我尝试编写对Azure Data Lake gen2的授予角色的脚本。将其添加到服务帐户中没问题:
$storageAccount = Get-AzResource -Name $StorageAccountName -ResourceGroupName $ResourceGroupName
$datafactory = Get-AzDataFactoryV2 -Name $DataFactoryName -ResourceGroupName $ResourceGroupName
$contributorRoleDefinition = Get-AzRoleDefinition -Scope $storageAccount.ResourceId -Name 'Contributor'
$dataFactoryRole = Get-AzRoleAssignment -Scope $storageAccount.ResourceId -ObjectId $datafactory.Identity.PrincipalId -RoleDefinitionId $contributorRoleDefinition.Id
if(!$dataFactoryRole)
{
New-AzRoleAssignment -Scope $storageAccount.ResourceId -ObjectId $datafactory.Identity.PrincipalId -RoleDefinitionId $contributorRoleDefinition.Id
Write-Host "Access to blob storage for data factory was granted"
}
else
{
Write-Host "Access to blob storage for data factory has already been granted"
}
问题是我想获得容器级别的最高权限-而不是服务帐户级别。上面的脚本在容器级别生成: 父资源(继承) ,但需要的是: 此资源 。< / p>
我可以通过门户网站完成此操作,但对我的情况而言不是有效的解决方案。
答案 0 :(得分:1)
如果要获得容器级别的大权限,请参考以下脚本
Connect-AzAccount
$container=Get-AzRmStorageContainer -Name $StorageAccountName -ResourceGroupName $ResourceGroupName -Name $containerName
$datafactory = Get-AzDataFactoryV2 -Name <> -ResourceGroupName <>
$role=Get-AzRoleDefinition -Name "Storage Blob Data Reader"
$dataFactoryRole = Get-AzRoleAssignment -Scope $container.Id -ObjectId $datafactory.Identity.PrincipalId -RoleDefinitionId $role.Id
if(!$dataFactoryRole)
{
New-AzRoleAssignment -Scope $container.Id -ObjectId $datafactory.Identity.PrincipalId -RoleDefinitionId $role.Id
Write-Host "Access to blob storage for data factory was granted"
}
else
{
Write-Host "Access to blob storage for data factory has already been granted"
}
此外,请注意,如果要使用AD身份验证访问Azure Blob,则需要使用以下角色: Storage Blob Data Contributor , Storage Blob Data Reader 和存储Blob数据所有者。有关更多详细信息,请参阅here和here