写入新创建的 azure 表,但我一直收到 403 错误。 I'm using the same account that I used to create the table.我使用的是用于创建表格的同一帐户。 I also added the account to the contributors group.我还将该帐户添加到贡献者组。 I've tested multiple scopes thinking does might be the issue, such as:我已经测试了多个范围,认为确实可能是问题所在,例如:
- https://storage.azure.com/user_impersonation https://storage.azure.com/user_impersonation
- https://storage.azure.com/.default https://storage.azure.com/.default
- https://osnapdbexamsonthecloud.table.core.windows.net/.default https://osnapdbexamsonthecloud.table.core.windows.net/.default
- https://osnapdbexamsonthecloud.table.core.windows.net/user_impersonation https://osnapdbexamsonthecloud.table.core.windows.net/user_impersonation
but always got the same error但总是得到同样的错误
Here is the requeset I'm sending:这是我发送的请求:
PUT https://osnapdbexamsonthecloud.table.core.windows.net/exams(PartitionKey='Osnap',RowKey='test')
Accept: application/json;odata=fullmetadata
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
authorization: Bearer CENSORED
Connection: keep-alive
Content-Length: 27
content-type: application/json
Host: osnapdbexamsonthecloud.table.core.windows.net
Origin: http://localhost:3000
Referer: http://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0
x-ms-version: 2019-02-02
{"id":"test","temp":"test"}
And this is the response I get with status code 403:这是我得到的状态码 403 的响应:
{"odata.error":{"code":"AuthorizationPermissionMismatch","message":{"lang":"en-US","value":"This request is not authorized to perform this operation using this permission.\nRequestId:b3310a10-b002-0026-5cf5-3364d8000000\nTime:2023-01-29T15:22:15.9056626Z"}}}
Do you have any idea what I'm doing wrong?你知道我做错了什么吗?
1 个解决方案
解决方案1
0 2023-01-30 06:28:21
I agree with @Gaurav Mantri , you need to assign Storage Table Data Contributor role to your Service Principal on that storage account.
I tried to reproduce the same in my environment and got the below results:我试图在我的环境中重现相同的内容并得到以下结果:
I have one storage account in which I created a table named exams like below:我有一个存储帐户,我在其中创建了一个名为exams的表,如下所示:
Now, I generated an access token via Postman with the below parameters:现在,我使用以下参数通过 Postman 生成了一个访问令牌:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id: <appID>
client_secret: <secret>
grant_type:client_credentials
scope: https://storage.azure.com/.default
Response:回复:
When I used the above token to perform the below operation, I got same error as you like this:当我使用上面的令牌执行以下操作时,我得到了和你一样的错误:
PUT https://sristorage30.table.core.windows.net/exams(PartitionKey='sri',RowKey='test')
Authorization: Bearer <token>
x-ms-version: 2019-02-02
{
"id":"test",
"temp":"test"
}
Response:回复:
To resolve the error, try assigning Storage Table Data Contributor role to your service principal that can be your user account or Azure AD application.要解决该错误,请尝试将Storage Table Data Contributor角色分配给您的服务主体,该主体可以是您的用户帐户或 Azure AD 应用程序。
In my case, I assigned that role to the service principal of App type like below:就我而言,我将该角色分配给App类型的服务主体,如下所示:
Go to Azure Portal -> Storage accounts -> Your storage account -> Access control (IAM) -> Add role assignment Go 到 Azure 传送门 -> 存储账户 -> 你的存储账户 -> 访问控制 (IAM) -> 添加角色分配
If you are performing the operation from your user account , assign that role to the service principal of User type like below:如果您从您的用户帐户执行操作,请将该角色分配给User类型的服务主体,如下所示:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.