I want to trigger an action when certain files are added to blob storage.
I created an identity in the Logic App and created a Storage Contributor role for that identity.
I have created a system-assigned managed identity in the Logic App, and I have also assigned the Storage Contributor role to this identity.
It throws an error.
{
  "statusCode": 403,
  "headers": {
    "Cache-Control": "no-store, no-cache",
    "Pragma": "no-cache",
    "Set-Cookie": "ARRAffinity=3918252a89b1afdb8c3dc464535f8a9dbabe6782d2c64ae7d28576826f1f4c2f;Path=/;HttpOnly;Secure;Domain=azureblob-wus.azconn-wus-001.p.azurewebsites.net,ARRAffinitySameSite=3918252a89b1afdb8c3dc464535f8a9dbabe6782d2c64ae7d28576826f1f4c2f;Path=/;HttpOnly;SameSite=None;Secure;Domain=azureblob-wus.azconn-wus-001.p.azurewebsites.net",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "x-ms-request-id": "2aced241-f6fc-4048-bb0f-9308f689cef8",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "x-ms-connection-parameter-set-name": "managedIdentityAuth",
    "Timing-Allow-Origin": "*",
    "x-ms-apihub-cached-response": "false",
    "x-ms-apihub-obo": "false",
    "Date": "Thu, 22 Feb 2024 19:16:56 GMT",
    "Content-Length": "358",
    "Content-Type": "application/json",
    "Expires": "-1"
  },
  "body": {
    "status": 403,
    "message": "This request is not authorized to perform this operation using this permission.\r\nclientRequestId: 2aced241-f6fc-4048-bb0f-9308f689cef8",
    "error": {
      "message": "This request is not authorized to perform this operation using this permission."
    },
    "source": "azureblob-wus.azconn-wus-001.p.azurewebsites.net"
  }
}
My storage account has "Enabled from all networks" under Networking.
Both resources were created in the same resource group.
What type of Logic App does this happen in? Consumption (Portal)
Workflow JSON
{
  "definition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "actions": {
      "Send_an_email_(V2)": {
        "inputs": {
          "body": {
            "Body": "<p>New loan Files are ready to be processed <br>\n<br>\n@{triggerBody()}</p>",
            "Importance": "Normal",
            "Subject": "New loan Files are ready to be processed ",
            "To": "[email protected]"
          },
          "host": {
            "connection": {
              "name": "@parameters('$connections')['office365']['connectionId']"
            }
          },
          "method": "post",
          "path": "/v2/Mail"
        },
        "runAfter": {},
        "type": "ApiConnection"
      }
    },
    "contentVersion": "1.0.0.0",
    "outputs": {},
    "parameters": {
      "$connections": {
        "defaultValue": {},
        "type": "Object"
      }
    },
    "triggers": {
      "When_a_blob_is_added_or_modified_(properties_only)_(V2)": {
        "evaluatedRecurrence": {
          "frequency": "Minute",
          "interval": 1
        },
        "inputs": {
          "host": {
            "connection": {
              "name": "@parameters('$connections')['azureblob']['connectionId']"
            }
          },
          "method": "get",
          "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('sbjifitistorageaccount'))}/triggers/batch/onupdatedfile",
          "queries": {
            "checkBothCreatedAndModifiedDateTime": false,
            "folderId": "JTJmc2ItamlmaXRpLXVucHJvY2Vzc2Vk",
            "maxFileCount": 10
          }
        },
        "metadata": {
          "JTJmc2ItamlmaXRpLXVucHJvY2Vzc2Vk": "/sb-jifiti-unprocessed"
        },
        "recurrence": {
          "frequency": "Minute",
          "interval": 1
        },
        "splitOn": "@triggerBody()",
        "type": "ApiConnection"
      }
    }
  },
  "parameters": {
    "$connections": {
      "value": {
        "azureblob": {
          "connectionId": "/subscriptions/f6e99bee-de48-4a97-ba21-cedc66858b03/resourceGroups/Jifiti-Trustage-RG/providers/Microsoft.Web/connections/azureblob-3",
          "connectionName": "azureblob-3",
          "connectionProperties": {
            "authentication": {
              "type": "ManagedServiceIdentity"
            }
          },
          "id": "/subscriptions/f6e99bee-de48-4a97-ba21-cedc66858b03/providers/Microsoft.Web/locations/westus/managedApis/azureblob"
        },
        "office365": {
          "connectionId": "/subscriptions/f6e99bee-de48-4a97-ba21-cedc66858b03/resourceGroups/Jifiti-Trustage-RG/providers/Microsoft.Web/connections/office365-1",
          "connectionName": "office365-1",
          "id": "/subscriptions/f6e99bee-de48-4a97-ba21-cedc66858b03/providers/Microsoft.Web/locations/westus/managedApis/office365"
        }
      }
    }
  }
}
Browser: Chrome

The error message you are encountering indicates that the request is not authorized to perform the operation with the permissions provided. This typically happens when access permissions are misconfigured or when the Logic App is not authenticating correctly to access Blob Storage. Here are some steps you can take to troubleshoot and resolve the issue:

1. Verify the managed identity configuration: Double-check that the system-assigned managed identity in the Logic App is configured correctly and has been assigned the necessary permissions. Make sure the managed identity has been granted the Storage Blob Data Contributor role, or a custom role that includes the permissions required to access Blob Storage.

2. Check storage account access: Verify that the managed identity has been granted access to the Blob Storage account being monitored for file additions. Make sure the correct storage account name and resource group are specified in the Logic App's configuration.

3. Review the Logic App configuration: Double-check the Logic App's configuration to make sure it is correctly set up to trigger when files are added to Blob Storage. Verify that the connection to Blob Storage is configured with the managed identity authentication method.

4. Test access permissions: Use a tool such as Azure Storage Explorer or the Azure CLI to verify that the managed identity can access Blob Storage and perform the necessary operations (for example, listing containers, reading files). If the managed identity runs into permission issues, check the Azure RBAC roles assigned to it.

5. Check Azure AD authentication: Make sure the Logic App is configured to use the correct Azure AD authentication method (for example, managed identity) and that the authentication token is generated correctly and used to access Blob Storage.

6. Review Azure Monitor logs: Check the Azure Monitor logs for any additional information or error messages that may provide insight into why the authorization failed. Look for any audit or diagnostic logs related to the Logic App or Blob Storage that may help identify the root cause of the problem.

By carefully checking and verifying the managed identity configuration, storage account access, Logic App configuration, and authentication mechanism, you should be able to troubleshoot and resolve the authorization issue. If the problem persists, consider contacting Azure Support for further assistance.
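The answer's first and fourth steps (check which RBAC roles actually reach the container, and do so with a tool rather than by eye) can be scripted. The following is an added example, not code from the original post or from Microsoft: it takes role assignments in the shape returned by `az role assignment list --assignee <principalId> -o json` (here constructed inline, with a placeholder subscription id) and reports whether the identity holds a data-plane blob role at a scope that covers the polled container, which is the distinction between the Storage Contributor role in the question and the Storage Blob Data Contributor role the answer asks for.

```python
"""Added example (not from the original post): decide from a principal's RBAC
assignments whether it can read blobs in the container the Logic App trigger
polls.  Assignment dicts mimic `az role assignment list --assignee <id> -o json`
output; the subscription id is a placeholder; role names are Azure built-ins."""

# Built-in roles whose DataActions cover blob read/list on the data plane.
BLOB_DATA_ROLES = {"Storage Blob Data Owner", "Storage Blob Data Contributor",
                   "Storage Blob Data Reader"}
# Control-plane roles that manage the account but carry no blob DataActions,
# so an OAuth (managed identity) data-plane call still gets 403.
CONTROL_PLANE_ONLY = {"Owner", "Contributor", "Storage Account Contributor"}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder
ACCOUNT = (SUB + "/resourceGroups/Jifiti-Trustage-RG/providers/"
           "Microsoft.Storage/storageAccounts/sbjifitistorageaccount")
CONTAINER = ACCOUNT + "/blobServices/default/containers/sb-jifiti-unprocessed"
# Constructed sample: the situation in the question (Storage Contributor only).
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Storage Account Contributor", "scope": ACCOUNT},
]


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """True when the assignment scope is the resource or one of its ancestors
    in the ARM id hierarchy (subscription > RG > account > container)."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def applicable_roles(assignments, resource_id, role_set):
    """Names of roles from role_set whose assignments reach resource_id."""
    return {ra["roleDefinitionName"] for ra in assignments
            if ra["roleDefinitionName"] in role_set
            and scope_covers(ra["scope"], resource_id)}


def diagnose(assignments, resource_id=CONTAINER) -> str:
    """Predict the outcome of a blob list/read by this principal."""
    data = applicable_roles(assignments, resource_id, BLOB_DATA_ROLES)
    if data:
        return "ok: data-plane access via " + ", ".join(sorted(data))
    ctrl = applicable_roles(assignments, resource_id, CONTROL_PLANE_ONLY)
    if ctrl:
        return ("403 expected: only control-plane roles apply ("
                + ", ".join(sorted(ctrl)) + "); add Storage Blob Data "
                "Contributor or Reader at account or container scope")
    return "403 expected: no role assignment applies to this resource"
```

Running `diagnose(SAMPLE_ASSIGNMENTS)` reproduces the 403 from the question; adding a Storage Blob Data Contributor assignment at account (or resource group) scope flips the verdict to ok.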