具有托管身份的容器级别的Azure Data Lake gen2(Data Lake Storage)访问控制

时间:2020-10-20 12:39:30

标签: azure-data-lake azure-managed-identity

我尝试编写对Azure Data Lake gen2的授予角色的脚本。将其添加到服务帐户中没问题:

$storageAccount = Get-AzResource -Name $StorageAccountName -ResourceGroupName $ResourceGroupName
$datafactory = Get-AzDataFactoryV2 -Name $DataFactoryName -ResourceGroupName $ResourceGroupName
$contributorRoleDefinition = Get-AzRoleDefinition -Scope $storageAccount.ResourceId -Name 'Contributor'

$dataFactoryRole = Get-AzRoleAssignment -Scope $storageAccount.ResourceId -ObjectId $datafactory.Identity.PrincipalId -RoleDefinitionId $contributorRoleDefinition.Id
if(!$dataFactoryRole)
{
    New-AzRoleAssignment -Scope $storageAccount.ResourceId -ObjectId $datafactory.Identity.PrincipalId -RoleDefinitionId $contributorRoleDefinition.Id
    Write-Host "Access to blob storage for data factory was granted"
}
else
{
    Write-Host "Access to blob storage for data factory has already been granted"
}

问题是我想获得容器级别的最高权限-而不是服务帐户级别。上面的脚本在容器级别生成: 父资源(继承) ,但需要的是: 此资源 。< / p>

我可以通过门户网站完成此操作,但对我的情况而言不是有效的解决方案。

1 个答案:

答案 0 :(得分:1)

如果要获得容器级别的大权限,请参考以下脚本

Connect-AzAccount

$container=Get-AzRmStorageContainer -Name $StorageAccountName -ResourceGroupName $ResourceGroupName -Name $containerName

$datafactory = Get-AzDataFactoryV2 -Name <> -ResourceGroupName <>

$role=Get-AzRoleDefinition -Name "Storage Blob Data Reader"

$dataFactoryRole = Get-AzRoleAssignment -Scope $container.Id -ObjectId $datafactory.Identity.PrincipalId -RoleDefinitionId $role.Id
if(!$dataFactoryRole)
{
    New-AzRoleAssignment -Scope $container.Id -ObjectId $datafactory.Identity.PrincipalId -RoleDefinitionId $role.Id
    Write-Host "Access to blob storage for data factory was granted"
}
else
{
    Write-Host "Access to blob storage for data factory has already been granted"
}

enter image description here

此外,请注意,如果要使用AD身份验证访问Azure Blob,则需要使用以下角色: Storage Blob Data Contributor Storage Blob Data Reader 存储Blob数据所有者。有关更多详细信息,请参阅herehere

相关问题
最新问题