Azure DevOps管道无法复制到Azure存储 [英] Azure DevOps pipeline cannot copy to Azure storage

问题描述

我有一个构建Web人工制品的管道，并尝试使用Azure Pipelines中提供的Azure File Copy任务将其复制到我的Azure存储中.最近2天，我一直在尝试修复此403响应，并指出存在权限错误.

I've got a pipeline that builds web artefacts and attempts to copy them to my Azure Storage using the Azure File Copy task provided in the Azure Pipelines. I've been trying for the last 2 days to fix this 403 response, stating there is a permissions error.

• 我为此管道有一个服务连接.
• 服务连接应用程序注册在API权限中具有用于Azure存储的user_impersonation
• 服务连接应用程序注册具有存储Blob数据贡献者"&目标存储帐户，资源组和订阅的存储Blob数据所有者".

推荐答案

由于存储帐户使用防火墙并且根据

Since the storage account uses a Firewall and has IP range whitelisting enabled according to your comment, you should add the agent's IP address to the whitelist.

• 如果您正在运行自己的构建代理，这非常简单.
• 如果您使用Microsoft托管的代理来运行作业，并且需要有关使用了哪些IP地址的信息，请参见

  在某些设置中，您可能需要了解部署代理的IP地址范围.例如，如果您需要授予托管代理通过防火墙的访问权限，则可能希望通过IP地址限制该访问权限.由于Azure DevOps使用Azure全球网络，因此IP范围会随时间变化.我们发布了每周JSON文件，其中列出了破碎的Azure数据中心的IP范围按地区划分.该文件在每个星期三以新的计划IP范围发布.新的IP范围在下周一生效.我们建议您经常进行检查，以确保保留最新列表.

  In some setups, you may need to know the range of IP addresses where agents are deployed. For instance, if you need to grant the hosted agents access through a firewall, you may wish to restrict that access by IP address. Because Azure DevOps uses the Azure global network, IP ranges vary over time. We publish a weekly JSON file listing IP ranges for Azure datacenters, broken out by region. This file is published every Wednesday with new planned IP ranges. The new IP ranges become effective the following Monday. We recommend that you check back frequently to ensure you keep an up-to-date list.

  由于Azure管理库中没有用于.NET的API来列出地理区域，因此您必须手动列出它们.

  Since there is no API in the Azure Management Libraries for .NET to list the regions for a geography, you must list them manually.

  
  此处存在一个已关闭的(！-但仍处于活动状态)GitHub问题: AzureDevops不认为是"Microsoft服务"

  您的托管代理在与您的组织相同的Azure地理环境中运行.每个地理区域都包含一个或多个区域.尽管您的代理可能与您的组织在同一地区运行，但不能保证这样做.要获取代理可能的IP范围的完整列表，您必须使用地理位置中包含的所有区域的IP范围.例如，如果您的组织位于美国地理区域内，则必须为该地理区域内的所有区域使用IP范围.

  Your hosted agents run in the same Azure geography as your organization. Each geography contains one or more regions. While your agent may run in the same region as your organization, it is not guaranteed to do so. To obtain the complete list of possible IP ranges for your agent, you must use the IP ranges from all of the regions that are contained in your geography. For example, if your organization is located in the United States geography, you must use the IP ranges for all of the regions in that geography.

  要确定您的地理位置，请导航至 https://dev.azure.com/<your_organization>/_settings/organizationOverview ，获取您的区域，然后从Azure地理表中找到相关的地理.确定地理位置后，将每周文件的IP范围用于该地理位置的所有区域.

  To determine your geography, navigate to https://dev.azure.com/<your_organization>/_settings/organizationOverview, get your region, and find the associated geography from the Azure geography table. Once you have identified your geography, use the IP ranges from the weekly file for all regions in that geography.

  这篇关于Azure DevOps管道无法复制到Azure存储的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！