RBAC access to Azure Storage - preview roles not acting as expected


Question

I'm trying to give our operations team read-only access to a storage account containing log files. I'd like to be able to give them the right to enumerate containers and read blobs. Ideally that would be the extent of their access.

There are a couple of RBAC roles in preview that looked promising:

  • Storage Blob Data Reader (Preview) is described as "allows for read access to Azure Storage blob containers and data", which sounds exactly like what I'm after
  • Storage Blob Data Contributor (Preview) sounds like read/write to the blob account

Neither of these roles worked for me, however. The operations group is unable to use Azure Storage Explorer or the web to examine blob contents. It looks like the roles don't provide access to the key APIs.

I'm wondering where the gap is between what I'm hoping to do and what the new preview roles offer. Can I accomplish this without defining custom roles in the tenant?

Answer

One thing is assigning proper RBAC roles, and another is a client application making use of them. As far as I noticed, most applications able to browse through Storage Accounts still use only the keys and obviously fail when the user is not assigned a role privileged enough.

You can however use new storage data access roles by means of Azure Portal. This requires you to assign both Reader and Storage Blob Data Reader roles. The first one is required for the user to see the storage account resource in the Portal at all. The latter is required to access data without keys.

Users will be able to see the data when going through the Blob service > Blobs menu position. Not the Storage Explorer, which still can use only keys.

You can assign Storage Blob Data Reader on the storage account level or on a particular container and this works just fine - users have access limited to a specific container.

You also need to wait some time for the roles to propagate properly. The documentation says something about 5 minutes, but from my short observation it seems it can be a bit longer.
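The two assignments the answer describes (Reader on the storage account, Storage Blob Data Reader on a single container), as an added Az PowerShell example that is not part of the original answer; the subscription, resource group, account, container and group object id are placeholder values.

```powershell
# Added example, not from the original answer. Requires the Az PowerShell module
# and a signed-in session (Connect-AzAccount). All names and ids are placeholders.
param(
    [string]$SubscriptionId = '00000000-0000-0000-0000-000000000000',
    [string]$ResourceGroup  = 'rg-logs',
    [string]$StorageAccount = 'stlogs001',
    [string]$Container      = 'applogs',
    [string]$GroupObjectId  = '11111111-1111-1111-1111-111111111111'  # ops team group object id
)

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

$accountScope   = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
                  "/providers/Microsoft.Storage/storageAccounts/$StorageAccount"
$containerScope = "$accountScope/blobServices/default/containers/$Container"

# New-AzRoleAssignment errors if the identical assignment already exists, so check first.
function Grant-RoleIfMissing {
    param([string]$ObjectId, [string]$RoleName, [string]$Scope)
    $existing = Get-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleName -Scope $Scope |
        Where-Object { $_.Scope -eq $Scope }   # ignore assignments inherited from parent scopes
    if ($existing) {
        Write-Host "Already assigned: $RoleName at $Scope"
    } else {
        New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleName -Scope $Scope | Out-Null
        Write-Host "Assigned: $RoleName at $Scope"
    }
}

# 1. Reader on the storage account (control plane): lets the group see the resource in the
#    Portal. Reader does not include listKeys, so it grants no key-based data access.
Grant-RoleIfMissing -ObjectId $GroupObjectId -RoleName 'Reader' -Scope $accountScope

# 2. Storage Blob Data Reader on one container (data plane): list and read blobs in that
#    container only, with no account key involved.
Grant-RoleIfMissing -ObjectId $GroupObjectId -RoleName 'Storage Blob Data Reader' -Scope $containerScope

# 3. Review the resulting assignments. Propagation can take several minutes, so re-run this
#    (and the user's Portal check) before concluding that the assignment did not work.
Get-AzRoleAssignment -ObjectId $GroupObjectId |
    Where-Object { $_.Scope -like "$accountScope*" } |
    Select-Object RoleDefinitionName, Scope |
    Format-Table -AutoSize
```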
