Azure Blob Storage "Authorization Permission Mismatch" error for get request with AD token


Problem description

I am building an Angular 6 application that will be able to make CRUD operations on Azure Blob Storage. I'm however using Postman to test requests before implementing them inside the app and copy-pasting the token that I get from Angular for that resource.

When trying to read a file that I have inside the storage for test purposes, I'm getting: <Code>AuthorizationPermissionMismatch</Code> <Message>This request is not authorized to perform this operation using this permission.

  • All in production environment (although developing)
  • Token acquired specifically for storage resource via OAuth
  • Postman has the token strategy as "bearer"
  • Application has "Azure Storage" delegated permissions granted.
  • Both the app and the account I'm acquiring the token with are added as "owners" in Azure access control IAM
  • My IP is added to CORS settings on the blob storage.
  • StorageV2 (general purpose v2) - Standard - Hot
  • x-ms-version header used is: 2018-03-28 because that's the latest I could find and I just created the storage account.

Recommended answer

I found it's not enough for the app and account to be added as owners. I would go into your storage account > IAM > Add role assignment, and add the special permissions for this type of request:

  • Storage Blob Data Contributor
  • Storage Queue Data Contributor
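
Why Owner alone is not enough, as an added example that is not part of the original answer: Owner grants control-plane `actions` but no `dataActions`, and reading a blob with an Azure AD token is a data-plane operation. The role definitions below are abbreviated, constructed copies of the built-in roles' permission lists, and the function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Abbreviated, constructed role definitions (only the fields the check needs).
ROLE_DEFINITIONS = {
    "Owner": {
        "actions": ["*"], "notActions": [],
        "dataActions": [], "notDataActions": [],
    },
    "Storage Blob Data Contributor": {
        "actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
        "notActions": [],
        "dataActions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        ],
        "notDataActions": [],
    },
}

BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"


def _matches(patterns, operation):
    # Role definitions use * as a wildcard inside operation strings.
    return any(fnmatchcase(operation, p) for p in patterns)


def role_allows(role, operation, data_plane):
    """True if the role definition grants the operation on the given plane."""
    allow, deny = ("dataActions", "notDataActions") if data_plane else ("actions", "notActions")
    return _matches(role.get(allow, []), operation) and not _matches(role.get(deny, []), operation)


def roles_granting(assigned_role_names, operation, data_plane=True):
    """Names of the assigned roles that grant the operation."""
    return [name for name in assigned_role_names
            if role_allows(ROLE_DEFINITIONS[name], operation, data_plane)]


def diagnose(assigned_role_names, operation=BLOB_READ):
    """Explain whether an AD-token request for the operation would be authorized."""
    granting = roles_granting(assigned_role_names, operation)
    if granting:
        return "allowed via " + ", ".join(granting)
    return "AuthorizationPermissionMismatch expected: no assigned role has a matching dataAction"
```
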
