When I issue the following command:
az storage entity query --account-name acc1 --table-name table1
I successfully get the query results, along with this warning:
There are no credentials provided in your command and environment, we will query for account key for your storage account.
It is recommended to provide --connection-string, --account-key or --sas-token in your command as credentials.
You also can add `--auth-mode login` in your command to use Azure Active Directory (Azure AD) for authorization if your login account is assigned required RBAC roles.
For more information about RBAC roles in storage, visit https://docs.microsoft.com/azure/storage/common/storage-auth-aad-rbac-cli.
In addition, setting the corresponding environment variables can avoid inputting credentials in your command. Please use --help to get more information about environment variable usage.
To avoid the warning above, I added --auth-mode login to the command:
az storage entity query --account-name acc1 --table-name table1 --auth-mode login
Then I get this error:
You do not have the required permissions needed to perform this operation.
Depending on your operation, you may need to be assigned one of the following roles:
"Storage Blob Data Owner"
"Storage Blob Data Contributor"
"Storage Blob Data Reader"
"Storage Queue Data Contributor"
"Storage Queue Data Reader"
"Storage Table Data Contributor"
"Storage Table Data Reader"
If you want to use the old authentication method and allow querying for the right account key, please use the "--auth-mode" parameter and "key" value.
My account can get the query results without the --auth-mode login switch. Why does it fail authorization with the switch?
When you do not specify an authentication type, it tries to fetch the storage account's access key: this requires the Microsoft.Storage/storageAccounts/listkeys/action permission. If you have the Contributor role on the storage account, you have the required permission.
--auth-mode login means it will use AAD authentication to connect to the storage. You can access the storage using the built-in roles (see the documentation):
- Storage Table Data Contributor
- Storage Table Data Reader
When using AAD auth, you can also disable access key authentication.
There is a good article about the RBAC management and data plane model: Assign an Azure role for access to blob data.
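The following script is an added example, not part of the original question or answer. It walks through the distinction the answer draws: a control-plane role such as Contributor carries listkeys/action (so key-based auth works) but no Table data actions, so `--auth-mode login` needs a data-plane role assigned at the storage account scope. It assumes the Azure CLI is installed and logged in; the subscription, resource group, account and table names (sub1, rg1, acc1, table1) are placeholders, and `RUN_AZ=1` is an assumed opt-in switch so the helpers can be sourced and checked without calling `az`.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Assumes `az` is installed and
# `az login` has been run. Placeholders: rg1, acc1, table1.
set -euo pipefail

# Build the ARM resource ID used as the role-assignment scope for one storage
# account. Assigning the data role here, not at subscription level, keeps the
# grant as narrow as possible.
storage_scope() {
  local sub="$1" rg="$2" acc="$3"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' \
    "$sub" "$rg" "$acc"
}

# Read role names from stdin (one per line, as `az role assignment list
# --query '[].roleDefinitionName' -o tsv` prints them) and succeed only if one
# of them is a Table data-plane role. Owner and Contributor deliberately do not
# count: they grant listkeys/action (control plane), which is why the keyed
# path in the question works, but no Table data actions for AAD auth.
has_table_data_role() {
  grep -qxE 'Storage Table Data (Reader|Contributor)'
}

# Grant the least-privileged role that lets `az storage entity query` succeed
# with --auth-mode login. Use Storage Table Data Contributor only if writes are needed.
grant_table_reader() {
  local assignee="$1" scope="$2"
  az role assignment create --assignee "$assignee" \
    --role "Storage Table Data Reader" --scope "$scope" --only-show-errors >/dev/null
}

# Query with AAD (OAuth bearer token) instead of fetching the account key.
query_with_aad() {
  local acc="$1" table="$2"
  az storage entity query --account-name "$acc" --table-name "$table" --auth-mode login
}

main() {
  local sub rg acc table me scope
  sub="$(az account show --query id -o tsv)"
  rg="rg1"; acc="acc1"; table="table1"          # placeholders
  me="$(az ad signed-in-user show --query id -o tsv)"
  scope="$(storage_scope "$sub" "$rg" "$acc")"

  # Role assignments inherited from resource group or subscription are listed
  # too, so a data role granted higher up is honoured.
  if ! az role assignment list --assignee "$me" --scope "$scope" \
        --query '[].roleDefinitionName' -o tsv | has_table_data_role; then
    echo "No Table data-plane role on $scope; assigning Storage Table Data Reader" >&2
    grant_table_reader "$me" "$scope"
  fi
  query_with_aad "$acc" "$table"
}

# Opt-in so the file can be sourced for its helpers without touching Azure.
if [ "${RUN_AZ:-0}" = "1" ]; then
  main "$@"
fi
```

Run it as `RUN_AZ=1 bash query_table_aad.sh`. Note that a freshly created role assignment can take a short while to propagate, so the first `--auth-mode login` query immediately after the grant may still return the permissions error from the question; rerunning after a minute normally succeeds.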