
Connecting to Data Lake Gen 2 from Azure Function using Service Principal is throwing AuthorizationPermissionMismatch error

I am trying to connect to a Data Lake Gen 2 account from an Azure Function (using a Service Bus topic trigger) with a service principal that was created for accessing Data Lake Gen 2. This service principal works fine with services such as Z3A580F142203673F58. But when I try to connect from the Azure Function using the same service principal, it throws an AuthorizationPermissionMismatch error.

Only a service principal or a managed identity is allowed to access the data lake from the Azure Function.

I am following the code from the Microsoft documentation page below:

https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-directory-file-acl-dotnet#connect-by-using-azure-active-directory-azure-ad

I used the Python example below as a reference, because I could not find an end-to-end C# example:

https://docs.microsoft.com/en-us/azure/developer/python/tutorial-deploy-serverless-cloud-etl-05

The function code is as follows:

using System;
using System.Threading.Tasks;
using System.Collections.Generic;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Host;
using Microsoft.Extensions.Logging;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Azure.Storage.Files.DataLake;
using Azure.Storage.Files.DataLake.Models;

namespace FunctionApp1
{
    public class Function1
    {
        [FunctionName("Function1")]
        public async Task RunAsync(
            [ServiceBusTrigger("service_bus_name", "subscription_name", Connection = "shared_access_key_connection_name")] string mySbMsg,
            ILogger log)
        {
            // Service principal and account settings (values omitted in the question)
            string accountName = "";
            string clientID = "";
            string clientSecret = "";
            string tenantID = "";
            var credential = new ClientSecretCredential(
                tenantID, clientID, clientSecret, new TokenCredentialOptions());
            string dfsUri = "https://" + accountName + ".dfs.core.windows.net";

            DataLakeServiceClient dataLakeServiceClient = new DataLakeServiceClient(new Uri(dfsUri), credential);
            string adls_fsys_name = "";
            DataLakeFileSystemClient fileSystemClient = dataLakeServiceClient.GetFileSystemClient(adls_fsys_name);
            await ListFilesInDirectory(fileSystemClient);
            log.LogInformation($"C# ServiceBus topic trigger function processed message: {mySbMsg}");
        }

        public async Task ListFilesInDirectory(DataLakeFileSystemClient fileSystemClient)
        {
            string adls_dir_name = "";
            // GetPathsAsync returns an AsyncPageable<PathItem>; iterating it with
            // await foreach also handles an empty directory correctly (the manual
            // MoveNextAsync/Current loop read Current before checking the result).
            await foreach (PathItem item in fileSystemClient.GetPathsAsync(adls_dir_name))
            {
                Console.WriteLine(item.Name);
            }
        }
    }
}

The error I get is:

2022-09-08T15:27:19.792 [Error] Executed 'Function1' (Failed, Id=c8d7cc56-f8df-4d51-b9ff-254dbe9d39b6, Duration=1166ms)
This request is not authorized to perform this operation using this permission.
RequestId:2b1dba4b-501f-00b8-2f97-c3d425000000
Time:2022-09-08T15:27:19.7122855Z
Status: 403 (This request is not authorized to perform this operation using this permission.)
ErrorCode: AuthorizationPermissionMismatch
Content:
{"error":{"code":"AuthorizationPermissionMismatch","message":"This request is not authorized to perform this operation using this permission.\nRequestId:2b1dba4b-501f-00b8-2f97-c3d425000000\nTime:2022-09-08T15:27:19.7122855Z"}}
Headers:
Server: Windows-Azure-HDFS/1.0,Microsoft-HTTPAPI/2.0
x-ms-error-code: AuthorizationPermissionMismatch
x-ms-request-id: 2b1dba4b-501f-00b8-2f97-c3d425000000
x-ms-version: 2021-08-06
x-ms-client-request-id: 7bfa87f0-16ab-44e3-b4b3-84a62b1222c8
Date: Thu, 08 Sep 2022 15:27:19 GMT
Content-Length: 227
Content-Type: application/json; charset=utf-8

For the above 403 error, you may not have granted the Azure Function the appropriate permission, and you may not have assigned a role on the Storage Data Lake Gen 2 account.

For service principal authentication, you need to assign a role on the storage account:

  • Storage Blob Data Contributor - write permission
  • Storage Blob Data Reader - read permission

Azure portal -> Storage account -> Access control (IAM) -> Add role assignment -> Storage Blob Contributor role.

Check the firewall settings of the storage account:

Under Networking, if you use public access, enable "All networks"; or, if "Selected networks" is enabled, add the virtual network.

Reference: Copy and transform data in Azure Data Lake Storage Gen2 - Azure Data Factory and Azure (Microsoft Docs)
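The same role assignment done with the Azure CLI instead of the portal, as an added example that is not part of the question or the answer: it picks the least-privileged data-plane role for the access the Function needs, scopes it to the one file system rather than the whole account, lists what the principal ends up holding, and shows the network rules the answer says to check. Subscription, resource group, account, file system and app-id values are placeholders.

```shell
#!/usr/bin/env sh
# Added example: grant the Function's service principal a data-plane role on
# one ADLS Gen2 file system and verify it. All values below are placeholders.
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-placeholder}"
ACCOUNT="${ACCOUNT:-stplaceholder}"
FILESYSTEM="${FILESYSTEM:-adls_fsys_name}"
APP_ID="${APP_ID:-00000000-0000-0000-0000-000000000000}"      # service principal appId
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-11111111-1111-1111-1111-111111111111}"

# Map the access the Function really needs to the least-privileged data-plane
# role. Owner/Contributor are control-plane roles and do not authorize blob or
# DFS data operations, which is a common cause of 403 AuthorizationPermissionMismatch.
role_for_access() {
    case "$1" in
        read)  echo "Storage Blob Data Reader" ;;
        write) echo "Storage Blob Data Contributor" ;;
        *)     echo "unknown access level: $1" >&2; return 1 ;;
    esac
}

# Scope the assignment to a single file system (container), not the account.
container_scope() {
    echo "/subscriptions/$1/resourceGroups/$2/providers/Microsoft.Storage/storageAccounts/$3/blobServices/default/containers/$4"
}

assign_role() {
    role=$(role_for_access "$1") || return 1
    scope=$(container_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$ACCOUNT" "$FILESYSTEM")
    az role assignment create --assignee "$APP_ID" --role "$role" --scope "$scope" -o none
    # Show what the principal holds at or above that scope; a new assignment can
    # take a few minutes to propagate before the data plane honours it.
    az role assignment list --assignee "$APP_ID" --scope "$scope" --include-inherited \
        --query "[].{role:roleDefinitionName, scope:scope}" -o table
}

# With defaultAction Deny and no matching rule, the Function's traffic is
# rejected before RBAC is evaluated, so check the network rules as well.
show_network_rules() {
    az storage account show -g "$RESOURCE_GROUP" -n "$ACCOUNT" \
        --query "networkRuleSet.{defaultAction:defaultAction, vnets:virtualNetworkRules[].virtualNetworkResourceId}" -o json
}

# Only touch Azure when explicitly asked, e.g.: sh grant.sh --apply read
if [ "${1:-}" = "--apply" ]; then
    assign_role "${2:-read}" && show_network_rules
fi
```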
