AzureBlobStorage AuthorizationPermissionMismatch error when using a user-assigned managed identity in AKS with the Python SDK

Eva*_*han 1 azure-active-directory azure-cli azure-blob-storage azure-managed-identity azure-aks

I'm running a Python application in AKS (as a Job, but that doesn't matter) that uses the Azure Python SDK to access blob storage. I authenticate with a user-assigned managed identity, using ManagedIdentityCredential with the client_id kwarg (see https://learn.microsoft.com/en-us/python/api/azure-identity/azure.identity.managedidentitycredential?view=azure-python). It successfully queries the IMDS endpoint and obtains a token, but I still get the error. Does anyone know what setting I might be missing?

Documentation on user-assigned managed identities is sparse overall, particularly in relation to AKS and blob storage, and to this error.

Successful IMDS token acquisition:

2021-01-26 05:26:05,944 - azure.core.pipeline.policies.http_logging_policy - INFO - Request URL: 'http://REDACTED/metadata/identity/oauth2/token?api-version=REDACTED&resource=REDACTED&client_id=REDACTED'
2021-01-26 05:26:05,945 - azure.core.pipeline.policies.http_logging_policy - INFO - Request method: 'GET'
2021-01-26 05:26:05,945 - azure.core.pipeline.policies.http_logging_policy - INFO - Request headers:
2021-01-26 05:26:05,945 - azure.core.pipeline.policies.http_logging_policy - INFO -     'Metadata': 'REDACTED'
2021-01-26 05:26:05,945 - azure.core.pipeline.policies.http_logging_policy - INFO -     'User-Agent': 'azsdk-python-identity/1.5.0 Python/3.7.7 (Linux-4.15.0-1103-azure-x86_64-with-debian-9.12)'
2021-01-26 05:26:05,945 - azure.core.pipeline.policies.http_logging_policy - INFO - No body was attached to the request
2021-01-26 05:26:05,956 - azure.core.pipeline.policies.http_logging_policy - INFO - Response status: 200
2021-01-26 05:26:05,956 - azure.core.pipeline.policies.http_logging_policy - INFO - Response headers:
2021-01-26 05:26:05,956 - azure.core.pipeline.policies.http_logging_policy - INFO -     'Content-Type': 'application/json; charset=utf-8'
2021-01-26 05:26:05,956 - azure.core.pipeline.policies.http_logging_policy - INFO -     'Server': 'IMDS/150.870.65.486'
2021-01-26 05:26:05,956 - azure.core.pipeline.policies.http_logging_policy - INFO -     'Date': 'Tue, 26 Jan 2021 05:26:05 GMT'
2021-01-26 05:26:05,956 - azure.core.pipeline.policies.http_logging_policy - INFO -     'Content-Length': '1760'
2021-01-26 05:26:05,957 - azure.identity._internal.decorators - INFO - ManagedIdentityCredential.get_token succeeded
2021-01-26 05:26:05,957 - azure.identity._credentials.chained - INFO - ChainedTokenCredential acquired a token from ManagedIdentityCredential

The subsequent API call to blob.core.windows.net/.... fails with:

  File "/usr/local/lib/python3.7/site-packages/azure/storage/blob/_blob_client.py", line 685, in upload_blob
    return upload_block_blob(**options)
  File "/usr/local/lib/python3.7/site-packages/azure/storage/blob/_upload_helpers.py", line 157, in upload_block_blob
    process_storage_error(error)
  File "/usr/local/lib/python3.7/site-packages/azure/storage/blob/_shared/response_handlers.py", line 150, in process_storage_error
    error.raise_with_traceback()
  File "/usr/local/lib/python3.7/site-packages/azure/core/exceptions.py", line 218, in raise_with_traceback
    raise super(AzureError, self).with_traceback(self.exc_traceback)
  File "/usr/local/lib/python3.7/site-packages/azure/storage/blob/_upload_helpers.py", line 105, in upload_block_blob
    **kwargs)
  File "/usr/local/lib/python3.7/site-packages/azure/storage/blob/_generated/operations/_block_blob_operations.py", line 233, in upload
    raise HttpResponseError(response=response, model=error)
azure.core.exceptions.HttpResponseError: This request is not authorized to perform this operation using this permission.
RequestId:defcc13f-101e-006c-6aa3-f321cb000000
Time:2021-01-26T05:26:06.0112926Z
ErrorCode:AuthorizationPermissionMismatch
Error:None

The blob storage resource in question has a role assignment for the user-assigned managed identity as "Contributor" on "This resource".

Code:


Versions: azure-identity 1.5, Python 3.7.7

I'm not sure whether our AKS cluster has been granted a role on the user-assigned managed identity, and I'm not sure whether that matters or what else needs to be set up.

Thanks

Eva*_*han 8

It turns out the answer is that the "Storage Blob Data Contributor" and "Storage Queue Data Contributor" roles had to be assigned to fix the problem.
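The reason the accepted fix works: "Contributor" (and "Owner") are control-plane roles; they grant management actions on the storage account but no data actions, so an Azure AD token that carries only a Contributor assignment is authenticated (HTTP 200 from IMDS, as in the log above) yet rejected by the blob service with 403 AuthorizationPermissionMismatch. Blob and queue access over Azure AD needs the data-plane roles (Storage Blob Data Contributor/Reader/Owner, Storage Queue Data Contributor, and so on), assigned to the identity's principal (object) id at the account or container scope, for example with az role assignment create --assignee-object-id <principalId> --assignee-principal-type ServicePrincipal --role "Storage Blob Data Contributor" --scope <storage-account-resource-id>. The script below is an added example, not code from the original post or from the Azure SDK: it acquires a token for the named user-assigned identity, decodes the token's claims (without verifying the signature) to confirm it is really for the expected identity and for the Storage audience, attempts one upload, and translates the failure into the corrective action. The environment variable names, container name "uploads" and blob name "probe.txt" are this example's own choices, and the sample token used for offline checks is constructed with made-up ids.

```python
"""Added example, not code from the original post or the Azure SDK.

Goal: when a managed-identity token is issued but Storage answers
AuthorizationPermissionMismatch, separate "wrong identity / wrong audience"
from "right identity, missing data-plane role" before touching RBAC.
Assumed for this example: the environment variable names below, the container
name "uploads" and the blob name "probe.txt".
"""
import base64
import json
import os
import sys
from typing import Dict, Optional

STORAGE_AUDIENCE = "https://storage.azure.com"  # compared without trailing slash


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def inspect_token(access_token: str) -> Dict[str, Optional[str]]:
    """Read the JWT claims we need *without* verifying the signature.

    Only for comparing against the RBAC assignment, never for trusting the
    token: `aud` must be the Storage audience, `oid` is the principal id the
    role assignment must target, `appid` (v1) / `azp` (v2) is the UAMI client id.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    return {
        "aud": claims.get("aud"),
        "oid": claims.get("oid"),
        "appid": claims.get("appid") or claims.get("azp"),
        "tid": claims.get("tid"),
    }


def token_matches(claims: Dict[str, Optional[str]], expected_client_id: str) -> bool:
    """True when the token is for Storage and for the intended user-assigned identity."""
    aud = (claims.get("aud") or "").rstrip("/")
    return aud == STORAGE_AUDIENCE and claims.get("appid") == expected_client_id


def explain_storage_error(error_code, status_code: Optional[int]) -> str:
    """Map a Storage error to the action a practitioner should take."""
    code = getattr(error_code, "value", error_code)  # StorageErrorCode enum or plain str
    if code == "AuthorizationPermissionMismatch":
        return ("authenticated but not authorised: assign a data-plane role (Storage Blob "
                "Data Contributor, or Storage Blob Data Reader for read-only) to the token's "
                "oid at the account or container scope; Owner/Contributor are control-plane "
                "roles and do not grant blob data access")
    if code == "AuthenticationFailed" or status_code == 401:
        return "token rejected: wrong audience/tenant, or the identity is not the one you think"
    return "other error: code={} status={}".format(code, status_code)


def upload_probe(account_url: str, client_id: str, container: str,
                 blob_name: str, data: bytes) -> str:
    """Acquire a token for the named UAMI, sanity-check it, then try one upload.

    The SDK imports are local so the pure helpers above also work without them.
    """
    from azure.core.exceptions import HttpResponseError
    from azure.identity import ManagedIdentityCredential
    from azure.storage.blob import BlobServiceClient

    credential = ManagedIdentityCredential(client_id=client_id)
    token = credential.get_token("https://storage.azure.com/.default").token
    claims = inspect_token(token)
    if not token_matches(claims, client_id):
        raise RuntimeError("token claims {} do not match the expected identity".format(claims))
    # The RBAC assignment must target this oid (principal id), not the client id.
    print("token oid={oid} appid={appid} tid={tid}".format(**claims), file=sys.stderr)

    service = BlobServiceClient(account_url=account_url, credential=credential)
    blob = service.get_blob_client(container=container, blob=blob_name)
    try:
        blob.upload_blob(data, overwrite=True)
    except HttpResponseError as exc:
        return explain_storage_error(exc.error_code, exc.status_code)
    return "ok"


# Constructed, unsigned sample token with made-up ids, only for offline checks.
SAMPLE_CLAIMS = {
    "aud": "https://storage.azure.com/",
    "oid": "11111111-2222-3333-4444-555555555555",
    "appid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "tid": "99999999-8888-7777-6666-555555555555",
}
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    "",  # no signature on the constructed sample
])


if __name__ == "__main__":
    # Real run inside the AKS pod; the variable names are this example's choice.
    print(upload_probe(
        account_url=os.environ["STORAGE_ACCOUNT_URL"],  # https://<account>.blob.core.windows.net
        client_id=os.environ["AZURE_CLIENT_ID"],        # the UAMI's client id
        container="uploads",
        blob_name="probe.txt",
        data=b"probe",
    ))
```

The oid printed by the probe is the value to pass as --assignee-object-id; after adding the data-plane assignment, expect a delay of a few minutes before the new role is honoured, and note that a token already cached by the credential does not need to be refreshed, since RBAC is evaluated by the storage service at request time, not encoded in the token.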
